GitHub’s tool reduces open source software license violations
- 21 March, 2018 21:00
GitHub has open-sourced its Licensed tool, a Ruby gem that caches and verifies the status of license dependencies in Git repos.
Licensed has helped GitHub engineers who use open source software find potential problems with license dependencies early in the development cycle. The tool reports any dependencies needing review.
GitHub defines a dependency as an external software package used in an application and a dependency source as a class that can enumerate application dependencies.
What the GitHub Licensed tool does
GitHub’s tool works as follows:
- It caches and checks license metadata, looking for dependencies. These dependencies are detected for various language types and package managers across the projects in a repo.
- A configuration file determines where and how to enumerate dependencies, which are enumerated for each source path in the configuration.
- When a dependency is found, the tool finds the source location in a local environment and extracts the relevant metadata.
- It uses the Licensee Ruby Gem to determine the license of each dependency and find the license text.
Because the dependency data is stored in a source control repo, it can be checked as part of the normal development workflow. License updates can be required whenever dependencies change, keeping the license data current, and the repo's history doubles as a record of dependency changes.
GitHub plans future refinements for Licensed so that it operates more smoothly in developer workflows and makes adding new dependency sources easier. New dependency sources will be added as well.
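To make the cache-and-verify workflow above concrete, here is an added Ruby example (not code from GitHub's Licensed gem): it compares a constructed dependency enumeration against a constructed cached record set and an allowlist, reporting stale cache entries and licenses that need review. The config keys, record layout and sample dependency data are assumptions made for the example, not Licensed's own formats.

```ruby
# Added example (not Licensed's code); config/record formats are assumptions.
# Constructed config: licenses accepted without review, plus deps already reviewed.
CONFIG = {
  "allowed"  => ["mit", "apache-2.0", "bsd-3-clause"],
  "reviewed" => ["mystery"],
}.freeze

# Constructed enumeration from a dependency source (a real one reads a lockfile).
ENUMERATED = [
  { "name" => "rack",     "version" => "2.0.4", "license" => "mit" },
  { "name" => "nokogiri", "version" => "1.8.2", "license" => "mit" },
  { "name" => "leftpad",  "version" => "1.0.0", "license" => "gpl-3.0" },
  { "name" => "mystery",  "version" => "0.1.0", "license" => "other" },
].freeze

# Constructed cache as checked into the repo, deliberately stale:
# nokogiri was bumped, leftpad and mystery were added, rake was dropped.
CACHED = {
  "rack"     => { "version" => "2.0.4",  "license" => "mit" },
  "nokogiri" => { "version" => "1.8.1",  "license" => "mit" },
  "rake"     => { "version" => "12.3.0", "license" => "mit" },
}.freeze

# Compare enumerated deps with cached records; return sorted [name, reason]
# pairs that would fail a status check run in the development workflow.
def check_dependencies(enumerated, cached, config)
  allowed  = config.fetch("allowed", [])
  reviewed = config.fetch("reviewed", [])
  findings = []
  enumerated.each do |dep|
    name, entry = dep["name"], cached[dep["name"]]
    if entry.nil?
      findings << [name, "missing from cache"]
    elsif entry["version"] != dep["version"]
      findings << [name, "cache stale (#{entry['version']} -> #{dep['version']})"]
    end
    next if allowed.include?(dep["license"]) || reviewed.include?(name)
    findings << [name, "license '#{dep['license']}' needs review"]
  end
  dropped = cached.keys - enumerated.map { |d| d["name"] }
  dropped.each { |name| findings << [name, "no longer a dependency"] }
  findings.sort
end

# Rebuild the cache from the current enumeration (what a cache update does).
def refresh_cache(enumerated)
  enumerated.to_h { |d| [d["name"], d.reject { |k, _| k == "name" }] }
end

check_dependencies(ENUMERATED, CACHED, CONFIG).each { |n, why| puts "#{n}: #{why}" }
```

After refreshing the cache, only the GPL-licensed dependency remains flagged, which is the case that still needs a human decision rather than a cache update.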
GitHub notes that the Licensed tool can discover and document obvious license issues early but is not a substitute for human review of dependencies, nor is it a complete open source license solution.
Where to download the GitHub Licensed tool
You can download the Licensed tool and find installation instructions in the project’s GitHub repo.