Remove or replace licenses.txt #33749
Comments
I think it would be quite nice if we run trivy before the webpack build and then just add the generated asset into the webpack build. That way, there will be no files in the repo to worry about.
Another thing that trivy can do is generate a license report:
generates entries like this:

```json
{
  "Severity": "LOW",
  "Category": "notice",
  "PkgName": "github.com/alecthomas/chroma/v2",
  "FilePath": "go.mod",
  "Name": "MIT",
  "Text": "",
  "Confidence": 1,
  "Link": ""
}
```

It does not contain actual license text, but I think it should be easy to convert this into a text format to put into licenses.txt.
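As an added example, not code from this issue, from Gitea or from trivy: a small Go converter that takes a trivy license report in the JSON shape quoted in the comment above and writes a licenses.txt-style listing grouped by license. The envelope assumed around the entries (a "Results" array whose license results carry Class "license" and a "Licenses" array) is an assumption about trivy's output, and the sample report, the packages example.com/constructed/pkg and constructed-js-dep and the link in it are constructed for the example. It also counts entries that carry neither license text nor a link, which is the case where a bare license name is not enough for a license that requires preserving its notice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// License holds the fields of a trivy license entry this converter uses; the
// names match the JSON excerpt quoted in the comment above (others are ignored).
type License struct {
	PkgName  string `json:"PkgName"`
	FilePath string `json:"FilePath"`
	Name     string `json:"Name"`
	Text     string `json:"Text"`
	Link     string `json:"Link"`
}

// ParseLicenseReport flattens the license results of a trivy JSON report and
// sorts them by license, then package, so the generated file diffs cleanly.
// Assumed envelope: "Results" with Class "license" and a "Licenses" array.
func ParseLicenseReport(data []byte) ([]License, error) {
	var rep struct {
		Results []struct {
			Class    string    `json:"Class"`
			Licenses []License `json:"Licenses"`
		} `json:"Results"`
	}
	if err := json.Unmarshal(data, &rep); err != nil {
		return nil, fmt.Errorf("decode trivy report: %w", err)
	}
	var out []License
	for _, r := range rep.Results {
		if r.Class != "license" {
			continue // vulnerability or package results are not license entries
		}
		for _, l := range r.Licenses {
			if l.Name == "" {
				l.Name = "UNKNOWN" // trivy found a package but could not name its license
			}
			out = append(out, l)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Name != out[j].Name {
			return out[i].Name < out[j].Name
		}
		return out[i].PkgName < out[j].PkgName
	})
	return out, nil
}

// CountUnattributable counts entries with neither license text nor a link. A
// bare name cannot satisfy a license that requires preserving its notice, so a
// build step can fail on a non-zero count instead of shipping an incomplete file.
func CountUnattributable(entries []License) int {
	n := 0
	for _, l := range entries {
		if strings.TrimSpace(l.Text) == "" && l.Link == "" {
			n++
		}
	}
	return n
}

// RenderLicensesTxt emits "package (manifest) [link]" lines grouped under a
// heading per license name; entries must be sorted as ParseLicenseReport does.
func RenderLicensesTxt(entries []License) string {
	var b strings.Builder
	prev := ""
	for _, l := range entries {
		if l.Name != prev {
			fmt.Fprintf(&b, "=== %s ===\n", l.Name)
			prev = l.Name
		}
		fmt.Fprintln(&b, strings.TrimSpace(l.PkgName+" ("+l.FilePath+") "+l.Link))
	}
	return b.String()
}

// SampleReport is constructed input shaped like the excerpt in the comment;
// the second and third packages and the link are made up for the example.
const SampleReport = `{"SchemaVersion":2,"Results":[
 {"Target":"go.mod","Class":"lang-pkgs"},
 {"Target":"go.mod","Class":"license","Licenses":[
  {"Severity":"LOW","Category":"notice","PkgName":"github.com/alecthomas/chroma/v2","FilePath":"go.mod","Name":"MIT","Text":"","Confidence":1,"Link":""},
  {"Severity":"LOW","Category":"notice","PkgName":"example.com/constructed/pkg","FilePath":"go.mod","Name":"Apache-2.0","Text":"","Confidence":1,"Link":"https://example.com/constructed/pkg/LICENSE"}]},
 {"Target":"package.json","Class":"license","Licenses":[
  {"Severity":"LOW","Category":"notice","PkgName":"constructed-js-dep","FilePath":"package.json","Name":"","Text":"","Confidence":1,"Link":""}]}]}`
func main() {
	entries, err := ParseLicenseReport([]byte(SampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderLicensesTxt(entries))
	fmt.Printf("%d package(s) have neither license text nor a link\n", CountUnattributable(entries))
}
```

Running it prints the grouped listing for the sample and reports two packages with neither text nor link; to use a real report, pass its bytes to ParseLicenseReport instead of SampleReport. A non-zero count from CountUnattributable is the signal that the generated file cannot yet replace a hand-maintained licenses.txt for notice-preserving licenses.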
Now the
Unfortunately I don't think short names only are feasible if the license requires preserving it/the copyright. Though a link to a license might be a solution. There's FOSSA that could automate this, but API access is required for that part of the CLI tool.
A cross-language tool like trivy is definitely the way to go. It simplifies the process a lot. It not including license text or links seems like a bug. Maybe that will improve later. Maybe there are better tools available, I have not searched too much yet. At minimum, it should include the ability to extract licenses from the go and js dependencies.
At the very least we could try to compress the licenses so that they are included but don't take up much space.
All statically embedded files are already gzip-compressed by vfsgen; this file is no exception.
Feature Description
Given the recent problems with the go-licenses tool, I would propose removing or replacing the licenses.txt file. It serves no clear purpose and is to my knowledge not processed by any tools. So the only "consumers" are humans and I doubt its usefulness. If our intent with this file is to just list dependencies, I think we would be better off generating an SBOM file with tools like https://github.com/aquasecurity/trivy and from a quick check, this is an excellent and well-maintained tool for such a purpose.
For example, to create an SBOM file with trivy, try:
The other alternative is to remove the file without any replacement.