~qaul/community

deny.toml: create v1 APPLIED

Alyssa Ross
 2 files changed, 125 insertions(+), 0 deletions(-)

[PATCH] deny.toml: create

Alyssa Ross
This is a configuration file for cargo-deny, which can do licensing
and security checks for us.  I've set it up to check for security
advisories, license compliance, and unrecognized git sources (no
recognized git sources are currently configured).

License compliance for qaul is a bit complicated because of our
unusual licensing, so I've included some guidance for adding a
dependency with a license that isn't already allowlisted that is
hopefully easy enough to follow.
---
 deny.toml | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 deny.toml

diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..813e6d17
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,63 @@
[bans]
multiple-versions = "allow"

[licenses]
# ====================================================================
#                        License checks in qaul
# ====================================================================
#
# The purpose of the license checks is to ensure that all dependencies
# are available under licenses that are compatible with qaul's.
#
# Here's what to do if you want to add a dependency and cargo deny is
# telling you the license is not permitted.
#
# If the dependency is licensed under the GPLv3 or AGPLv3, but does
# not allow the licensee the option of using a later GPL or AGPL
# version (in SPDX this is encoded as "GPL-3.0-only" or
# "AGPL-3.0-only"), we'll have to think very carefully before adding
# it, because it might mean we're not allowed to give qaul licensees
# the option of using a later GPL or AGPL version.  Such a dependency
# should be carefully discussed before being added.
#
# Otherwise,
#
#  * If the dependency's license allows distribution on the iOS App
#    Store, and is compatible with the AGPLv3, add it to the "allow"
#    list below.
#
#  * If the dependency is available under a license that is compatible
#    with the AGPLv3, but does not allow distribution on the iOS App
#    Store:
#
#     * If the dependency will not be used on iOS, add an exception
#       for that library using the licenses.exceptions config key,
#       with a comment containing the license, and an explanation that
#       the dependency cannot be used on iOS.
#
#     * If the dependency comes with a special exception to its
#       license to allow iOS App Store distribution, add an exception
#       for that library using the licenses.exceptions config key,
#       with a comment containing the license, and an explanation that
#       there is a license exception to allow distribution on the iOS
#       App Store.
#
# If none of the criteria above apply, we probably can't use that
# dependency in qaul.  Notably, we can't use GPL or AGPL dependencies
# on iOS if they don't have an App Store exception, and we also can't
# use dependencies that are only available under a specific GPL or
# AGPL version (with no option to use a later version), because we
# want to give people the choice to use qaul under later version of
# the AGPL.
#
# If you're unsure about whether it's okay to use a dependency in qaul
# because of licensing reasons, please get in touch using one of the
# project communication channels.
unlicensed = "deny"
copyleft = "allow"
allow = [
  "MIT",
  "Apache-2.0",
  "BSD-2-Clause",
  "BSD-3-Clause",
]
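Review bot: `copyleft = "allow"` (just above the `allow` list) appears to undercut the guidance in the comment block. The comment says a dependency under "GPL-3.0-only" or "AGPL-3.0-only" must be discussed carefully before being added, and that non-allowlisted licenses should be added to `allow` or `licenses.exceptions` case by case, but a blanket copyleft allowance means cargo-deny is likely to approve such licenses without ever reporting them, so the documented process would never be triggered. Consider dropping that key (or setting it to "deny"/"warn") and listing the specific copyleft identifiers the project does accept in `allow`, so the check actually enforces what the comment describes.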
-- 
2.30.0

[PATCH v2] deny.toml: create

Alyssa Ross
This is a configuration file for cargo-deny, which can do licensing
and security checks for us.  I've set it up to check for security
advisories, license compliance, and unrecognized git sources (no
recognized git sources are currently configured).

License compliance for qaul is a bit complicated because of our
unusual licensing, so I've included some guidance for adding a
dependency with a license that isn't already allowlisted that is
hopefully easy enough to follow.
---

v2 of this patch removes BSD-2-Clause from the allowlist because, since
the async-std upgrade, cloudabi is no longer in the dependency graph,
it was the only library using this license, and cargo-deny warns when
licenses are allowed that aren't present in the dependency graph.  (I
think this is a silly warning, but it doesn't seem to be possible to
disable it.)

 deny.toml | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 deny.toml

diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..4b1fde3b
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,62 @@
[bans]
multiple-versions = "allow"

[licenses]
# ====================================================================
#                        License checks in qaul
# ====================================================================
#
# The purpose of the license checks is to ensure that all dependencies
# are available under licenses that are compatible with qaul's.
#
# Here's what to do if you want to add a dependency and cargo deny is
# telling you the license is not permitted.
#
# If the dependency is licensed under the GPLv3 or AGPLv3, but does
# not allow the licensee the option of using a later GPL or AGPL
# version (in SPDX this is encoded as "GPL-3.0-only" or
# "AGPL-3.0-only"), we'll have to think very carefully before adding
# it, because it might mean we're not allowed to give qaul licensees
# the option of using a later GPL or AGPL version.  Such a dependency
# should be carefully discussed before being added.
#
# Otherwise,
#
#  * If the dependency's license allows distribution on the iOS App
#    Store, and is compatible with the AGPLv3, add it to the "allow"
#    list below.
#
#  * If the dependency is available under a license that is compatible
#    with the AGPLv3, but does not allow distribution on the iOS App
#    Store:
#
#     * If the dependency will not be used on iOS, add an exception
#       for that library using the licenses.exceptions config key,
#       with a comment containing the license, and an explanation that
#       the dependency cannot be used on iOS.
#
#     * If the dependency comes with a special exception to its
#       license to allow iOS App Store distribution, add an exception
#       for that library using the licenses.exceptions config key,
#       with a comment containing the license, and an explanation that
#       there is a license exception to allow distribution on the iOS
#       App Store.
#
# If none of the criteria above apply, we probably can't use that
# dependency in qaul.  Notably, we can't use GPL or AGPL dependencies
# on iOS if they don't have an App Store exception, and we also can't
# use dependencies that are only available under a specific GPL or
# AGPL version (with no option to use a later version), because we
# want to give people the choice to use qaul under later version of
# the AGPL.
#
# If you're unsure about whether it's okay to use a dependency in qaul
# because of licensing reasons, please get in touch using one of the
# project communication channels.
unlicensed = "deny"
copyleft = "allow"
allow = [
  "Apache-2.0",
  "BSD-3-Clause",
  "MIT",
]
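Review bot: the commit message says the configuration checks security advisories and unrecognized git sources, but the file only spells out `[bans]` and `[licenses]`; advisory and source checking therefore rest on whatever cargo-deny's defaults happen to be, and a change in those defaults would silently change the project's policy. Suggest adding explicit `[advisories]` and `[sources]` sections (even if they only state the intended defaults, e.g. that no git sources are recognized) so the file documents the policy the message describes. Minor: in the comment, "under later version of the AGPL" should read "under later versions of the AGPL".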
-- 
2.30.0