Geek Answers Handbook

How do you manage the dependencies (libraries) licenses of your project?

I would like to know if the Nexus Storage Manager supports a license manager such as Artifactory (with this plugin: http://wiki.jfrog.org/confluence/display/RTF/License+Control ).

If Nexus has no way to do this through the plugin, how do you manage the dependency licenses of your project (with maven)?

eg. for a commercial project, I cannot include the GPL library in the final artifact (.jar, .war, etc.).

+8
repository licensing maven nexus artifactory
source share
3 answers

Artifactory functionality can be emulated using the Maven License Validation Plugin

http://code.google.com/p/maven-license-validator-plugin/

The practical problem with both of these approaches is that very few Maven Central modules have updated license information in their POMs. Therefore, from what I see, this is a great idea that does not correspond to a real solution to the problem of assessing the conformity of your building license ...

My ideal solution is an external set of processes that scan the contents of the Nexus repository for available license information. This information is then used to download the Nexus Professional procurement kit to manage the contents of an approved repository for use in the release (non-line assemblies).

Some binaries contain license text files, and in addition, you can also scan their associated source code packages for license information and IP addresses. Several third-party tools are available for this task. The ones I reviewed are as follows:

In conclusion, until Maven Central provides reliable metadata for module licensing, I think that solutions to this problem will remain highly customizable and not optimal.

+6
source share

The approach taken by Artifactory is slightly different, since the source data is used only in raw artifact metadata, but at the end of the day, users can fill in and change the missing / incorrect license information:

  • First, POM (including all parent POMs) or Ivy descriptors are used to extract the heuristic license. This auto discovery step is optional.
  • This license information is then attached to the artifacts based on their checksum and is fully edited by users. Admins can update license information that will be stored with the artifact for life.
  • Each license may or may not be approved in accordance with global policy.
  • During deployment, license information for all dependencies is read - if unauthorized or unknown licenses are detected, an email notification is sent to preconfigured addresses.

This allows you to deal with changes / additions to new dependencies (and their corresponding licenses) as soon as they are completed and assembled by the build process.

Another key difference is the ability to process artifacts with multiple licenses, where only one of the licenses is approved and the others are not.

You can read more about this here -

http://wiki.jfrog.org/confluence/display/RTF/License+Control

+1
source share

An individual solution for use with Artifactory + Ivy + ant is to scan each module for license information. If a license is found, fill out this license file in Artifactory and update it ivy.xml so that it is available as a published artifact. Then call <ivy:retrieve/> to get a license along with its jar file.

The license can be specified in the ivy.xml module as a URL. In this case, use the ant get task to download the license and write it to a text file.

 [inside log4j ivy.xml as an example] <ivy-module xmlns:m="http://ant.apache.org/ivy/maven" version="2.0"> <info organisation="log4j" module="log4j" revision="1.2.16" status="integration" publication="20120620150430"> <license name="The Apache Software License, Version 2.0" url="http://www.apache.org/licenses/LICENSE-2.0.txt"/> ... </info> </ivy-module>

Alternatively, the license may be included as a text file in a .jar file. In this case, use the ant unjar task to extract the license and write it to a text file.

 [inside junit .jar file as an example] junit-4.8.2.jar/LICENSE.txt

Once the license has been written out as a text file, use the ant xmltask task to add the license as an artifact.

 [inside log4j ivy.xml as an example] <publications> <artifact conf="master" ext="jar" name="log4j" type="bundle"/> <artifact conf="sources" ext="jar" m:classifier="sources" name="log4j" type="source"/> <artifact conf="javadoc" ext="jar" m:classifier="javadoc" name="log4j" type="javadoc"/> <!-- next line added --> <artifact conf="master" ext="txt" name="log4j" type="license"/> </publications>

Post the modified ivy.xml and license back to Artifactory.

 <ivy:resolve file="${ivy.xml}" /> <ivy:publish resolver="${resolver}" pubrevision="@{rev}" status="integration" overwrite="true" forcedeliver="true" haltonmissing="false" srcivypattern="${ivy.local}/[organisation]/[module]/ivy-[revision].xml" > <artifacts pattern="${ivy.local}/[organisation]/[module]/ivys/ivy-[revision].[ext]" /> <artifacts pattern="${ivy.cache.dir}/[organisation]/[module]/licenses/[module]-[revision].[ext]" /> </ivy:publish>

Use <ivy:retrieve/> to obtain a license along with your jar file when typing with your assembly.

 <ivy:retrieve pattern="${ivy.local}/[artifact].[ext]" conf="compile, runtime" type="jar, license" />
0
source share

More articles:


All Articles