On Sat, Feb 26, 2022 at 2:25 AM the Mulhern <amulhern(a)redhat.com> wrote:
> Hi!
>
> cargo has the "cargo-license" command that will find all licenses for
> a project's dependencies.
> Is there something similar to use when packaging for Fedora?
> Such a tool would find fewer dependencies and possibly fewer licenses,
> since "cargo license" picks up, e.g., winapi dependencies, which are
> irrelevant to Fedora.
>
> Thanks for any help you can give me,

The simplest equivalent is probably to do:
1. run a mock build with "--without check" so dev-dependencies are not pulled in
2. start a "mock shell" inside the chroot after a successful build
3. run a simple shell script like this one:

    # print the distinct license tags of all installed rust-*-devel packages
    for i in $(rpm -qa | grep "rust-.*-devel"); do
        rpm -q "$i" --qf "%{LICENSE}\n"
    done | sort | uniq

This will give you a list of licenses of all crate dependencies that
were pulled in for your build.
This will not include test-only dependencies (since the mock build was
run with "--without check"), but it might contain licenses of cargo
build-dependencies that are used for proc-macros or build scripts -
but this is the best you can do for now (the python script linked by
Igor has the same limitations).
I think to properly analyze which crates actually get compiled and
linked into the final binary, we would need to parse the crate
dependency tree (including resolving optional dependencies and enabled
features etc.) ourselves, and exclude build-only and test-only
dependencies. Of course, dependency resolution algorithms like that
are not trivial, which is why nobody wrote a program that does this
yet.
Fabio
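
Added example, not part of the original thread and not code from Fabio or the Fedora Rust tooling: a sketch of the tree walk described in the last paragraph, which leans on cargo's own resolver instead of re-implementing it. It assumes input in the shape of "cargo metadata --format-version 1" output (ideally produced with "--filter-platform" so that platform-only crates are already dropped); the crate names and licenses in the sample are constructed, and the function name is hypothetical.

```python
import json
from collections import deque

# Constructed sample, trimmed to the fields used below.
SAMPLE = json.loads("""
{"packages": [
  {"id": "app 0.1.0", "name": "app", "license": "MPL-2.0", "targets": [{"kind": ["bin"]}]},
  {"id": "libdep 1.0.0", "name": "libdep", "license": "MIT OR Apache-2.0", "targets": [{"kind": ["lib"]}]},
  {"id": "leaf 0.3.0", "name": "leaf", "license": "Apache-2.0", "targets": [{"kind": ["lib"]}]},
  {"id": "derive-helper 2.0.0", "name": "derive-helper", "license": "BSD-3-Clause", "targets": [{"kind": ["proc-macro"]}]},
  {"id": "macro-dep 1.1.0", "name": "macro-dep", "license": "Zlib", "targets": [{"kind": ["lib"]}]},
  {"id": "build-gen 0.9.0", "name": "build-gen", "license": "ISC", "targets": [{"kind": ["lib"]}]},
  {"id": "test-util 0.2.0", "name": "test-util", "license": "GPL-3.0-only", "targets": [{"kind": ["lib"]}]}],
 "resolve": {"root": "app 0.1.0", "nodes": [
  {"id": "app 0.1.0", "deps": [
    {"pkg": "libdep 1.0.0", "dep_kinds": [{"kind": null, "target": null}]},
    {"pkg": "derive-helper 2.0.0", "dep_kinds": [{"kind": null, "target": null}]},
    {"pkg": "build-gen 0.9.0", "dep_kinds": [{"kind": "build", "target": null}]},
    {"pkg": "test-util 0.2.0", "dep_kinds": [{"kind": "dev", "target": null}]}]},
  {"id": "libdep 1.0.0", "deps": [{"pkg": "leaf 0.3.0", "dep_kinds": [{"kind": null, "target": null}]}]},
  {"id": "derive-helper 2.0.0", "deps": [{"pkg": "macro-dep 1.1.0", "dep_kinds": [{"kind": null, "target": null}]}]},
  {"id": "leaf 0.3.0", "deps": []}, {"id": "macro-dep 1.1.0", "deps": []},
  {"id": "build-gen 0.9.0", "deps": []}, {"id": "test-util 0.2.0", "deps": []}]}}
""")

def linked_licenses(metadata):
    """Map license expression -> sorted crate names reachable from the root
    through normal dependencies only, skipping proc-macro crates."""
    packages = {p["id"]: p for p in metadata["packages"]}
    nodes = {n["id"]: n for n in metadata["resolve"]["nodes"]}
    root = metadata["resolve"]["root"]  # assumes a single root package
    seen, queue = {root}, deque([root])
    while queue:
        for dep in nodes[queue.popleft()]["deps"]:
            pkg = packages[dep["pkg"]]
            # kind is null for normal deps, "build" or "dev" otherwise
            normal = any(k["kind"] is None for k in dep["dep_kinds"])
            # proc-macro crates run inside the compiler and are not linked in
            proc_macro = any("proc-macro" in t["kind"] for t in pkg["targets"])
            if normal and not proc_macro and dep["pkg"] not in seen:
                seen.add(dep["pkg"])
                queue.append(dep["pkg"])
    result = {}
    for pkg_id in seen:
        pkg = packages[pkg_id]
        result.setdefault(pkg["license"] or "UNKNOWN", []).append(pkg["name"])
    return {lic: sorted(names) for lic, names in result.items()}

if __name__ == "__main__":
    for lic, crates in sorted(linked_licenses(SAMPLE).items()):
        print(f"{lic}: {', '.join(crates)}")
```

The result only reflects the feature set and platform that the metadata was generated for, so it has to be regenerated per build configuration.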