I’m looking a bit into starting to put out binary distribution releases for this project and due to lack of previous experience I’m not entirely sure how to handle the licensing side of things.
First of all, the project itself has a few dependencies, which in turn have many other dependencies, etc. Is there an easy/automated way to exhaustively list all of these dependencies as well as their licensing requirements? It seems like all of the relevant crates in question here include license/author info in their metadata, so I’d imagine a tool to dig through the project’s dependencies (even using
Cargo.lock where they’re all listed out anyways) to find this info/warn about where it’s not complete could be useful.
Once the dependencies/licenses they use are determined, depending on what they are (assuming they’re all apache 2.0, mit, or dual-licensed) then it’s a matter of proper attribution/license distribution, but I’m a bit lost on the details here as well. Some sources claim attribution is not necessary (including crate authors) but I’d rather be conservative/exhaustive here both in terms of wanting to be safe-not-sorry, but also to give credit where credit is due. What would be the recommended way to package this info/notify the user in this situation about the various licenses/dependencies the project relies on? Is there any way to automate this and make it part of the project’s deployment procedure on the CI servers?
Thanks for the help!