Packing Rust binary packages + dependency licensing


#1

Hi all,

I’m looking a bit into starting to put out binary distribution releases for this project and due to lack of previous experience I’m not entirely sure how to handle the licensing side of things.

First of all, the project itself has a few dependencies, which in turn have many other dependencies, etc. Is there an easy/automated way to exhaustively list all of these dependencies as well as their licensing requirements? It seems like all of the relevant crates in question here include license/author info in their metadata, so I’d imagine a tool to dig through the project’s dependencies (even using Cargo.lock where they’re all listed out anyways) to find this info/warn about where it’s not complete could be useful.

Once the dependencies/licenses they use are determined, depending on what they are (assuming they’re all Apache 2.0, MIT, or dual-licensed) then it’s a matter of proper attribution/license distribution, but I’m a bit lost on the details here as well. Some sources claim attribution is not necessary (including crate authors) but I’d rather be conservative/exhaustive here both in terms of wanting to be safe-not-sorry, but also to give credit where credit is due. What would be the recommended way to package this info/notify the user in this situation about the various licenses/dependencies the project relies on? Is there any way to automate this and make it part of the project’s deployment procedure on the CI servers?

Thanks for the help!


#2

So, I can’t help you with your problem but I can point you to prior discussion:


#3

I can help you a little bit :slight_smile: If you looked through that linked issue you may have seen I wrote a cargo plugin cargo-lichking that is capable of listing and partially checking for license compatibility. I also plan to have it support generating a license bundle at some point; I did a little work on that today, but it still needs quite a bit more until it would really be usable.


#4

Thanks @stebalien and @Nemo157, both that discussion and cargo-lichking were pretty helpful!

After getting an exhaustive list of dependencies I dug around my disk and found the cargo binary distribution, to see how it did its licensing. Basically, it packed up the standard MIT/Apache license files along with this third-party license file which exhaustively lists different licenses and links to where you can see the latest. Using that as a model, I did the same for Rustual Boy, and long story short, test releases are building as we speak :slight_smile:

If anyone spots any errors feel free to open an issue/pull request and/or contact me and we’ll get it sorted, but it all seems right to me at least (though for future readers, IANAL ofc!).

Thanks again for the help!
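The metadata-driven listing asked about in #1, as an added example that is not from the thread, from cargo, or from cargo-lichking: it reads the JSON that `cargo metadata --format-version 1` emits (the field names are cargo's; the sample document is constructed) and separates crates whose licence the release bundle already covers from those that need a human look before shipping.

```python
"""Audit dependency licences from `cargo metadata --format-version 1` JSON.
Added example, not from the thread. Field names (`packages`, `license`,
`license_file`, `manifest_path`) follow cargo's metadata format; the sample
document below is constructed. Real use: feed the command's stdout to audit()."""
import json
from collections import defaultdict

# Constructed sample (not a real dependency tree) covering the cases that matter.
SAMPLE_METADATA = json.dumps({"packages": [
    {"name": "example-bin", "version": "0.1.0", "license": "MIT OR Apache-2.0",
     "license_file": None, "manifest_path": "/src/example-bin/Cargo.toml"},
    {"name": "old-style", "version": "0.2.0", "license": "MIT/Apache-2.0",
     "license_file": None, "manifest_path": "/reg/old-style-0.2.0/Cargo.toml"},
    {"name": "copyleft-dep", "version": "1.0.0", "license": "MPL-2.0",
     "license_file": None, "manifest_path": "/reg/copyleft-dep-1.0.0/Cargo.toml"},
    {"name": "file-only", "version": "1.1.0", "license": None,
     "license_file": "LICENSE.txt", "manifest_path": "/reg/file-only-1.1.0/Cargo.toml"},
    {"name": "unlabelled", "version": "2.0.0", "license": None,
     "license_file": None, "manifest_path": "/reg/unlabelled-2.0.0/Cargo.toml"},
]})

ALLOWED = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})  # bundle already covers these

def expression_allowed(expr, allowed=ALLOWED):
    """SPDX-style check: "A OR B" needs one allowed term, "A AND B" needs all.
    Pre-SPDX crates wrote "MIT/Apache-2.0" for dual licensing, so "/" means OR.
    Only an exact allow-listed term returns True, so "WITH" exceptions,
    parentheses and unknown identifiers get flagged, never silently accepted."""
    expr = expr.replace("/", " OR ")
    if " AND " in expr:
        return all(t.strip() in allowed for t in expr.split(" AND "))
    return any(t.strip() in allowed for t in expr.split(" OR "))

def audit(metadata_json, allowed=ALLOWED):
    """Group packages by licence string and list those needing a human decision."""
    report = {"by_license": defaultdict(list), "needs_review": [],
              "license_file_only": [], "missing": []}
    for pkg in json.loads(metadata_json)["packages"]:
        label = f'{pkg["name"]} {pkg["version"]}'
        if pkg.get("license"):
            report["by_license"][pkg["license"]].append(label)
            if not expression_allowed(pkg["license"], allowed):
                report["needs_review"].append(label)
        elif pkg.get("license_file"):
            # Licence text sits beside the crate's manifest; copy it into the bundle.
            report["license_file_only"].append((label, pkg["manifest_path"], pkg["license_file"]))
        else:
            report["missing"].append(label)  # no metadata at all: resolve with upstream first
    return report
```

Running `audit()` over the real metadata in CI and failing the build when `needs_review` or `missing` is non-empty keeps a new transitive dependency from quietly changing the licence terms of a binary release.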