17 releases (8 stable)
| 2.0.0 | Mar 17, 2024 |
|---|---|
| 1.3.0 | Nov 1, 2023 |
| 1.2.1 | Apr 14, 2023 |
| 1.0.1 | Oct 7, 2022 |
| 0.3.0 | Sep 20, 2021 |
#389 in Parser implementations
7,049 downloads per month
100KB
1K
SLoC
cargo-bundle-licenses
Bundle all third-party licenses into a single file.
NOTE This tools is not a lawyer and no guarantee of correctness can be made regarding the licenses that it selects. This tool relies on the information supplied in package metadata to be correct, this is not guaranteed so for "real" scenarios it is recommended that all licenses be reviewed and verified manually as well.
Install
cargo install cargo-bundle-licenses
Usage
The typical use case for this tool is as follows:
- Generate an initial bundle file:
cargo bundle-licenses --format yaml --output THIRDPARTY.yml
- Go through the listed warnings and track down licenses that could not be found and paste the text of the license into the "THIRDPARTY.yml" file.
- Note: if the licence should have been found by
cargo-bundle-licensesthen please create an issue, or even better, a pull request!
- Note: if the licence should have been found by
- In your CI, run
cargo-bundle-licensesin the following way to check for changes and fail if they are found. This will generate a new thirdparty file, apply any licenses that have been added by hand to fill in the "NOT FOUND" licenses, and then compare the newly generated version against the previous version and fail if there are any differences.
cargo bundle-licenses --format yaml --output CI.yaml --previous THIRDPARTY.yml --check-previous
To aid in copy-pasting licenses that couldn't be found for one reason other another the esc tool can be used to properly create escaped license strings to drop into the format of your choosing.
Formats
Currently the supported formats are json, yaml, and toml. A more human readable format that is closer to a classical THIRDPARTY file and already has serde support is being actively sought. Please create an issue or PR if you have an idea for this.
Common warnings and resolutions
The most common cause of missing licenses seems to be workspaces that don't include forward their license files. Go to the repo for the workspace and copy the relevant files from there.
A package license may receive a confidence warning stating that cargo-bundle-licenses is "unsure" or "semi" confident. This means that when the found license was compared to a template license it was found to have diverged in more than a few words. You should verify that the licence text is in fact correct in these cases.
Differences from other tools
cargo-aboutalso finds and aggregates the license texts of all dependencies.cargo-bundle-licensesis different in that it is focused more on generating something and then allowing that to be manually updated with not-found licenses whereascargo-aboutwill not generate output in that scenario. Additionally,cargo-bundle-licensesallows for manual updates to be applied to later versions of the thirdparty file. However,cargo-aboutdoes generate a very nice human readable format, and provides more granularity in what packages / licenses are allowed.cargo-licenseonly generates a list of licenses as found in theCargo.tomlfiles.cargo-denyalso gathers a list of licenses for dependencies, as well as analysingLICENSEfiles, but it does so with the goal of warning or erroring if any dependencies have licenses that the user deems unacceptable; no collection of license text is emitted
Attributions
This crate was heavily inspired by cargo-lichking.
Dependencies
~7–17MB
~197K SLoC