hubcio opened a new pull request, #3222: URL: https://github.com/apache/iggy/pull/3222
DEPENDENCIES.md (cargo license + CI drift check) broke every dependabot PR; dependabot can't run repo scripts, so the file went stale on every lockfile bump.

Per ASF release policy, source tarballs ship Cargo.lock but no bundled crates, so LICENSE/NOTICE MUST NOT enumerate them. The real compliance gap was on convenience binaries (Docker images, PyPI wheels), which statically link crates without bundling the license text. Confirmed on general@incubator (2026-05-06): https://lists.apache.org/thread/1okljz8jxt2g0bt3hlgpxyor7zv0nobl

Replace with cargo-about + license-checker-rseidelsohn, driven by scripts/ci/third-party-licenses.sh and scoped per-artifact via a single composite action shared by pre-merge and publish.yml. iggy-server bundles the embedded web UI, so apache/iggy enumerates web npm deps too.
