Hi all, [this is not a promotional email in any way, I'm not affiliated with the service/company discussed here]

I just discovered fossa.com, self-described as "Realtime license and vulnerability management for open source dependencies". For context, Apache Superset has a dependency tree rich with 700+ deps (crazy, right?); at that scale license management is a huge burden at best, or worse: a legal risk for the ASF.

Oh, btw, I tried searching the ASF mailing lists for existing threads on this topic but failed miserably; apologies if this has been discussed already.

I couldn't set up the FOSSA service on the project's repo I'm PMC on as I don't have the required GitHub rights, but I set it up against my fork and it's all you could ever hope for in terms of license-related automation. See it in action here:

https://app.fossa.com/projects/git%2Bgithub.com%2Fmistercrunch%2Fsuperset/refs/branch/master/396a655de13ced6e25f4e793b0eb281bf4f4cd79/issues/licensing?status=resolved

It seems like we may want to set this up against most if not all ASF projects. As the ASF is in the line of fire for legal troubles around licensing, it seems like automation/prevention would be strategic, especially in a world where micro packages and frequent releases are trending. Without using a service like this one, bumping a release, or even just allowing an open version range, can result in integrating non-permissive licenses in a bundle, in ways that could take months to catch, if ever.

For the record, I opened a ticket with ASF infra to set it up on `apache/incubator-superset`:

https://issues.apache.org/jira/browse/INFRA-18719

I'm hoping this goes smoothly, and that Apache Infra is ok granting the required perms to FOSSA.

I wanted to bring attention to this as this seems like something very useful for most projects.

Thoughts?

Max
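The failure mode the email describes (an open version range resolving to a newer release that changed its license, with nothing in the build to notice) is easy to reproduce with a small license gate. The script below is an added example and is not code from the original email, from FOSSA, from Superset or from the ASF; it assumes a constructed package index (package names, versions and SPDX identifiers are all made up) and an example allowlist of permissive licenses, where a real check would read installed-package metadata and the project's actual license policy instead. It resolves each requirement the way a resolver would (highest version satisfying the specifier), looks up that version's license, and fails closed on anything it cannot resolve.

```python
"""Minimal license gate over resolved dependencies.

Added example, not code from the original email, FOSSA, Superset or the ASF.
The package index below is constructed sample data and ALLOWED_LICENSES is an
example policy, not the ASF's license categories.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample package index: name -> {version: SPDX license id}.
# "colorize" and "tinydb-ish" switch to copyleft licenses in a later release,
# which is exactly what an open version range can silently pull in.
SAMPLE_INDEX: Dict[str, Dict[str, str]] = {
    "requests-like": {"2.0.0": "Apache-2.0", "2.1.0": "Apache-2.0"},
    "colorize": {"1.0.0": "MIT", "1.1.0": "MIT", "2.0.0": "GPL-3.0-only"},
    "tinydb-ish": {"0.9.0": "BSD-3-Clause", "1.0.0": "AGPL-3.0-only"},
}

# Example allowlist of permissive licenses (an assumption for this example).
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
_SPEC_RE = re.compile(r"^(==|>=|<=|>|<)\s*([0-9][0-9.]*)$")
_OPS = {
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> tuple:
    """Turn '1.10' into (1, 10, 0): numeric comparison, padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause in `spec` ('' = any)."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](v, parse_version(target)):
            return False
    return True


def resolve(name: str, spec: str, index: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Pick the highest available version matching `spec`, as a resolver would."""
    candidates = [v for v in index.get(name, {}) if satisfies(v, spec)]
    return max(candidates, key=parse_version) if candidates else None


@dataclass
class Finding:
    name: str
    requirement: str
    version: Optional[str]
    license: Optional[str]
    allowed: bool


def check_requirements(requirements: List[str], index, allowed=ALLOWED_LICENSES) -> List[Finding]:
    """Resolve each requirement and flag anything whose license is not allowlisted.

    Unresolvable requirements get license None and allowed=False, so a typo or
    a missing package fails closed instead of slipping through.
    """
    findings = []
    for req in requirements:
        m = _REQ_RE.match(req)
        if not m:
            raise ValueError(f"malformed requirement: {req!r}")
        name, spec = m.groups()
        version = resolve(name, spec, index)
        lic = index.get(name, {}).get(version) if version else None
        findings.append(Finding(name, req, version, lic, lic in allowed))
    return findings


def violations(requirements: List[str], index, allowed=ALLOWED_LICENSES) -> List[Finding]:
    """Only the findings a CI gate should fail on."""
    return [f for f in check_requirements(requirements, index, allowed) if not f.allowed]


if __name__ == "__main__":
    open_ranges = ["requests-like>=2.0", "colorize>=1.0", "tinydb-ish"]
    pinned = ["requests-like==2.1.0", "colorize==1.1.0", "tinydb-ish==0.9.0"]
    for label, reqs in (("open ranges", open_ranges), ("pinned", pinned)):
        bad = violations(reqs, SAMPLE_INDEX)
        print(f"{label}: {len(bad)} violation(s)")
        for f in bad:
            print(f"  {f.requirement} -> {f.name} {f.version} ({f.license})")
```

Run as a script, the same three packages pass when pinned and produce two violations when requested with open ranges, because `colorize>=1.0` and the bare `tinydb-ish` resolve to the releases that changed license. The pinned set is only safe until the next bump, which is the point of running a check like this in CI on every lockfile change rather than once at release time.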
I just discovered fossa.com, self described as "Realtime license and vulnerability management for open source dependencies". For context, Apache Superset has a dependency tree rich of 700+ deps (crazy right?), at that scale license management is huge burden at best, or worse: a legal risk for the ASF. Oh btw I tried searching the ASF mailing lists for existing threads on this topic but failed miserably, apologies if this has been discussed already. I couldn't set up the FOSSA service on the projects repo I'm PMC on as I don't have the required Github rights, but I set it up against my fork and it's all you could ever hope for in terms of license-related automation. See it in action here: https://app.fossa.com/projects/git%2Bgithub.com%2Fmistercrunch%2Fsuperset/refs/branch/master/396a655de13ced6e25f4e793b0eb281bf4f4cd79/issues/licensing?status=resolved It seems like we may want to set this up against most if not all ASF projects. As the ASF is in the line of fire for legal troubles around licensing, it seems like automation/prevention would be strategic, especially in a world where micro packages and frequent releases are trending. Without using a service like this one, bumping a release, or even just allowing an open version range can result in integrating non-permissive licenses in a bundle, in ways that could take months to catch, if ever. For the record I opened a ticket with ASF infra to set it up on `apache/incubator-superset`: https://issues.apache.org/jira/browse/INFRA-18719 I'm hoping this goes smoothly, and that Apache Infra is ok granting the required perms to FOSSA. I wanted to bring the attention to this as this seems like something very useful for most projects. Thoughts? Max