How do you manage the licenses of the dependencies (libraries) of your project? [closed]

Question

I would like to know if the Nexus repository manager includes a License manager like Artifactory (with this plugin : http://wiki.jfrog.org/confluence/display/RTF/License+Control).

If there is no way to do that in Nexus via a plugin, how do you manage the licenses of the dependencies of your project (with maven) ?

e.g. for a commercial project, I can't include a GPL library into the final artifact (.jar, .war, etc.).

Answer 1

The Artifactory functionality can be emulated using the Maven license validator plugin

http://code.google.com/p/maven-license-validator-plugin/

The practical problem with both these approaches that very few Maven Central modules have up-to-date license information in their POMs. So from what I can see this is a great idea which falls short of a real solution to the problem of assessing your build's license compliance...

My ideal solution is an external set of processes which scan the contents of the Nexus repository for available license information. This information is then used to seed the Nexus Professional's procurement suite to control the contents of an approved repository for use in release (non development builds).

Some binaries contain textual license files and alternatively the associated source code packages could be also be scanned for license and IP information. A number of 3rd party tools are available to perform this task. The ones I've been considering are:

• http://fossology.org/
• http://www.openlogic.com/discovery/
• http://www.blackducksoftware.com/

In conclusion, until Maven Central can provide reliable meta data on module licensing, I think solutions to this problem will remain highly customised and sub-optimal

Answer 2

The approach taken by Artifactory is a bit different, since raw artifact metadata is only used as starting point, but at the end of the day users can complete and amend missing/incorrect license information:

1. At first, POM (including all parent POMs) or Ivy descriptors are used to extract heuristic license information. This auto-discovery step is purely optional.
2. This license information is then attached to artifacts based on their checksum, and is fully editable by users. Admins can update the license details which will stick with the artifact for its lifetime.
3. Every license can be approved or unapproved according to a global policy.
4. At deployment time the license info of all dependencies is read - if unapproved or unknown licenses are found an email alert with the information is sent to preconfigured addresses.

This lets you deal with changes/additions of new dependencies (and their respective licenses) as soon as they are committed and picked-up by the build process.

Another key difference is the ability to handle artifacts with multiple-licenses, where only one of the licenses is approved and the others are not.

You can read more about it here -

http://wiki.jfrog.org/confluence/display/RTF/License+Control