LICENSE detection is OS specific #187

Open
dprotaso opened this issue Mar 3, 2023 · 5 comments

Comments

@dprotaso
Contributor

dprotaso commented Mar 3, 2023

We noticed that go-licenses will produce different results depending on the host operating system.

i.e. https://github.com/opencontainers/selinux on Linux will pull in golang.org/x/sys but on Mac it does not.

@evankanderson

Repro case:

git clone https://github.com/knative/func
cd func
go install github.com/google/[email protected]
GOOS=darwin go-licenses save ./... --save_path=third_party/VENDOR-LICENSE --force
git status
# shows two deleted files and one untracked directory
GOOS=linux go-licenses save ./... --save_path=third_party/VENDOR-LICENSE --force
git status
# shows no diffs

In particular, this may affect go-licenses' ability to detect unwanted licenses which are only present for certain architectures.

Ideally, it would be possible to override the use of GOOS through a command-line flag, and be able to supply a list of operating systems (or OS + Arch combinations) which should be combined.

@Bobgy
Collaborator

Bobgy commented Mar 7, 2023

Good catch!

So far I think this is intended behavior.

Knowing the complete dependencies under all OS, arch and even build tags requires running the same license detection process in each combination. (Theoretically, we can dedup license text detection and just iterate through deps for each combination.)

I would prefer leaving the choice to users.

Adding documentation for this is welcome.

@dprotaso
Contributor Author

dprotaso commented Mar 7, 2023

> So far I think this is intended behavior.

This is a bug. Since the go.mod declares its Go version as go1.17, all the indirect dependencies are present. This list contains all the dependencies for all OS versions - but the license saving functionality doesn't include some of them.

@dprotaso
Contributor Author

dprotaso commented Mar 7, 2023

Even vendoring (i.e. go mod vendor) includes the license - https://github.com/knative/func/tree/main/vendor/golang.org/x/sys

@Bobgy
Collaborator

Bobgy commented Mar 8, 2023

You have a point! Contributions are welcome!
The main challenge is that go-licenses is implemented like go build, using an official Go dep traversal library, so you can specify GOOS, build tags, etc., but it only builds for this version.
It's worth looking at whether it has options to allow traversing over all OSes.
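
One way to see which modules a single-GOOS license run would miss, as an added example that is not part of the thread or of go-licenses: it runs `go list -deps` once per platform and reports modules that are absent from at least one platform's dependency list. The platform list, the function names and the `.mods` file layout are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not go-licenses code: find modules that only some
# GOOS/GOARCH builds depend on, i.e. what a single-platform run misses.

# Assumed platform list; replace with the targets you actually ship.
PLATFORMS="linux/amd64 linux/arm64 darwin/amd64 darwin/arm64 windows/amd64"

# list_modules GOOS/GOARCH PATTERN
# Prints the sorted module paths of all packages built for that platform.
# Standard-library packages have no module and are dropped.
list_modules() {
    GOOS="${1%/*}" GOARCH="${1#*/}" \
        go list -deps -f '{{with .Module}}{{.Path}}{{end}}' "$2" |
        sed '/^$/d' | sort -u
}

# partial_modules DIR
# Reads DIR/<platform>.mods (one module path per line) and prints
# "module<TAB>platforms" for each module absent from at least one list.
partial_modules() {
    set -- "$1"/*.mods
    awk -v total="$#" '
        FNR == 1 { p = FILENAME; sub(/.*\//, "", p); sub(/\.mods$/, "", p) }
        NF       { n[$1]++; on[$1] = on[$1] (on[$1] ? "," : "") p }
        END      { for (m in n) if (n[m] < total) print m "\t" on[m] }
    ' "$@" | sort
}

# Usage: sh platform-mods.sh ./...   (no argument: only define functions)
if [ "$#" -gt 0 ]; then
    out=$(mktemp -d)
    for p in $PLATFORMS; do
        list_modules "$p" "$1" > "$out/$(echo "$p" | tr / _).mods"
    done
    partial_modules "$out"
    rm -rf "$out"
fi
```

Each module it prints needs a license scan with GOOS set to one of the platforms listed beside it, since a run on any other platform will not traverse it.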
