GitHub’s tool reduces open source software license violations

GitHub has released its Licensed tool, a Ruby gem that caches and checks the license status of dependencies in Git repositories.

Licensed has helped GitHub engineers who use open source software detect potential dependency license issues early in the development cycle. The tool flags any dependencies that require review.

GitHub defines a dependency as an external software package used in an application, and a dependency source as a class that can enumerate an application's dependencies.

What the GitHub Licensed Tool Does

The GitHub tool works as follows:

  • It caches and checks license metadata for the dependencies it finds. Dependencies are detected across the languages and package managers used by the projects in a repository.
  • A configuration file determines where and how to enumerate dependencies; they are enumerated for each source path listed in the configuration.
  • When a dependency is found, the tool locates its source in the local environment and extracts the relevant metadata.
  • It uses the Licensee Ruby gem to determine the license for each dependency and to find the license text.

Because the dependency data is stored in a source control repository, it can be checked as part of the development workflow: whenever dependencies change, the cached license data may need to be updated, which keeps it current, and the repository's history records how dependencies have changed over time.
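To make the caching and review steps described above concrete, here is an added example (not the Licensed gem's own code) that records license metadata for each dependency and compares a fresh enumeration against the cached records, flagging anything that needs human review. The license allowlist, the phrase-based detector standing in for Licensee, and the dependency names and texts are all assumptions constructed for the example.

```ruby
require "digest"

# Policy allowlist of license keys (an assumption for this example, not a Licensed setting).
ALLOWED_LICENSES = %w[mit apache-2.0 bsd-3-clause].freeze

# Stand-in for the Licensee gem: classify a license text by a distinctive phrase.
def detect_license(text)
  case text
  when /Permission is hereby granted, free of charge/i then "mit"
  when /Apache License.*Version 2\.0/mi               then "apache-2.0"
  when /GNU GENERAL PUBLIC LICENSE/i                  then "gpl-3.0"
  else "other"
  end
end

# The record that would be cached in source control for one dependency.
def dependency_record(name, version, license_text)
  { "name" => name, "version" => version,
    "license" => detect_license(license_text),
    "text_sha256" => Digest::SHA256.hexdigest(license_text) }
end

# Compare freshly enumerated dependencies with the cached records and return
# { name => [reasons] } for everything that needs human review.
def review_dependencies(cached, current, allowed = ALLOWED_LICENSES)
  by_name = cached.each_with_object({}) { |r, h| h[r["name"]] = r }
  current.each_with_object({}) do |rec, flags|
    old = by_name[rec["name"]]
    reasons = []
    if old.nil?
      reasons << "new dependency"
    else
      reasons << "version changed (#{old["version"]} -> #{rec["version"]})" if old["version"] != rec["version"]
      reasons << "license changed (#{old["license"]} -> #{rec["license"]})" if old["license"] != rec["license"]
      reasons << "license text changed" if old["text_sha256"] != rec["text_sha256"]
    end
    reasons << "license '#{rec["license"]}' not allowed" unless allowed.include?(rec["license"])
    flags[rec["name"]] = reasons unless reasons.empty?
  end
end

# Constructed license texts and dependency sets (not real packages).
MIT_TEXT = "MIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy..."
GPL_TEXT = "GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n..."
CACHED  = [dependency_record("alpha", "1.0.0", MIT_TEXT), dependency_record("beta", "2.3.1", MIT_TEXT)]
CURRENT = [dependency_record("alpha", "1.1.0", MIT_TEXT), dependency_record("beta", "2.3.1", MIT_TEXT),
           dependency_record("gamma", "0.1.0", GPL_TEXT)]

if __FILE__ == $PROGRAM_NAME
  review_dependencies(CACHED, CURRENT).each { |name, why| puts "#{name}: #{why.join('; ')}" }
end
```

Committing the cached records alongside the code is what lets a CI check fail on exactly these flagged changes rather than on every build.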

GitHub is planning future enhancements for Licensed so that it works more smoothly in developer workflows and makes it easier to add new dependency sources; new dependency sources will also be added.

GitHub notes that the Licensed tool can quickly discover and document obvious licensing issues, but it is not a substitute for human review of dependencies, nor is it a complete open source licensing solution.

Where to Download the GitHub Licensed Tool

You can download the Licensed tool and find installation instructions in the project's GitHub repository.

Copyright © 2018 IDG Communications, Inc.