Document state and ongoing policy in respect of licenses for transitive dependencies across client libraries #83

Open
QuintinWillison opened this issue Jun 23, 2021 · 1 comment
Labels
sdk set this label to sync the issue into the SDK jira project

QuintinWillison commented Jun 23, 2021

This was asked by a customer:

Could you please provide me the details of any third party licenses that apply to any software you distribute? Is there a link on your web site for this? I want to make sure we're aware of any license terms that we may be subject to when we embed Ably libraries in our software.

See [this internal Slack discussion|https://ably-real-time.slack.com/archives/C8SPU4589/p1624446348423100].

paddybyers has stated:

the policy is that we rely on third-party dependencies in two categories:

  • open source-licensed components with non-copyleft licenses such as Apache, MIT, BSD. Dependencies with other open source licenses should be reviewed on a case-by-case basis and there really should be a record of that approval;
  • third-party commercially-licensed code, such as the Mapbox SDK. This is the only example of this so far, and therefore this category doesn't apply to the normal Ably SDKs.

Under this issue we should:

Audit and document licenses for dependencies across client libraries - including deciding where to document each ... it would make sense for this to live in some conformed and accessible format within each client library repository

Define a policy for documenting licenses for dependencies as we add them in future

@QuintinWillison

Some suggestions internally of tooling that may assist:

  • FOSSology - open source license compliance software system and toolkit
  • OSS Review Toolkit - assists with the tasks that commonly need to be performed in the context of license compliance checks, especially for (but not limited to) Free and Open Source Software dependencies

@QuintinWillison QuintinWillison added the sdk set this label to sync the issue into the SDK jira project label Jun 20, 2022