Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Collecting licenses of the 3rd party components we used #873

Open
5 tasks
freedomtan opened this issue Apr 4, 2024 · 16 comments
Open
5 tasks

Collecting licenses of the 3rd party components we used #873

freedomtan opened this issue Apr 4, 2024 · 16 comments
Assignees
@RSMNYS @anhappdev
Milestone
Play Store

Comments

@freedomtan
Copy link
Contributor

Let's try to list all the 3rd party components and corresponding licenses we used.

  • flutter
  • flutter plugins
  • tensorflow
  • third-party components used by tensorflow, e.g., libjpg, libpng
  • any other licenses?
@RSMNYS
Copy link
Contributor

RSMNYS commented Apr 15, 2024

I've used anchor/syft to generate the SBOM (Software list of materials). More info is here: https://github.com/anchore/syft
Next, by using sbom-utility: https://github.com/CycloneDX/sbom-utility, I've generated the list of the licenses. The only drawback is the duplication, which we can resolve.

Please find attached sbom, and licenses files
licenses.txt
sbom.json

@freedomtan
Copy link
Contributor Author

@RSMNYS Please try to use syft and sbom-util, so that we can automatically generate "licenses.txt" in our current CI/CD. Please try to send a PR for this.

@RSMNYS
Copy link
Contributor

RSMNYS commented Apr 22, 2024

here are the instructions how to generate sbom and then convert to the list of licenses:

Install syft

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Run syft from the directory

syft -o cyclonedx-json . --exclude './react' > sbom-cyclonedx.json --verbose

convert sbom to the licenses list

./sbom-utility license list -i /Volumes/work/Programming/ScopicSoftware/MLCommons/mobile/sbom-cyclonedx.json --summary --quiet -o licenses.txt

While this works to some degree, I found another tool that is used for the licenses check: scancode-toolkit ( https://github.com/nexB/scancode-toolkit). It scans through the files and trying to find the licenses in those. And looks like it identifies more licenses than the approach above. The output is in the json, so we can use some script to extract the info.

@RSMNYS
Copy link
Contributor

RSMNYS commented Apr 25, 2024

@freedomtan @anhappdev I found yet another tool, I'm using a free version of it, and results are really good. And we can use the free version for our needs. I'm attaching the list that the tool is able to generate. Furthermore we can use the API to fully automate it. Please check.

https://fossa.com

mlcommons_licenses.txt

@freedomtan
Copy link
Contributor Author

@RSMNYS please try to group packages with the same license together and then talk to Scott (@nathanw-mlc I don't know Scott's handle).

@nathanw-mlc
Copy link
Member

I don't know Scott's handle

@swasson488

@freedomtan
Copy link
Contributor Author

Let's ping Scott @swasson488 after @RSMNYS finish the grouping of licenses.

@RSMNYS
Copy link
Contributor

RSMNYS commented May 13, 2024

Hi guys! Here is the grouped licenses. Prepared the python script which parses the output from fossa service, and groups packages by license type.
grouped_packages_licenses.txt

@freedomtan
Copy link
Contributor Author

@RSMNYS to check with some legal guys to see if we can further reduce the file size.

@swasson488
Copy link

swasson488 commented May 14, 2024 via email

@anhappdev
Copy link
Collaborator

I spent some time testing the https://fossa.com mentioned by @RSMNYS. I think the HTML version of the report looks quite good and we can include it either in the app as HTML file or as a web link:
https://app.fossa.com/reports/eb25eabe-7e15-45fb-ac34-b1f1cd848b03

They also has warnings for possible licensing issue:
https://app.fossa.com/projects/custom%2B44937%2Fmobile_app_open-master

@RSMNYS
Copy link
Contributor

RSMNYS commented May 20, 2024

@RSMNYS to check with some legal guys to see if we can further reduce the file size.

Hi guys! We can do this in such way.

  1. Have the licenses directory in the app (for 3rd party licenses). And create the license file, which will have next structure:

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

This project makes use of the following third-party packages under the MIT License:

  • Package1

    • Copyright (c) 2024 Author1

  • Package2

    • Copyright (c) 2024 Author2

So, first license text, then only package name and copyrights.

  1. Also we can include the license section in Readme.md like so:

Licenses

This project is licensed under the Apache 2.0. License. For the full license text, see the LICENSE file.

Third-Party Licenses

This project includes third-party libraries that are licensed under various open-source licenses. The full text of these licenses can be found in the LICENSES directory.

For more details, see the LICENSE file and the LICENSES directory.

@freedomtan
Copy link
Contributor Author

freedomtan commented May 21, 2024
edited
Loading

I spent some time testing the https://fossa.com mentioned by @RSMNYS. I think the HTML version of the report looks quite good and we can include it either in the app as HTML file or as a web link: https://app.fossa.com/reports/eb25eabe-7e15-45fb-ac34-b1f1cd848b03

The HTML version looks good.

They also has warnings for possible licensing issue: https://app.fossa.com/projects/custom%2B44937%2Fmobile_app_open-master

Let's try to check out those possible issues.

@freedomtan
Copy link
Contributor Author

@RSMNYS to check with some legal guys to see if we can further reduce the file size.

Hi guys! We can do this in such way.

  1. Have the licenses directory in the app (for 3rd party licenses). And create the license file, which will have next structure:

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This project makes use of the following third-party packages under the MIT License:

  • Package1

    • Copyright (c) 2024 Author1

  • Package2

    • Copyright (c) 2024 Author2

So, first license text, then only package name and copyrights.

  1. Also we can include the license section in Readme.md like so:

Licenses

This project is licensed under the Apache 2.0. License. For the full license text, see the LICENSE file.

Third-Party Licenses

This project includes third-party libraries that are licensed under various open-source licenses. The full text of these licenses can be found in the LICENSES directory.

For more details, see the LICENSE file and the LICENSES directory.

Let's do it.

@freedomtan freedomtan mentioned this issue Jun 6, 2024
Open
4 tasks
@freedomtan
Copy link
Contributor Author

@TheKanter and @swasson488: Samsung guys said no need for additional redistribution licenses under MLCommons contract. Let's finish the EULA and other licenses.

@Mostelk
Copy link

Mostelk commented Oct 16, 2024

https://app.fossa.com/reports/eb25eabe-7e15-45fb-ac34-b1f1cd848b03 > Need to update for Stable DIffusionv1.5 @swasson488 @TheKanter

@anhappdev anhappdev added this to the Play Store milestone Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RSMNYS RSMNYS

@anhappdev anhappdev

Labels
None yet
Projects
None yet
Milestone
Play Store
Development

No branches or pull requests
6 participants
@freedomtan @RSMNYS @Mostelk @anhappdev @nathanw-mlc @swasson488