Problem
The repository currently has no mechanism for generating or enforcing third-party license attribution:
The new similar dependency is Apache-2.0 in an MIT-licensed project, highlighting the need for systematic attribution.
Solution
Adopt cargo-deny (or cargo-about) to generate and enforce third-party license attribution across all dependencies:
Note: This is closely related to issue #136 (supply-chain CI gate). Both are solved by adopting cargo-deny. Consider coordinating the implementation: cargo-deny's deny.toml can be configured to both audit licenses (D1) and block RUSTSEC advisories (D2).
Acceptance Criteria
Reference
Surfaced in: PR #137 (mds fmt formatter) code review, deferred-to-tech-debt section.
Related: #136 (supply-chain CI gate — both issues solved by cargo-deny)
Problem
The repository currently has no mechanism for generating or enforcing third-party license attribution:
NOTICEfile or license attribution outputsimilarin PR feat: mds fmt auto-formatter #137, PyO3 in PR feat(python): native Python bindings via PyO3 (mdscript) #131) add license complexityThe new
similardependency is Apache-2.0 in an MIT-licensed project, highlighting the need for systematic attribution.Solution
Adopt cargo-deny (or cargo-about) to generate and enforce third-party license attribution across all dependencies:
deny.tomlwith license allowlist (permissive OSS families: MIT, Apache-2.0, Apache-2.0-WITH-LLVM-exception, ISC, BSD-*, 0BSD)Note: This is closely related to issue #136 (supply-chain CI gate). Both are solved by adopting cargo-deny. Consider coordinating the implementation: cargo-deny's
deny.tomlcan be configured to both audit licenses (D1) and block RUSTSEC advisories (D2).Acceptance Criteria
deny.tomlcreated with license allowlistcargo deny checkpassesReference
Surfaced in: PR #137 (mds fmt formatter) code review, deferred-to-tech-debt section.
Related: #136 (supply-chain CI gate — both issues solved by cargo-deny)