Skip to content

tech-debt: systematic third-party license attribution (D1) #159

Description

@dean0x

Problem

The repository currently has no mechanism for generating or enforcing third-party license attribution:

The new similar dependency is Apache-2.0 in an MIT-licensed project, highlighting the need for systematic attribution.

Solution

Adopt cargo-deny (or cargo-about) to generate and enforce third-party license attribution across all dependencies:

  • Create deny.toml with license allowlist (permissive OSS families: MIT, Apache-2.0, Apache-2.0-WITH-LLVM-exception, ISC, BSD-*, 0BSD)
  • Generate NOTICE file or license attribution document automatically
  • Integrate into CI as a hard gate (see ci: add cargo-deny / cargo-audit supply-chain gate #136 for supply-chain CI gate)
  • Document in RELEASING.md and/or top-level LICENSE file

Note: This is closely related to issue #136 (supply-chain CI gate). Both are solved by adopting cargo-deny. Consider coordinating the implementation: cargo-deny's deny.toml can be configured to both audit licenses (D1) and block RUSTSEC advisories (D2).

Acceptance Criteria

Reference

Surfaced in: PR #137 (mds fmt formatter) code review, deferred-to-tech-debt section.
Related: #136 (supply-chain CI gate — both issues solved by cargo-deny)

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions