| Bob Badour | afaeb6a | 2021-10-25 16:59:56 -0700 | [diff] [blame] | 1 | // Copyright 2021 Google LLC |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | /* |
| 15 | |
| 16 | Package compliance provides an approved means for reading, consuming, and |
| 17 | analyzing license metadata graphs. |
| 18 | |
| 19 | Assuming the license metadata and dependencies are fully and accurately |
| 20 | recorded in the build system, any discrepancy between the official policy for |
| 21 | open source license compliance and this code is a bug in this code. |
| 22 | |
| 23 | A few principal types to understand are LicenseGraph, LicenseCondition, and |
| 24 | ResolutionSet. |
| 25 | |
| 26 | LicenseGraph |
| 27 | ------------ |
| 28 | |
| 29 | A LicenseGraph is an immutable graph of the targets and dependencies reachable |
| 30 | from a specific set of root targets. In general, the root targets will be the |
| 31 | artifacts in a release or distribution. While conceptually immutable, parts of |
| 32 | the graph may be loaded or evaluated lazily. |
| 33 | |
| 34 | LicenseCondition |
| 35 | ---------------- |
| 36 | |
| 37 | A LicenseCondition is an immutable tuple pairing a condition name with an |
| 38 | originating target. e.g. Per current policy, a static library licensed under an |
| 39 | MIT license would pair a "notice" condition with the static library target, and |
| 40 | a dynamic license licensed under GPL would pair a "restricted" condition with |
| 41 | the dynamic library target. |
| 42 | |
| 43 | ResolutionSet |
| 44 | ------------- |
| 45 | |
| 46 | A ResolutionSet is an immutable set of `AttachesTo`, `ActsOn`, `Resolves` |
| 47 | tuples describing how license conditions apply to targets. |
| 48 | |
| 49 | `AttachesTo` is the trigger for acting. Distribution of the target invokes |
| 50 | the policy. |
| 51 | |
| 52 | `ActsOn` is the target to share, give notice for, hide etc. |
| 53 | |
| 54 | `Resolves` is the license condition that the action resolves. |
| 55 | |
| 56 | Remember: Each license condition pairs a condition name with an originating |
| 57 | target so each resolution in a ResolutionSet has two targets it applies to and |
| 58 | one target from which it originates, all of which may be the same target. |
| 59 | |
| 60 | For most condition types, `ActsOn` and `Resolves.Origin` will be the same |
| 61 | target. For example, a notice condition policy means attribution or notice must |
| 62 | be given for the target where the condition originates. Likewise, a proprietary |
| 63 | condition policy means the privacy of the target where the condition originates |
| 64 | must be respected. i.e. The thing acted on is the origin. |
| 65 | |
| 66 | Restricted conditions are different. The infectious nature of restricted often |
| 67 | means sharing code that is not the target where the restricted condition |
| 68 | originates. Linking an MIT library to a GPL library implies a policy to share |
| 69 | the MIT library despite the MIT license having no source sharing requirement. |
| 70 | |
| 71 | In this case, one or more resolution tuples will have the MIT license module in |
| 72 | `ActsOn` and the restricted condition originating at the GPL library module in |
| 73 | `Resolves`. These tuples will `AttachTo` every target that depends on the GPL |
| 74 | library because shipping any of those targets trigger the policy to share the |
| 75 | code. |
| 76 | */ |
| 77 | package compliance |