Draft: Add uv license command #10292

Draft
wants to merge 7 commits into
base: main
@ryanleary ryanleary commented Jan 3, 2025

Summary

Add a new command, uv license, to uv to assist with dependency license audit needs in response to #8156. Design of command arguments loosely informed by https://crates.io/crates/cargo-license.

Example invocation:

$ cat pyproject.toml
[project]
name = "project"
version = "0.1.0"
requires-python = ">=3.12"
dependencies = [
    "scikit-learn==1.4.1.post1"
]
classifiers = [
    "License :: OSI Approved :: MIT License"
]
$
$ uv license --universal
project: 0.1.0, MIT License
scikit-learn: 1.4.1.post1, BSD License
joblib: 1.3.2, BSD License
numpy: 1.26.4, BSD License
scipy: 1.12.0, BSD License
threadpoolctl: 3.4.0, BSD License

As of right now, the implementation is very rough, with this PR intended to gather feedback on the approach, with the initial focus on pulling license information from Trove classifiers. A refined implementation would pivot to following PEP-639 guidelines, return license information as SPDX expressions, and gracefully fall back to Trove, and finally the (legacy?) license field.

I'd like feedback on whether or not the current approach:

  • Is a relatively expensive license() method on Package objects to trigger calls to DistributionDatabase.get_or_build_wheel_metadata sensible? Is there a better way that I am missing that would be minimally disruptive to the overall uv codebase?
  • There are many Metadata-related structs within the codebase which explicitly comment that they contain only the subset of fields required for dependency resolution. Adding additional optional fields here breaks this constraint and I'm not sure if it is desirable or would be acceptable to the maintainers.

Note: the display code is entirely copied from uv tree and cut down. I would rewrite to enable display organized by package or license/serialization to machine-readable summary, etc.

Any feedback appreciated. I am new to both the uv codebase and Rust, but will continue on this if we can agree on an approach.

@ryanleary ryanleary marked this pull request as draft January 3, 2025 18:10
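
The fallback order the description proposes for a refined implementation (PEP 639 `License-Expression`, then Trove classifiers, then the legacy `License` field), sketched in Python over core metadata text. This is an added example, not code from this PR or from uv; `resolve_license`, `audit` and the `SAMPLES` metadata are constructed for illustration.

```python
from email.parser import HeaderParser

def resolve_license(metadata_text):
    """Return (source, [license names]) for one package's core metadata."""
    msg = HeaderParser().parsestr(metadata_text)
    # 1. PEP 639: a single SPDX expression in License-Expression.
    expr = (msg.get("License-Expression") or "").strip()
    if expr:
        return ("spdx", [expr])
    # 2. Trove classifiers: keep the last segment, e.g. "MIT License".
    trove = [c.split(" :: ")[-1].strip()
             for c in msg.get_all("Classifier", [])
             if c.strip().startswith("License :: ")]
    if trove:
        return ("trove", trove)
    # 3. Legacy License field: free text, sometimes the whole license body,
    #    so keep the first non-empty line. Older build tools emitted
    #    "UNKNOWN" for a missing value; treat that as absent.
    lines = [ln.strip() for ln in (msg.get("License") or "").splitlines()
             if ln.strip()]
    if lines and lines[0].upper() != "UNKNOWN":
        return ("legacy", [lines[0]])
    return ("unknown", [])

def audit(packages, allowed):
    """Names of packages whose license is unresolved or not in `allowed`."""
    flagged = []
    for name, text in packages.items():
        source, names = resolve_license(text)
        # Fail closed: no license information counts as a finding.
        if source == "unknown" or any(n not in allowed for n in names):
            flagged.append(name)
    return flagged

# Constructed sample metadata, not taken from real packages.
SAMPLES = {
    "pep639-pkg": "Metadata-Version: 2.4\nName: pep639-pkg\nVersion: 1.0\n"
                  "License-Expression: MIT OR Apache-2.0\n",
    "trove-pkg": "Metadata-Version: 2.1\nName: trove-pkg\nVersion: 1.0\n"
                 "License: see LICENSE file\n"
                 "Classifier: License :: OSI Approved :: BSD License\n",
    "legacy-pkg": "Metadata-Version: 2.1\nName: legacy-pkg\nVersion: 1.0\n"
                  "License: Apache License 2.0\n"
                  "        Licensed under the Apache License, Version 2.0\n",
    "bare-pkg": "Metadata-Version: 2.1\nName: bare-pkg\nVersion: 1.0\n"
                "License: UNKNOWN\n",
}
```

Returning the source alongside the value lets an audit report distinguish an SPDX expression from a free-text legacy string, which cannot be matched against an allowlist as reliably.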