Distribution Prep / License checking

# Distribution Prep / License checking ###### tags: `By_Ivan` Used Tool list: * Docker * [fossology](https://www.fossology.org/) * [Dive](https://github.com/wagoodman/dive) * [pip-licenses](https://pypi.org/project/pip-licenses/) Basically, Fossology is a database designed for license scanning. It would unzip(if needed) the document and then explore the file word-by-words. Dive is used to inspect every layer of a docker containers. ## Scenario 1: Inspecting a big application containing many packages Create a clean environment via docker first (e.g. docker run ubuntu). Inside the clean environment, install the target application, then check the added packages. If the application is installed by package managers, their license can be check by using the fallowing command. APT (deb): ```shell= awk '/^License:/ { print $2 }' /usr/share/doc/*/copyright | sort -u grep -l <specific_license> /usr/share/doc/*/copyright ``` rpm (cent): ```shell= rpm -qa --qf "%{name}: %{license}\n" ``` OR, pack-up all the files from the container and export to Fossology, a open source license compliance software system. By scaning through the entire container, every License file can be found and be shown in Fossology's GUI. Also, Fossology supports scanning a git-hub repository. ## Scenario 2: A docker image ![layers](https://i.imgur.com/BCkKiMz.png)</br> [explaining docker container licensing](https://www.linuxfoundation.org/blog/2020/04/docker-containers-what-are-the-open-source-licensing-considerations/) When checking a image's license, every layer defined by dockerfile inside the image should be checked. (Here we're not referring to the dockerfile, it has different regulations) Dive is designed to open up a docker image and show all information of each layer inside the given image. ```shell= dive <your-image-tag> ``` ## Scenario 3: Inspecting python packages Open source modules often include their own Licenses in git-repo. More likely, some of the source codes could be treated as domain knowledge and would not require License. If using a module which is installed by pip, its license can be checked by "pip-licenses". ```shell= pip-licenses --from=mixed --with-system # --from=mixed : check license from both Trove Classifiers and metadata # --with-system : show system packages ``` ___