Hi Andrew,


we have the following process to establish license compliance internally:


·         We have a repository with a requirements.txt that lists whitelisted open source packages (including version numbers)

·         When a user wants to use a new open source package or a new version of an already whitelisted package, he creates a pull request for that repo.

·         If the reviewer considers that the license is OK, we merge the pull request and then use devpi-builder to automatically upload the whitelisted packages to an OSSWhitelist user/index (see https://github.com/blue-yonder/devpi-builder). The review is a manual process, as it is quite common that the package metadata is inaccurate. However, in practice it only takes about a minute, so the overhead is small.

·         We ensure that nobody can use an index inheriting from root/pypi from the production network


This process is not bullet-proof, but works pretty well for us.  Here is a talk where I provide some further details of our setup: https://www.youtube.com/watch?v=re7dtwYy5sc


Best regards,



From: <dev...@googlegroups.com> on behalf of Andrew Rothstein <andrew...@gmail.com>
Date: Thursday 11 August 2016 at 22:01
To: devpi-dev <dev...@googlegroups.com>
Subject: [devpi-dev] license compliance check


I want to stand up a mirror to proxy/cache the python packages my team is using behind our corporate firewall. A scale challenge we're having is that when Bob wants to use package X, we need to validate that all of package X's dependencies are published under one of a finite set of compliant OSS licenses. Any recommendations how to be more automated about this? Is this a feature of devpi that I just haven't stumbled upon yet? Is there a best practice for implementing this at a step prior to injection into the index? Any pointers/tips/recommendations welcome.


Thanks, Andrew

You received this message because you are subscribed to the Google Groups "devpi-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to devpi-dev+unsu...@googlegroups.com.
To post to this group, send email to devp...@googlegroups.com.
Visit this group at https://groups.google.com/group/devpi-dev.
For more options, visit https://groups.google.com/d/optout.