We have the following process to establish license compliance internally:
· We have a repository with a requirements.txt that lists whitelisted open source packages (including version numbers)
· When a user wants to use a new open source package or a new version of an already whitelisted package, he creates a pull request for that repo.
· If the reviewer considers that the license is OK, we merge the pull request and then use devpi-builder to automatically upload the whitelisted packages to an OSSWhitelist user/index (see https://github.com/blue-yonder/devpi-builder). The review is a manual process, as it is quite common that the package metadata is inaccurate. However, in practice it only takes about a minute, so the overhead is small.
· We ensure that nobody can use an index inheriting from root/pypi from the production network
This process is not bullet-proof, but works pretty well for us. Here is a talk where I provide some further details of our setup: https://www.youtube.com/watch?v=re7dtwYy5sc
I want to stand up a mirror to proxy/cache the Python packages my team is using behind our corporate firewall. A scale challenge we're having is that when Bob wants to use package X, we need to validate that all of package X's dependencies are published under one of a finite set of compliant OSS licenses. Any recommendations on how to be more automated about this? Is this a feature of devpi that I just haven't stumbled upon yet? Is there a best practice for implementing this at a step prior to injection into the index? Any pointers/tips/recommendations welcome.
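An added example, not from either poster and not devpi's or devpi-builder's own code, of the automated pre-check asked for above, fitted to the whitelist process in the reply: it reads core-metadata text (the PKG-INFO/METADATA fields of an sdist or wheel), compares the License field and the License classifiers against an allowlist, walks Requires-Dist transitively, and routes anything missing or self-contradictory to manual review instead of auto-approving it, since the reply notes the metadata is often inaccurate. The allowlist, the spelling table and the sample metadata are constructed for the example; in practice the metadata text would be read from the distribution under review.

```python
import re
from email.parser import HeaderParser

ALLOWED = {"MIT", "BSD-3-Clause", "Apache-2.0"}  # constructed allowlist
# Common License-field / classifier spellings mapped to one canonical name.
CANON = {"mit": "MIT", "mit license": "MIT", "bsd license": "BSD-3-Clause",
         "apache software license": "Apache-2.0"}

def declared_licenses(metadata_text):
    """Canonical licenses from the License field and License classifiers."""
    msg = HeaderParser().parsestr(metadata_text)
    found = set()
    lic = (msg.get("License") or "").strip()
    if lic and lic.upper() != "UNKNOWN":
        found.add(CANON.get(lic.lower(), lic))
    for c in msg.get_all("Classifier", []):
        parts = [p.strip() for p in c.split("::")]
        if len(parts) >= 3 and parts[0] == "License":
            found.add(CANON.get(parts[-1].lower(), parts[-1]))
    return found

def verdict(metadata_text):
    """allow / deny / review; ambiguous metadata always goes to a human."""
    found = declared_licenses(metadata_text)
    if len(found) != 1:  # missing, unknown or contradictory declarations
        return "review"
    return "allow" if found.pop() in ALLOWED else "deny"

def check_closure(root, metadata_by_name):
    """Walk Requires-Dist transitively, extras included; {package: verdict}."""
    results, todo = {}, [root.lower()]
    while todo:
        name = todo.pop()
        if name in results:
            continue
        text = metadata_by_name.get(name)
        if text is None:
            results[name] = "review"  # not in our index: nothing to vouch for
            continue
        results[name] = verdict(text)
        for req in HeaderParser().parsestr(text).get_all("Requires-Dist", []):
            todo.append(re.match(r"[A-Za-z0-9_.\-]+", req).group(0).lower())
    return results
# Constructed sample metadata (PKG-INFO style); not any real package's files.
SAMPLE = {
    "appfoo": "License: MIT\nClassifier: License :: OSI Approved :: MIT License\n"
              "Requires-Dist: libbar (>=2.0)\nRequires-Dist: libbaz; extra == 'x'\n",
    "libbar": "License: GPL-3.0\nRequires-Dist: libqux\n",
    "libbaz": "License: MIT\nClassifier: License :: OSI Approved :: BSD License\n",
}
```

Running `check_closure("appfoo", SAMPLE)` approves appfoo itself but denies libbar, flags libbaz for review because its License field and classifier disagree, and flags libqux because it is not in the index at all.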