I want to stand up a mirror to proxy/cache the python packages my team is using behind our corporate firewall. A scale challenge we're having is that when Bob wants to use package X, we need to validate that all of package X's dependencies are published under one of a finite set of compliant OSS licenses. Any recommendations how to be more automated about this? Is this a feature of devpi that I just haven't stumbled upon yet? Is there a best practice for implementing this at a step prior to injection into the index? Any pointers/tips/recommendations welcome.

Thanks, Andrew