Reads the `pylic` configuration in `pyproject.toml` and checks the licenses of installed packages recursively.
Principles:
- Every license has to be allowed explicitly (case-insensitive comparison).
- All installed packages without a license are considered unsafe and have to be listed as such.
Only installed packages are checked for licenses: `pylic` inspects the metadata of the packages in the current environment and ignores the dependencies declared in `pyproject.toml`.
```shell
pip install pylic
```
`pylic` needs to be run in the directory where your `pyproject.toml` file is located. You can configure:
- `safe_licenses`: All licenses you consider safe for usage. The string comparison is case-insensitive.
- `unsafe_packages`: If you rely on a package that does not come with a license, you have to explicitly list it as such.
- `ignore_packages`: Packages that will not be reported as unsafe even if they use a license not listed as safe. This is useful when an existing project wants to start integrating `pylic` but still depends on packages with unsafe licenses. It allows you to ignore those packages temporarily while they are being replaced, to validate newly added or updated packages against the safe license set right away, and to integrate `pylic` into CI/CD from the get-go without friction. Treat entries in `ignore_packages` as temporary exceptions and remove them once the package has been replaced.
```toml
[tool.pylic]
safe_licenses = [
    "Apache Software License",
    "Apache License 2.0",
    "MIT License",
    "Python Software Foundation License",
    "Mozilla Public License 2.0 (MPL 2.0)",
]
unsafe_packages = [
    "unlicensedPackage",
]
ignore_packages = [
    "ignoredPackage",
]
```
`pylic` provides the following commands (also see `pylic help`):
- `check`: Checks all installed licenses.
- `list`: Lists all installed packages and their corresponding license.
Create a venv to start from a clean slate and activate it:

```shell
python -m venv .venv
source .venv/bin/activate
```

Install `pylic` and create an empty `pyproject.toml`:

```shell
pip install pylic
touch pyproject.toml
```

Install all your dependencies:

```shell
pip install <packageA> <packageB>
```

Run `pylic`:

```shell
pylic check
```
The output will be similar to:

```text
Found unsafe packages:
  pkg_resources (0.0.0)
Found unsafe licenses:
  pip (18.1): MIT License
  zipp (3.4.1): MIT License
  toml (0.10.2): MIT License
  pylic (1.2.0): MIT License
  setuptools (40.8.0): MIT License
  typing-extensions (3.7.4.3): Python Software Foundation License
  importlib-metadata (3.9.0): Apache Software License
```
The return code of `pylic` is non-zero in this case because of the unsafe package and the unsafe licenses. This allows `pylic` to fail a CI job:

```shell
echo $? # prints 1
```
As these licenses and packages are all fine, we can configure `pylic` accordingly:

```shell
cat <<EOT >> pyproject.toml
[tool.pylic]
safe_licenses = ["Apache Software License", "MIT License", "Python Software Foundation License"]
unsafe_packages = ["pkg_resources"]
EOT
```
After rerunning `pylic check` the output now reveals a successful validation:

```text
✨ All licenses ok ✨
```

The return code now also signals that all is good:

```shell
echo $? # prints 0
```
Use `pylic list` to list all installed packages and their corresponding licenses.
In cases where the safe licenses or unsafe packages are centrally managed, keeping the configuration perfectly in sync with the installed packages might be too cumbersome or even impossible. To support these use cases the `check` command provides two options (see also `check --help`): `--allow-extra-safe-licenses` and `--allow-extra-unused-packages`. These options only affect the returned status code; all corresponding warnings are still printed unchanged.
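As an added example (illustrative code, not pylic's own implementation), the following Python models the check described by the two principles, the three configuration keys, and the two `--allow-extra-*` options above. The sample packages and the `[tool.pylic]` table are constructed to mirror the walk-through output on this page; the `legacy-gpl-pkg` entry and the `gone-pkg` name are hypothetical. The resolution order in `license_of` (trove classifier first, then the `License` metadata field, with `UNKNOWN` meaning "no license") is an assumption, since the page does not say how pylic derives license names.

```python
"""Minimal license check following the principles described above (added example, not pylic)."""
import importlib.metadata as md
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Package:
    name: str
    version: str
    license: Optional[str]  # None: the distribution ships no license metadata


@dataclass
class Result:
    unsafe_packages: List[Package] = field(default_factory=list)      # unlicensed, not declared unsafe
    unsafe_licenses: List[Package] = field(default_factory=list)      # license outside the safe set
    extra_safe_licenses: List[str] = field(default_factory=list)      # safe licenses nothing uses
    unused_unsafe_packages: List[str] = field(default_factory=list)   # declared unsafe, not found unlicensed

    def exit_code(self, allow_extra_safe_licenses: bool = False,
                  allow_extra_unused_packages: bool = False) -> int:
        """Findings always fail the run; the --allow-extra-* flags only relax the extras."""
        if self.unsafe_packages or self.unsafe_licenses:
            return 1
        if self.extra_safe_licenses and not allow_extra_safe_licenses:
            return 1
        if self.unused_unsafe_packages and not allow_extra_unused_packages:
            return 1
        return 0


def license_of(dist: md.Distribution) -> Optional[str]:
    """Derive a license name from distribution metadata (assumed resolution order)."""
    meta = dist.metadata
    for classifier in meta.get_all("Classifier") or []:
        if classifier.startswith("License ::"):
            return classifier.split("::")[-1].strip()
    value = (meta.get("License") or "").strip()
    return value if value and value.upper() != "UNKNOWN" else None


def installed_packages() -> List[Package]:
    """Collect every distribution in the current environment, which is what gets checked."""
    return [Package(d.metadata["Name"], d.version, license_of(d)) for d in md.distributions()]


def check(packages: List[Package], config: Dict[str, List[str]]) -> Result:
    """Apply the two principles plus ignore_packages, given a parsed [tool.pylic] table."""
    safe = {s.lower() for s in config.get("safe_licenses", [])}     # case-insensitive comparison
    unsafe = {p.lower() for p in config.get("unsafe_packages", [])}
    ignored = {p.lower() for p in config.get("ignore_packages", [])}

    result = Result()
    used_licenses, unlicensed = set(), set()
    for pkg in packages:
        name = pkg.name.lower()
        if pkg.license is None:
            unlicensed.add(name)
            if name not in unsafe:  # principle 2: unlicensed packages must be declared explicitly
                result.unsafe_packages.append(pkg)
            continue
        used_licenses.add(pkg.license.lower())
        if pkg.license.lower() not in safe and name not in ignored:  # principle 1
            result.unsafe_licenses.append(pkg)

    # Extras: configuration entries that no longer match the environment (warning only if allowed).
    result.extra_safe_licenses = sorted(safe - used_licenses)
    result.unused_unsafe_packages = sorted(unsafe - unlicensed)
    return result


def report(result: Result) -> str:
    """Render findings in the same shape as the output shown on this page."""
    lines = []
    if result.unsafe_packages:
        lines.append("Found unsafe packages:")
        lines += [f"  {p.name} ({p.version})" for p in result.unsafe_packages]
    if result.unsafe_licenses:
        lines.append("Found unsafe licenses:")
        lines += [f"  {p.name} ({p.version}): {p.license}" for p in result.unsafe_licenses]
    if result.extra_safe_licenses:
        lines.append("Safe licenses not used by any installed package: " + ", ".join(result.extra_safe_licenses))
    if result.unused_unsafe_packages:
        lines.append("Unsafe packages not found unlicensed: " + ", ".join(result.unused_unsafe_packages))
    return "\n".join(lines) if lines else "All licenses ok"


# Constructed sample data mirroring the walk-through output; legacy-gpl-pkg is hypothetical.
SAMPLE_PACKAGES = [
    Package("pkg_resources", "0.0.0", None),
    Package("pip", "18.1", "MIT License"),
    Package("typing-extensions", "3.7.4.3", "Python Software Foundation License"),
    Package("importlib-metadata", "3.9.0", "Apache Software License"),
    Package("legacy-gpl-pkg", "1.0", "GNU General Public License v3 (GPLv3)"),
]
SAMPLE_CONFIG = {  # hypothetical [tool.pylic] table; note the lower-case Apache entry still matches
    "safe_licenses": ["apache software license", "MIT License",
                      "Python Software Foundation License", "BSD License"],
    "unsafe_packages": ["pkg_resources"],
    "ignore_packages": ["legacy-gpl-pkg"],
}

if __name__ == "__main__":
    import sys
    res = check(SAMPLE_PACKAGES, SAMPLE_CONFIG)
    print(report(res))
    sys.exit(res.exit_code(allow_extra_safe_licenses="--allow-extra-safe-licenses" in sys.argv))
```

Run as a script it reports on the constructed sample: "BSD License" is configured but unused, so the exit code is 1 unless `--allow-extra-safe-licenses` is passed, exactly the status-code-only effect described above. To check a real environment, pass `installed_packages()` instead of `SAMPLE_PACKAGES` and the `[tool.pylic]` table parsed from `pyproject.toml` (for example with `tomllib` on Python 3.11+).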
`pylic` provides a pre-commit integration. Follow the instructions and enable automatic license checking on commits by adding

```yaml
- repo: https://github.com/ubersan/pylic
  rev: v<version>
  hooks:
    - id: pylic
```

to your `.pre-commit-config.yaml` file.
Required tools:
- Poetry (https://python-poetry.org/)

Run `poetry install` to install all necessary dependencies. Check out the `[tool.taskipy.tasks]` section (see taskipy) in the `pyproject.toml` file for utility tasks. You can run these with `poetry run task <task>`.
Creating a new release is as simple as:
- Update `version` in the `pyproject.toml` and the `__version__.py` file.
- Run `poetry run task release`.