| | go-licenses | addlicense |
|---|---|---|
| Mentions | 1 | 1 |
| Stars | 767 | 672 |
| Growth | 1.2% | 0.9% |
| Activity | 3.4 | 2.9 |
| Last commit | 11 days ago | 4 months ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
go-licenses
Shouldn't have happened: A vulnerability postmortem
> I don't think the exact URL is the problem, it is the fact that it is so easy to include dependencies from external repository that is the problem. In Rust every non-trivial library pulls in 10s or even 100s of dependencies.
But it's also quite a lot easier to audit those dependencies, even automatically (incidentally, GitHub provides dependency scanning for free for many languages).
> Then there is the issue of licencing - how to verify that I am not using some library in violation of its licence and what happens if the licence changes down the road and I don't notice it because I am implicitly using 500 dependencies due to my 3 main libraries?
This is also an automated task. For example, https://github.com/google/go-licenses
> go-licenses analyzes the dependency tree of a Go package/binary. It can output a report on the libraries used and under what license they can be used. It can also collect all of the license documents, copyright notices and source code into a directory in order to comply with license terms on redistribution.
> Rust and Go have solved memory safety compared to C and C++ but have introduced dependency hell of yet unknown proportions.
I mean, it's been a decade and things seem to be going pretty well. Also, I don't think anyone who has actually used these languages seriously has ever characterized their dependency management as "dependency hell"; however, lots of people talk about the "dependency hell" of managing C and C++ dependencies.
> Python and other dynamically typed languages are in a league of their own in that, on top of the dependency hell, they also do not provide compiler checks that would allow the user to see the problem before the exact conditions occur at runtime.
I won't argue with you there.
addlicense
Add License Headers to Your Code Files
This is where license-header tools come in handy. One commonly used tool is the addlicense project under the 'google' organization. 'addlicense' lets you add license statements to specified files from the command line. However, 'addlicense' has limited functionality: it only adds license headers to files. Some issues raised for 'addlicense' include:
What are some alternatives?
gitgen - Generate license and gitignore files from Go without an internet connection. It also has a convenience CLI, but can be used as a library as well
nwa - A More Powerful License Header Management Tool
automaxprocs - Automatically set GOMAXPROCS to match Linux container CPU quota.
doublestar - Implements support for double star (**) matches in golang's path.Match and filepath.Glob.
JDK - JDK main-line development https://openjdk.org/projects/jdk
cobra - A Commander for modern Go CLI interactions
nwa-examples - Examples of NWA functionality