1// Copyright 2021 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14 15// Much of this content appears too in README.md 16// When changing this file consider whether the change also applies to README.md 17 18/* 19 20Package compliance provides an approved means for reading, consuming, and 21analyzing license metadata graphs. 22 23Assuming the license metadata and dependencies are fully and accurately 24recorded in the build system, any discrepancy between the official policy for 25open source license compliance and this code is a bug in this code. 26 27A few principal types to understand are LicenseGraph, LicenseCondition, and 28ResolutionSet. 29 30LicenseGraph 31------------ 32 33A LicenseGraph is an immutable graph of the targets and dependencies reachable 34from a specific set of root targets. In general, the root targets will be the 35artifacts in a release or distribution. While conceptually immutable, parts of 36the graph may be loaded or evaluated lazily. 37 38Conceptually, the graph itself will always be a directed acyclic graph. One 39representation is a set of directed edges. Another is a set of nodes with 40directed edges to their dependencies. 41 42The edges have annotations, which can distinguish between build tools, runtime 43dependencies, and dependencies like 'contains' that make a derivative work. 44 45LicenseCondition 46---------------- 47 48A LicenseCondition is an immutable tuple pairing a condition name with an 49originating target. e.g. Per current policy, a static library licensed under an 50MIT license would pair a "notice" condition with the static library target, and 51a dynamic license licensed under GPL would pair a "restricted" condition with 52the dynamic library target. 53 54ResolutionSet 55------------- 56 57A ResolutionSet is an immutable set of `AttachesTo`, `ActsOn`, `Resolves` 58tuples describing how license conditions apply to targets. 59 60`AttachesTo` is the trigger for acting. Distribution of the target invokes 61the policy. 62 63`ActsOn` is the target to share, give notice for, hide etc. 64 65`Resolves` is the set of condition types that the action resolves. 66 67For most condition types, `ActsOn` will be the target where the condition 68originated. For example, a notice condition policy means attribution or notice 69must be given for the target where the condition originates. Likewise, a 70proprietary condition policy means the privacy of the target where the 71condition originates must be respected. i.e. The thing acted on is the origin. 72 73Restricted conditions are different. The infectious nature of restricted often 74means sharing code that is not the target where the restricted condition 75originates. Linking an MIT library to a GPL library implies a policy to share 76the MIT library despite the MIT license having no source sharing requirement. 77 78In this case, one or more resolution tuples will have the MIT license module in 79`ActsOn` and the restricted condition originating at the GPL library module in 80`Resolves`. These tuples will `AttachTo` every target that depends on the GPL 81library because shipping any of those targets trigger the policy to share the 82code. 83*/ 84package compliance 85