-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warnings from assembly files in golang.org/x/* #120
Comments
Good points raised for "ignorable warnings teaches people to ignore all warnings". I think the main decision comes from -- "how does OtherFiles include extra dependencies into the built go binary?"
I have never worked with Go + assembly files, but if this is true, we can safely ignore .[sS] files then. |
I too am unsure, so I sent a question to https://groups.google.com/g/golang-nuts (I guess it's waiting to get through moderation at the moment). |
I got an answer to this on an intranet message board:
I would expect that for .s files we can skip the warning. For other suffixes including .S, the C preprocessor might include otherwise-licensed files from the host filesystem, so we could like to a README entry that describes this. How does that sound? |
That sounds good! |
So I guess we can avoid the warning when .s files are detected. |
Is there any workaround for this? Is it possible to ignore .s files with current release? Thanks. |
I'm afraid not, I never got around to implementing the suggested approach :( |
Has there been any work done here? |
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. Closes #139. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. Closes #139. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. Closes #139. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. Closes #139. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. Closes #139. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. Closes #139. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/
By utilizing the neat go-licenses[0] tool, scanning the cached Go dependencies against an allow list of licenses, which is currently leaned from Icinga DB, works quite like a charm. This, however, only includes Go code and produces warnings for (transitive) included Go Assembly code[1]. If we are planning to include other non-Go artefacts in the future, those also might need to be identified - REUSE[2] might help there. [0] https://github.com/google/go-licenses [1] google/go-licenses#120 [2] https://reuse.software/ (cherry picked from commit 10d5b1b09f6ab81734a24c5a32bd63a1138750c0)
When run on projects that refer to x/sys or x/crypto, go-licenses prints warnings like:
It might print 10-20 warnings per run, which can be confusing the first time you see them, but the tool is operating as expected as these files don't introduce external dependencies (as far as I'm aware - I'm not sure how
go mod
would handle an external dependency from a non-go file).This doesn't block use of the tool but it's nice to avoid printing warnings in the normal case, as it teaches people to ignore warnings.
I can imagine the following alternatives although I'm not sure how to choose between them:
OtherFiles
:go mod
will ignore these files so they are unable to pull in external dependencies. Instead, those projects should vendor the external dependencies and record this in their LICENSE file..[sS]
files inOtherFiles
, as assembly doesn't have a way of modelling external dependencies, whereas plausibly other files might..[sS]
files from golang.org/x/*, after manually reviewing them to check that they don't have external dependencies.--ignore
flag in Add --ignore option #46. This would allow users to record in a script which files they have manually reviewed. This would be useful if we expect users to manually review these files, rather than ignoring the warnings.I do not know how I would review the files listed in the "non-Go code" warning for external dependencies that should be listed. For example, asm_linux_amd64.s has no reference to an external repository (that I can see), but includes textflag.h, which has the same license header. Is this sufficient to conclude that the warning can be ignored? What is the user expected to do when they see this warning? Can it be automated?
The text was updated successfully, but these errors were encountered: