On 25/06/16 04:28, Nico Kadel-Garcia wrote:
It's inherently unpredictable. While many of the standard Maven repository packages have good license, it's not a pre-requisite to provide buildable or open source or free software licenses for packages accepted by various public Maven repositories. The only way to prevent loading of an unexpectedly mislicensed package in doing a normal maven build is to turn off all public repositories and use a well defined local one. And makiong sure of *that* basically means turning off DNS or all networking in your build environment.
Assuming someone has done the work to look at the licenses etc for the stack they pull through, how does koji itself handle the metadata around the content that went in - thats the key thing really, can we preserve that, export it in a way that its further consumeable down the line ? ie. can the buildroots be regenerated ?
regards