Collect licenses of built go binaries
While checking dependency_licenses.json for https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2402, I've noticed that go projects we build do not have their dependencies listed.
I was thinking about this a bit and realised that this should not be a problem of the package. We are building the project and getting the final binary that we ship so we should only care about the license of the final product.
@gitlab-build-team @joshlambert Should we push the license compatibility check back to these projects?
"Offenders":
gitlab-elasticsearch-indexer
gitlab-pages
gitlab-pages
node-exporter
postgres-exporter
prometheus
redis-exporter
registryActivity
I had thought one of the benefits of the ability to automatically collect these and do license validation was that we didn't depend on a developer to do the right thing. It was more of a final check to ensure we don't accidentally ship something we shouldn't.
Is the issue that Go can automatically download dependencies and so it is hard for us to determine what those are?
@joshlambert check this list for example. I don't think it is up to us to go and check all these licenses and whether they are compatible with the final binary. In my opinion, all these projects should have their own license check. We only ship the final binary and we should only be responsible of showing that license and making sure the final binary is compatible with the rest of our stack
mentioned in commit 7b362f36
