0.2.0 license update#124
Conversation
Regenerate the third-party license inventory covering all optional dependencies (cu12, cu13, mace, uma, aimnet, ase, pymatgen) and dependency groups, via a repeatable .licenses/generate_licenses.sh. Adds a license-overrides.json mechanism to fill licenses for packages whose PyPI metadata lacks a usable SPDX identifier. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Dallas Foster <dallasf@nvidia.com>
Greptile SummaryThis PR establishes a reproducible third-party license inventory for the 0.2.0 release, covering all optional extras (
Important Files Changed
Reviews (1): Last reviewed commit: "0.2.0 license update" | Re-trigger Greptile |
|
|
||
| # pip-licenses runs from an isolated tool env and inspects $PY via --python, | ||
| # so pip-licenses' own deps never pollute the inventory. | ||
| PL=(uvx pip-licenses@latest --python "$PY") |
There was a problem hiding this comment.
Using
pip-licenses@latest fetches whichever version is current at run time, so two engineers regenerating the inventory on different days can get different field names, column ordering, or flag behaviour. The --python flag (used on this same line) was added in pip-licenses 4.1; if @latest ever resolves to a build that drops or renames it, the script will either error or silently scan the wrong environment. Pin to the lowest version that guarantees --python support to make the script fully reproducible.
| PL=(uvx pip-licenses@latest --python "$PY") | |
| PL=(uvx pip-licenses@4.1 --python "$PY") |
| r["LicenseText"] = o.get("evidence", o["license"]) # paper trail, no file shipped | ||
| applied.append(r["Name"]) | ||
|
|
||
| data.sort(key=lambda r: (r["License"].lower(), r["Name"].lower())) # mirror --order=license |
There was a problem hiding this comment.
If
pip-licenses ever returns a record whose License field is None (possible for unusual packages), calling .lower() directly will raise AttributeError and abort the script mid-write, potentially leaving the output files in a partially-overwritten state. The rest of the script already uses the (r["License"] or "UNKNOWN") guard; applying the same pattern to the sort key keeps it consistent.
| data.sort(key=lambda r: (r["License"].lower(), r["Name"].lower())) # mirror --order=license | |
| data.sort(key=lambda r: ((r["License"] or "UNKNOWN").lower(), (r["Name"] or "").lower())) # mirror --order=license |
| ## Overrides | ||
|
|
||
| ```bash | ||
| PYTHON=3.12 .licenses/generate_licenses.sh # change interpreter version | ||
| REUSE_ENV=1 .licenses/generate_licenses.sh # skip the venv rebuild | ||
| ``` |
There was a problem hiding this comment.
The heading "## Overrides" is ambiguous — the previous section already explains
license-overrides.json as the override mechanism. This section is actually about script env-var customisation (PYTHON=, REUSE_ENV=), so a more accurate heading reduces confusion for contributors skimming the file.
| ## Overrides | |
| ```bash | |
| PYTHON=3.12 .licenses/generate_licenses.sh # change interpreter version | |
| REUSE_ENV=1 .licenses/generate_licenses.sh # skip the venv rebuild | |
| ``` | |
| ## Script env-var customisation | |
| ```bash | |
| PYTHON=3.12 .licenses/generate_licenses.sh # change interpreter version | |
| REUSE_ENV=1 .licenses/generate_licenses.sh # skip the venv rebuild |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
ALCHEMI Toolkit Pull Request
Description
Regenerate the third-party license inventory covering all optional dependencies (cu12, cu13, mace, uma, aimnet, ase, pymatgen) and dependency groups, via a repeatable .licenses/generate_licenses.sh. Adds a license-overrides.json mechanism to fill licenses for packages whose PyPI metadata lacks a usable SPDX identifier.
Type of Change
Testing
make pytest)make lint)Checklist
Additional Notes
Tip
This repository uses Greptile, an AI code review service, to help conduct
pull request reviews. We encourage contributors to read and consider suggestions
made by Greptile, but note that human maintainers will provide the necessary
reviews for merging: Greptile's comments are not a qualitative judgement
of your code, nor is it an indication that the PR will be accepted/rejected.
We encourage the use of emoji reactions to Greptile comments, depending on
their usefulness and accuracy.