[Non-Free] The Prosperity Public License 2.0.0

I was trying to locate and fork GitHub’s Dependabot in response to this user’s request on the Gitea forum when I ran into this licence.

A more worthy fork is the GitLab implementation(already posted here), which at the moment is carrying an MIT licence.

1 Like

Good find :sweat: I was not aware and, like yourself, tempted to install it.

1 Like

This seems like a perfect candidate for a federated service.

My schedule is completely packed for this year, but this seems like an interesting problem so leaving resources for anyone that’s interested:

Implementation requirements

GitHub’s implementation has decent, high-level architecture overview to how it works.

  • Every supported forge requires a method to fetch (package management)files from the forge
  • Every supported package manager requires a parser implementation to understand how dependencies are described
  • Every supported package repository(pypy.org, crates.io, etc.) requires implementation to get the latest version
  • Additionally, vulnerable dependencies must be checked and warned(emails to the maintainer or other private and secure channels)[0].

ForgeFed requirements

ForgeFed must include support for fetching files via federation similar to this Gitea endpoint. This is currently not a part of the ForgeFed goals.

Many code analysis services use this endpoint for cheap and on-demand source files fetching, so there is incentive in defining source files fetching within the ForgeFed spec.


[0]: The GitLab implementation relies on GitHub Advisory database, which per GitLab Dependabot documentation, requires a GitHub access token. But I believe the GitHub Advisory database can be replaced with the NIST Vulnerability Database(NVD) feeds. If anyone is aware of other trusted, independent sources, kindly let me know.