<!--
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>

SPDX-License-Identifier: MPL-2.0
-->

# embed-licensing

Embed licensing information of dependencies to comply with free software licenses.

This allows outputting a list of all dependencies at runtime.

## Features

- collecting dependencies at build-time using a proc macro
  - name
  - version
  - authors (from Cargo.toml)
  - license (SPDX expression from Cargo.toml’s `license` field or content of [`license-file`](https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields))
  - website (`homepage`, `repository` or `documentation` from Cargo.toml)
- collecting licenses of dependencies
- collecting license exceptions of dependencies
- optional collection of development (only for direct dependencies) and build dependencies
  (by default, only normal dependencies are collected)
- optional limiting of dependencies to a specific platform (target and cfg options)

### Non-Features

- ready-to-use HTML template
  (every application has different needs)
- CLI tool (there are already great tools out there, see [Alternatives](#user-content-alternatives))
- manual override of wrong or incomplete data
  (this should instead be changed by the crate upstream)

## Accuracy

The mechanism this crate uses can never be exact.
For determining the licenses of a dependency,
only the `license` and `license-file` attributes of a Cargo manifest are used.
Similarly, the authors are also only pulled from the Cargo manifest.

Therefore, before using this crate,
you should always consult a legal professional about
whether its output meets the obligations of all licenses of your dependencies.
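
The following sketch shows why manifest-only collection is inexact. It is an added example, not code from this crate: `LicenseInfo`, `split_spdx` and `classify` are hypothetical names, the SPDX tokenizer is deliberately simplified, and preferring `license` when both fields are set is an assumption.

```rust
use std::collections::BTreeSet;

/// What a manifest says about a package's license (hypothetical model, not the crate's types).
#[derive(Debug, PartialEq)]
enum LicenseInfo {
    /// `license` is set: SPDX expression split into license and exception ids.
    Spdx { licenses: BTreeSet<String>, exceptions: BTreeSet<String> },
    /// Only `license-file` is set: the file at this path has to be embedded verbatim.
    File(String),
    /// Neither field is set: nothing can be collected automatically.
    Unknown,
}

/// Split an SPDX expression into ids; simplified, the ids are not validated.
fn split_spdx(expr: &str) -> (BTreeSet<String>, BTreeSet<String>) {
    let (mut licenses, mut exceptions) = (BTreeSet::new(), BTreeSet::new());
    let mut after_with = false;
    for tok in expr.split(|c: char| c.is_whitespace() || c == '(' || c == ')') {
        match tok {
            "" | "AND" | "OR" => {}
            "WITH" => after_with = true,
            // The identifier right after WITH names a license exception.
            id if after_with => { exceptions.insert(id.to_string()); after_with = false; }
            id => { licenses.insert(id.to_string()); }
        }
    }
    (licenses, exceptions)
}

/// Assumption: `license` takes precedence when both fields are present.
fn classify(license: Option<&str>, license_file: Option<&str>) -> LicenseInfo {
    match (license, license_file) {
        (Some(expr), _) => {
            let (licenses, exceptions) = split_spdx(expr);
            LicenseInfo::Spdx { licenses, exceptions }
        }
        (None, Some(path)) => LicenseInfo::File(path.to_string()),
        (None, None) => LicenseInfo::Unknown,
    }
}

fn main() {
    // Constructed sample data: (name, license, license-file)
    let deps: [(&str, Option<&str>, Option<&str>); 3] = [
        ("alpha", Some("(MIT OR Apache-2.0) AND Apache-2.0 WITH LLVM-exception"), None),
        ("beta", None, Some("LICENSE.txt")),
        ("gamma", None, None),
    ];
    for &(name, license, file) in &deps { println!("{name}: {:?}", classify(license, file)); }
}
```

Packages that end up as `Unknown`, or whose manifest data is wrong, are the ones that need manual review.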

## Alternatives

- [cargo-about](https://github.com/EmbarkStudios/cargo-about) is the initial inspiration for this project.
  It chooses a different approach and generates a static file from a handlebars template.
- [cargo-deny](https://github.com/EmbarkStudios/cargo-deny) is a linter for dependencies,
  including their licenses.
  It also offers the `cargo deny list` subcommand for listing all licenses of dependencies
  (and the dependencies that use them).
- [cargo-license](https://github.com/onur/cargo-license) outputs a list similar to `cargo deny list`,
  but has a more configurable output.
- [cargo-cyclonedx](https://github.com/CycloneDX/cyclonedx-rust-cargo) creates a [CycloneDX](https://cyclonedx.org/) SBOM for a crate.

None of the alternatives allow running at compile time (as a proc-macro)
and using the result at runtime.

## License

This project is available under the terms of the [MPL 2.0](./LICENSES/MPL-2.0.txt).
The exact details can be found in the header of each file.