[RFC] add API to check license compatibility

[nicolas-grekas]

Ensuring that deps in vendor/ have a license compatible with the root project is a tough task.

Other projects exist in js/Rust/Ruby/etc. I computed the following list of interest:

• https://github.com/HansHammel/license-compatibility-checker/
• https://github.com/jpvillaisaza/licensor
• https://github.com/timelsass/wp-license-compatibility/
• https://github.com/Nemo157/cargo-lichking/blob/
• https://github.com/librariesio/license-compatibility/

Later on, we could build a composer plugin like this on top:

• https://github.com/codepunkt/webpack-license-plugin/

This could be a great contribution if anyone is up to learn about the topic and contribute a PR here, if the maintainers agree?

Help wanted.

[kalessil]

Some time ago I've released a package which covers these topics (also ensures dev-deps are not in require-section): https://github.com/kalessil/production-dependencies-guard

[jdrieghe]

We did something similar here, feel free to use as inspiration: https://github.com/madewithlove/license-checker-php

[nicolas-grekas]

Related: https://gitlab.com/metasyntactical/composer-plugin-license-check

[nicolas-grekas]

Note that this RFC is specifically about providing a license compatibility checker.

Plugins that work based on deny/allow lists are out of this initial scope (but could be built/improved on top of this API).

https://github.com/HansHammel/license-compatibility-checker/ looks the most promising for us, with this chart showing what the logic could encode: