Ocideck/docs/LICENSE_COMPLIANCE.md
Brenno de Winter 2d8be6f0dd
Add project docs, EUPL licence, and open-source licence check
Documentation & licensing:
- Add the EUPL-1.2 licence (LICENSE.md) and set the project licence; refresh
  the README (name origin wink, updated feature list, documentation index).
- Add CONTRIBUTING, SECURITY, CODE_OF_CONDUCT, CHANGELOG, AUTHORS, and
  THIRD_PARTY_NOTICES, plus docs/ (ARCHITECTURE, BUILD, USER_GUIDE, SHORTCUTS,
  LICENSE_COMPLIANCE) and .github/ (CI workflow, issue/PR templates).
- Bring docs/FILE_FORMAT.md in line with current behaviour (code & chart
  slides, per-slide TLP comment, annotation .ink.json sidecar, chart data/ CSVs).

Open-source compliance:
- Add tool/check_licenses.dart and a `make licenses` target (wired into
  check-full and CI) that verifies every resolved dependency uses a recognised
  open-source licence. A scan of all 151 packages and bundled assets found only
  OSI-approved licences.

Charts (Fase 1.1):
- Replace the chart CSV textarea with an in-app editable data grid (editable
  series/labels/values, add/remove row & column, read-only when linked).
- Centralize the linked-CSV directory name (`data/`) in a shared constant.

Also normalize formatting repo-wide with `dart format` and fix one
curly-braces lint, so `make check` and CI are green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-07 12:19:56 +02:00


OciDeck — Open-Source Licence Compliance

OciDeck is released under the EUPL-1.2 (see ../LICENSE.md). This document records the policy that the project only includes open-source software, how that is verified, and the result of the latest check.

Policy

Every dependency and every bundled asset must be available under an OSI-approved open-source licence. No proprietary or source-unavailable components are shipped.

Accepted licence families: MIT, BSD (2-/3-Clause), Apache-2.0, MPL-2.0, ISC, Zlib, BSL-1.0, Unlicense, SIL OFL-1.1, CC0 (and EUPL-1.2 for OciDeck itself). Anything else — in particular GPL/AGPL/LGPL or a missing/unknown licence — is flagged for review before it can be added.

How to verify (repeatable)

A script scans the resolved package graph (direct and transitive) and classifies each licence:

make licenses          # or: dart run tool/check_licenses.dart

It exits non-zero if any package has an unrecognised or non-open-source licence, so it also runs as part of `make check-full` and can be wired into CI.

The script reads each package's LICENSE file from `.dart_tool/package_config.json`, so run `flutter pub get` first. Re-run it whenever dependencies change.
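The check described above, sketched as an added example in Python so it can act as an independent cross-check; it is not the project's `tool/check_licenses.dart`. The marker phrases, the function names (`classify`, `package_root`, `scan`, `violations`) and the reduced accepted set are assumptions made for illustration.

```python
import json, sys
from pathlib import Path
from urllib.parse import unquote, urlparse

# Constructed heuristic: distinctive phrases mapped to licence identifiers.
MARKERS = [
    ("European Union Public Licence", "EUPL-1.2"),
    ("GNU Affero General Public License", "AGPL"),
    ("GNU Lesser General Public License", "LGPL"),
    ("GNU General Public License", "GPL"),
    ("Mozilla Public License", "MPL-2.0"),
    ("Apache License", "Apache-2.0"),
    ("Boost Software License", "BSL-1.0"),
    ("Permission is hereby granted, free of charge", "MIT"),
    ("Redistribution and use in source and binary forms", "BSD"),
]
ACCEPTED = {"EUPL-1.2", "MPL-2.0", "Apache-2.0", "BSL-1.0", "MIT", "BSD"}  # subset of the policy

def classify(text):
    # Earliest marker wins: the MPL-2.0 and EUPL texts name the GPL family further down.
    folded = " ".join(text.split()).lower()
    hits = [(folded.find(p.lower()), lic) for p, lic in MARKERS if p.lower() in folded]
    return min(hits)[1] if hits else "unknown"

def package_root(config_path, root_uri):
    # rootUri is a file: URI or a path relative to the config file (POSIX paths assumed).
    if root_uri.startswith("file:"):
        return Path(unquote(urlparse(root_uri).path))
    return (config_path.parent / unquote(root_uri)).resolve()

def scan(config_path):
    # Map package name -> licence id; "missing" when the package ships no licence file.
    result = {}
    for pkg in json.loads(config_path.read_text())["packages"]:
        root = package_root(config_path, pkg["rootUri"])
        found = [root / n for n in ("LICENSE", "LICENSE.md", "LICENSE.txt") if (root / n).is_file()]
        result[pkg["name"]] = classify(found[0].read_text(errors="replace")) if found else "missing"
    return result

def violations(result):
    # Fail closed: anything not explicitly accepted (copyleft, unknown, missing) is flagged.
    return {name: lic for name, lic in result.items() if lic not in ACCEPTED}

if __name__ == "__main__":
    cfg = Path(sys.argv[1] if len(sys.argv) > 1 else ".dart_tool/package_config.json")
    if not cfg.is_file():
        sys.exit(f"{cfg} not found; run flutter pub get first")
    bad = violations(scan(cfg))
    # A non-empty message makes sys.exit print it to stderr and return status 1.
    sys.exit("\n".join(f"FLAGGED {n}: {l}" for n, l in sorted(bad.items())) or 0)
```

Phrase matching only identifies the licence family, so a flagged or surprising result still needs a human look at the actual licence file.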

Bundled (non-package) runtime assets — the JavaScript inlined into the HTML export and the bundled font — are tracked by hand in ../THIRD_PARTY_NOTICES.md.

Latest result

All 151 resolved packages use recognised open-source licences:

| Count | Licence |
|------:|---------|
| 108 | BSD-3-Clause |
| 30 | MIT |
| 9 | Apache-2.0 |
| 1 | MPL-2.0 (dbus, Linux only) |
| 1 | BSD |
| 1 | BSL-1.0 |
| 1 | EUPL-1.2 (OciDeck itself) |

Bundled assets: marked (MIT), highlight.js (BSD-3-Clause), Mermaid (MIT, bundling DOMPurify under Apache-2.0/MPL-2.0), MathJax (Apache-2.0), and the EB Garamond font (SIL OFL-1.1, see assets/fonts/OFL.txt). The OciDeck-owned brand images in assets/images/ and the theme in assets/themes/ are the project's own work.

Conclusion: no non-open-source software is included.

A note on Apache-2.0 and the EUPL

A few components are Apache-2.0 (e.g. MathJax in the HTML export, and some Dart packages). Using Apache-2.0 libraries as unmodified dependencies in an EUPL-1.2 work is fine. Note, however, that Apache-2.0 is not on the EUPL's list of "compatible licences" (which governs the outbound relicensing of derivative works under Article 5 EUPL). This only matters if you create a combined derivative work that must be relicensed; it does not affect bundling these libraries as-is. If you need formal certainty for a specific distribution scenario, have it confirmed by someone with licence expertise.