Discovery: Add classifications and compliance selection to license list
Problem
Currently, in order to mark a license as blacklisted or approved (or unclassified), the admin user has to manually add the license and classification to the “License Management” settings area. This is a manual process and a significant burden on the user to set up. Also, consider projects that already have licenses in them, in which case the admin user would have no awareness of these already committed licenses when applying the classification in the setup area.
Proposal in-progress
Leverage the license list (https://gitlab.com/gitlab-org/gitlab-ee/issues/13582), which displays the licenses already present in a project, by allowing the admin user to apply a classification to the license(s) already committed in the project. Also allow the admin to proactively add new license(s), with their corresponding classifications, to the list. These classifications will then display in the non-maintainer view, giving the team awareness of the project's compliance policies.
Discovery progress:
- Discovery foundations work-in-progress: includes details about current UI, related work, and key considerations
- UX/Product discovery review
- UX/Eng discovery kickoff part 1 and 2
- Discussion with @marin about internal LC build
- Related UX research: ux-research#360 (closed)
- MVC review with UX/BE/FE
- Eng/UX implementation planning session
- Team writes up needed implementation issues
- Team reviewed outcome issues, if all looks good: closing issue
MVC under review
Design mockups (images not reproduced): Developer view, Maintainer view, Add license and policy flow, License-Check
📓 Design annotations and notes
Developer view
1a. Developer view: list displays licenses detected in the project, with matching policy when defined by the admin. Notable changes to existing UI:
- Subtext changes to “findings based on the latest pipeline scan • 2 weeks ago”
- Navigation displays “detected in project” and “Policies” tabs
- Search ability by license name (already exists on list seen in Project>Settings>CI/CD>License Compliance / using the same behavior: license name search)
- Policy classifications are displayed, per admin entry
1b. Developer view: list displays licenses that have policy assigned by project’s admin/maintainer. The UI is adopting the non-maintainer view seen in Project>Settings>CI/CD>License Compliance
- Subtext under header changes to “Policies designated in this project”
- Name and policy column headers
Maintainer view
2a. Maintainer or above UI view: list displays licenses detected in the project, with the affiliated policy (if one is assigned) and the ability to assign a policy to a license (by dropdown)
- User has the ability to select policy, similar to on the policies tab (2b)
- Licenses are classified as “unclassified” by default
- The drop down includes classification icons
2b. Maintainer or above UI view: list displays policies, that is, licenses that have been added with a classification.
- UI similar/mirrors the UI and behavior seen in the Project>Settings>CI/CD>License Compliance
- UI difference from existing list is the dropdown with the icon and the new classification name options
- The list is removed from Project>Settings>CI/CD>License Compliance
Adding license and policy
ii. UI when prompted by user selecting “add license”. This UI nearly mirrors the UI and behavior seen in the Project>Settings>CI/CD>License Compliance (maintainer).
UI notes to ii UI:
- Input title for adding license states: “Add license”
- Adding policy input title states: “Specify policy”
- The options for specifying a policy include “unclassified”
- Ability to add a note, further details in this issue: #10534 (comment 208540926)
- CTA button text is “add”
iii. Once the user selects a license name and a policy, the CTA becomes active.
iv. License added (completed): the display includes the note the user added to the policy.
Activate License-Check
Overall, we are leveraging the existing License-Check functionality. The “License-Check” CTA activates the modal view seen in Settings>General>Merge request approvers (shown when clicking “edit”).
- Removes the “name” field since it is already known
- Updated header title
- Added “learn more about License-Check”, linking to the documentation
- When active (one or more approvers required), a confirmation is shown in the LC UI
- This issue: #32149 (closed) could be replaced with this proposal
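The MVC above merges three things: the licenses a pipeline scan detected, the policies a maintainer assigned (unclassified by default), and the License-Check approval rule that is active when one or more approvers are required. The model below is an added illustration of that flow, not GitLab's code; it assumes detected licenses arrive as a plain list of names and that policies are kept as a name to (classification, note) mapping, neither of which the issue specifies.

```python
# Added illustration of the MVC above; not GitLab's code. Assumptions (not on the
# page): detected licenses arrive as a list of names from the pipeline scan, and
# policies are kept as a name -> (classification, note) mapping.
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLASSIFICATIONS = ("approved", "blacklisted", "unclassified")
Policies = Dict[str, Tuple[str, str]]  # license name -> (classification, note)


@dataclass(frozen=True)
class LicenseRow:
    name: str
    classification: str
    note: str = ""


def set_policy(policies: Policies, name: str, classification: str, note: str = "") -> Policies:
    """Maintainer 'Add license' + 'Specify policy' flow; returns an updated copy."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification!r}")
    updated = dict(policies)
    updated[name] = (classification, note)
    return updated


def detected_view(detected: List[str], policies: Policies) -> List[LicenseRow]:
    """'Detected in project' tab: every scanned license, unclassified unless a policy exists."""
    return [LicenseRow(name, *policies.get(name, ("unclassified", ""))) for name in detected]


def policies_view(policies: Policies) -> List[LicenseRow]:
    """'Policies' tab: only licenses a maintainer has classified, sorted by name."""
    return [LicenseRow(n, c, note) for n, (c, note) in sorted(policies.items())]


def license_check_requires_approval(detected: List[str], policies: Policies,
                                    approvers_required: int) -> bool:
    """License-Check rule: inactive unless 1+ approvers are required; when active,
    any detected blacklisted license means the merge request needs that approval."""
    if approvers_required < 1:
        return False
    return any(r.classification == "blacklisted" for r in detected_view(detected, policies))


# Constructed sample data (not from the page).
DETECTED = ["MIT", "Apache-2.0", "GPL-3.0"]
POLICIES: Policies = set_policy({}, "MIT", "approved")
POLICIES = set_policy(POLICIES, "GPL-3.0", "blacklisted", "copyleft; needs legal review")
```

With the sample data, Apache-2.0 shows as unclassified on the detected tab, only MIT and GPL-3.0 appear on the policies tab, and License-Check with one approver flags the merge request because GPL-3.0 is blacklisted.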
🤔 Post MVC concepts and improvements to consider
Displaying liabilities | List drawer | Applying classifications improvement |
---|---|---|
Licenses have liabilities such as copyrights, notices, and giving credit to the author. This concept surfaces these items in the UI, which simplifies the UX by displaying the most relevant data the user would otherwise have to collect one by one. This creates a compliance checklist of items that need to be addressed. | This leverages the drawer component gitlab-design#559 (closed) for improved UX when a user is reviewing licenses. The drawer allows us to display more information, such as license details (vs. the user having to go to an outside URL), liabilities, the policy assigned (or, at maintainer level, specifying the policy), and affiliated components. Issue: #12682 (closed) (could also be used on the dependency list) | In the MVC, adding license classifications requires the user to do it one by one. For large projects there will be many licenses and the UI will need to simplify the process. This categorizes the licenses in a familiar UI (si), and the user may multi-select and add licenses to the correct category quickly. |
Compatible matrices for various licenses:
- http://gplv3.fsf.org/wiki/index.php/Compatible_licenses
- https://en.wikipedia.org/wiki/License_compatibility
- https://en.wikipedia.org/wiki/GNU_General_Public_License#Compatibility_and_multi-licensing
- https://janelia-flyem.github.io/licenses.html
Early design iterations
Discovery Outcomes
%12.5
- #34180 (closed): Refactor License Management UI to be more reusable
- #14061 (closed): Add classifications selection and policies to license compliance. This issue is the first step to adding policies to the license compliance list. It focuses mostly on changing the information architecture, that is, merging the new license list with the existing LC section found in settings.
  - Closed as duplicate: Make it possible to add a new license rule from the license list #34171 (closed) and Add new policy tab to license list #34179 (closed)
- #33868 (closed): Update license classification names in merge request UI. This issue updates the license names seen in the MR, per this issue #12937 (closed). #14061 (closed) will update the new names in the policies section.
- Research follow-up issue (issue coming soon)
  - Recommend scheduling for %12.5 or %12.6, TBD per issue write-up
  - Now that we've added policies and detected licenses in one section, let's learn about users' perception and answer the following questions: what do they like? What doesn't make sense? What could be improved? What are their expectations for the classification names?
- #13137: Include classification with license name in dependency list
%12.6
- #33870 (closed): Add policies to licenses detected in a project. Applies policy classification to licenses detected in projects, when applicable.
  - Closed duplicate: #34143 (closed) Add classifications and compliance display and editing to license list "detected in project"
- #32149 (closed): Display 'License-Check' approval rule in the license compliance section. Displays the status of the License-Check approval rule in the new license compliance section (user awareness when activated). Additionally, a maintainer may enable, edit, or turn the feature on/off directly from this section (the same place that policies are added).
  - Closed duplicate: #34175 (closed) Activate and edit License Check rules
- #12685 (closed): LC: user awareness if setup configuration is not complete. This will be updated per the results of this issue #13992 (closed).
- #34209 (closed): Add SPDX licenses to license compliance. Based on Mo's work on license names, this expands the selection of available licenses a user may add to their policies.
- #34210: Discovery: obligations concepts. This issue is a discovery to explore how we can surface license obligations. Obligations are requirements written into a license that must be followed when the licensed work is used, such as copyright rules and disclosing source/author.