2. LICENSES: Every opam package comes with a license which should help companies to choose which ones to use.  For the problem Hongbo mentioned, maybe one could develop a tool that does the following: given a white-list of licenses that the company has agreed are OK (e.g. ISC) and a list of opam packages, the tool would warn if any of the (recursive) dependencies does not have a “good” license.

Here is an example of a script that provides (almost) such a tool:

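```
# Root package(s) whose recursive dependencies are listed
PACKAGES=irmin
# Print "<package> <license>" for every recursive dependency
for p in $(opam list --recursive --short --sort --required-by "$PACKAGES"); do
   echo "$p $(opam show "$p" -f license)"
done
```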
 
The names of the licenses could probably be standardized a bit to make it easier to come up with white-lists.
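The missing half of the tool described above, as an added example that is not part of the original post: a filter that reads the `<package> <license>` lines the script prints and warns about every dependency whose license is missing or not on the allow-list. The `ALLOWED` list, the function name `check_licenses` and the sample package lines are constructed for illustration, and stripping double quotes from the license field is an assumption about how the field may be printed.

```shell
#!/bin/sh
# Added example: allow-list check over "<package> <license>" lines.
# ALLOWED is a constructed allow-list; replace it with the licenses
# your company has actually approved.
ALLOWED="ISC MIT BSD-3-Clause"

# check_licenses: reads "<package> <license...>" lines on stdin, prints one
# warning per package whose license is missing or not in $ALLOWED, and
# returns 1 if any warning was printed (0 otherwise).
check_licenses() {
    bad=0
    while read -r pkg lic; do
        # Skip blank lines.
        if [ -z "$pkg" ]; then continue; fi
        # Strip double quotes in case the field is printed quoted (assumption).
        lic=$(printf '%s' "$lic" | tr -d '"')
        if [ -z "$lic" ]; then
            echo "WARNING: $pkg has no license field"
            bad=1
            continue
        fi
        ok=0
        for a in $ALLOWED; do
            if [ "$lic" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "WARNING: $pkg uses non-allow-listed license: $lic"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input (not real opam output). With opam installed,
# pipe the output of the for-loop from the post into check_licenses instead.
check_licenses <<'EOF' || echo "license check failed"
irmin ISC
example-gpl GPL-3.0-only
example-nolicense
EOF
```

Because the match is an exact string comparison, a package that spells its license differently from the allow-list entry is reported, which is where standardized license names would help.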