[Buildroot] [RFC 0/2] script to find package licenses

Khem Raj raj.khem at gmail.com
Fri Aug 5 02:03:28 UTC 2016 


On 8/4/16 9:33 AM, Thomas Petazzoni wrote:
> Hello,
> 
> On Thu, 4 Aug 2016 19:46:02 +0530, Rahul Bedarkar wrote:
> 
>> Legal information is a kind of thing that we can't automate completely.
>> But we want it to be correct when new package is added or version bumps.
>>
>> This patch set attempts to add a script to find license information from
>> package source files to verify or correct legal info for buildroot packages.
>>
>> Legal information may get outdated with version bumps or even may not get
>> correct in first place if source package does not provide any license files.
>> In such cases, we need to look into file header to get that information.
>> But it could be very difficult if there are number of source files.
>>
>> find-licenses script scans package source files for known licenses to
>> find under which license package is released. It aggregates license
>> information for all source files found in a package.
>>
>> For finding license, we rely on file's license header. Generally
>> most of packages use standard license headers which helps us to detect
>> license of packages.
>>
>> Currently it supports notable licenses. But we can later add other
>> licenses based on regx.
>>
>> Script outputs licenses found on standard output file-wise, directory-
>> wise and final aggregation of all licenses found. It also lists files
>> which don't have license header. Directory-wise license listing will be
>> useful when different components are licensed under different license.
>>
>> Since final license list is just aggregation of licenses found for all
>> source files, we can not surely say if package is dual or
>> multi-licensed or different components are licensed under different
>> license. That's why we can't use final license list directly in our
>> package .mk file, but it at least helps us to find or verify license
>> information quickly.
> 
> Thanks for this proposal. However, there are already some tools that do
> the same thing I believe. I'm thinking especially at the tools used by
> the Fossology project (https://www.fossology.org/). It is surely more
> complicated to install and use that your Python script, but it is also
> a lot more complete, and even more importantly: maintained by other
> people.

And SPDX. Something like this

https://spdx.org/tools/community/fossologyspdx

would be quite apt.

> 
> Best regards,
> 
> Thomas
>

More information about the buildroot mailing list