Re: OpenChain for projects

Kate Stewart

On Wed, Jan 25, 2017 at 1:27 PM, Matija Šuklje <matija@...> wrote:
On 25. 01. 17 at 19.12.09 Jilayne Lovejoy wrote:
> If upstream projects generated SPDX docs or at least, were
> diligent about putting license information in a format that makes it easy
> to compile into an SPDX document (e.g., using SPDX license identifiers in
> each source file, as recommended in Appendix V of the SPDX spec, v2.1 -
> https://spdx.org/spdx-specification-21-web-version#h.twlc0ztnng3b) then
> some of the issues that come up later downstream would be resolved.
> Likewise, if upstream project didn’t do this, but companies downstream do
> this diligence (which we all know, many of us spend a fair amount of
> effort doing so) generated an SPDX document, and then made that publicly
> available… well, that would help.

This is of course very true. But it leaves open the question of how we can
motivate the upstream FOSS projects to generate the SPDX files or at the very
least properly mark the licenses of the source code (preferably with SPDX
identifiers).

The first step is to make sure they have an open source, freely available tool
to help them. FOSSology generating SPDX has been a big step forward
in the last year. Before that there were only commercial offerings, which wouldn't
work for upstream communities.

I know some of us on this list do, in our private time, ask (and assist)
projects to at least somewhat properly mark the licenses of their projects –
and even that is not an easy task to achieve in some cases.

One option would be intermediaries such as distributions and code repository
providers. Some distributions already do this to some extent (e.g. Debian,
Gentoo … I’m pretty sure the commercial distros as well), but 1) the data
quality still depends on the upstream,

Improving the transparency about the quality of licensing in upstream projects
by providing them free tools is a step to improve this. They are after all the
ones that can authoritatively fix any problems that automatic scanners can't recognize.

We had a bit of a breakthrough last year when GitHub included the SPDX identifiers
in their license API associated with projects.
 
2) I don’t think any of them distribute
the SPDX files as well (does Debian do so already?),

Debsources stores the information to be able to generate SPDX files,
and Debian has recognized the SPDX license identifiers since the start. 

Fedora/Red Hat is contemplating (at least there have been some discussions)
on standardizing on the SPDX license identifiers but hasn't committed to doing it yet.

Yocto has been prototyping generating SPDX files for a couple of years, and
there are new tools emerging to help this effort (i.e. see the ELC talk about LiD next
month, for instance...)

and 3) it’s still a
humongous cost of resources, which someone has to cover.

It's a step-by-step, "we add what we can to reduce the cost for everyone" type of activity.
Each contributes what they can (and scratches their own itch), and eventually we'll
get the automation working as it should.

Thomas and I will be talking about this topic in our FOSDEM talk. We've
got some ideas on how to help solve this problem we'll be presenting.
Happy to collaborate with others who have ideas on how to move this along further. ;-)

Thanks, Kate



cheers,
Matija
--
gsm:    tel:+386.41.849.552
www:    http://matija.suklje.name
xmpp:   matija.suklje@...
sip:    sip:matija_suklje@...

_______________________________________________
OpenChain mailing list
OpenChain@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/openchain
--
Kate Stewart
Sr. Director of Strategic Programs,  The Linux Foundation
Mobile: +1.512.657.3669
Email / Google Talk: kstewart@...
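Jilayne's point about marking every source file per Appendix V of the SPDX spec, as an added example that is not part of this thread: a small Python checker that reads the SPDX-License-Identifier tag from each file header, lists the license expressions a downstream SPDX document generator could pick up, and flags files that are still unmarked. The sample tree it builds is constructed for the demo; the file extensions and header depth are assumptions.

```python
"""Check a source tree for the per-file SPDX-License-Identifier tags that
Appendix V of the SPDX 2.1 spec recommends (added example, not from the thread)."""
import os
import re
import tempfile

# Tag syntax from the spec: "SPDX-License-Identifier: <license expression>",
# usually in a comment near the top of the file; comment closers like "*/" are
# excluded from the captured expression.
TAG_RE = re.compile(r"SPDX-License-Identifier:\s*([^\s*/#]+(?:\s+(?:AND|OR|WITH)\s+[^\s*/#]+)*)")
HEADER_LINES = 10  # only the file header is consulted, as scanners do (assumption)

def find_tag(path):
    """Return the license expression declared in the file header, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for _, line in zip(range(HEADER_LINES), fh):
            match = TAG_RE.search(line)
            if match:
                return match.group(1).strip()
    return None

def scan_tree(root, exts=(".c", ".h", ".py", ".js")):
    """Map each source file (path relative to root) to its tag, None if missing."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = find_tag(full)
    return result

def summarise(scan):
    """Split a scan into license expressions found and files still unmarked."""
    licenses = sorted({tag for tag in scan.values() if tag})
    unmarked = sorted(path for path, tag in scan.items() if tag is None)
    return {"licenses": licenses, "unmarked": unmarked}

def demo():
    """Constructed sample tree: two tagged files and one with no header."""
    root = tempfile.mkdtemp()
    samples = {
        "main.c": "/* SPDX-License-Identifier: GPL-2.0-or-later */\nint main(void) { return 0; }\n",
        "util.py": "# SPDX-License-Identifier: MIT OR Apache-2.0\nx = 1\n",
        "legacy.c": "/* no license header at all */\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return summarise(scan_tree(root))
```

The "unmarked" list is the work item to hand back upstream, since only the project can authoritatively state what a scanner cannot infer.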