Re: OpenChain for projects

Kate Stewart

Hi Jeremiah,
On Wed, Jan 25, 2017 at 1:53 PM, Jeremiah Foster <jeremiah.foster@...> wrote:

> One interesting thing here is that Debian has all the metadata required already for generating SPDX files:

DEP5 isn't quite SPDX, it's missing a few fields, but is certainly very similar to the SPDX tag:value format. In fact, we effectively started with DEP5 and added fields to it that the lawyers felt essential to accurately capture the information and be able to tell if a file in the project has been updated or not since the licensing information was generated.

> Debian has captured all the necessary fields though to generate SPDX files in the debsources project last year. [1]
> All one needs is a tool to go over the metadata and create an SPDX file. I think there may be a tool to do that in Debian already in fact, but if not it should be pretty easy. Then, once you can do this from Debian you'd be able to do it for the Debian derivatives (Ubuntu, Mint, etc.) which would cover a lot of the distro space.

Agree with you, if Debian starts generating SPDX as part of builds automatically, the distros will pick it up, esp. if their customers start asking for it (via OpenChain). However we're going to need a proof of concept, and get FOSSology more robust interacting with the command line to make this possible. Step by open source step.... ;-)
