Package License Metadata for Tooling

Andreas Cord-Landwehr cordlandwehr at kde.org
Tue Jun 22 20:26:14 BST 2021


Hi, here is a short wrap-up of today's BoF
(active participants*: Helio, Volker, Johan, me)

The whole topic about license checking can be grouped into three areas:

1. Correct statements of copyright & license information in source files
- we think that we are on track here with our REUSE/SPDX statements
- it is agreed that it is not a big problem that we do not have full REUSE 
compliance in most of the older repositories (specifically, missing license 
information in build system config files)

2. Statement of outbound licenses == what is the license of a compiled lib or 
application?
- we discussed the option to extend our yaml files with license information 
about the specific artifacts
- if the artifacts are too complicated, a fallback could be to look folder-wise 
(though that would have several drawbacks)
- outbound license information in the yaml files could be helpful input for 
packagers; it will definitely help for Yocto packaging and for Helio's tooling

3. Full distribution check of dependencies
- question here: if our lib links to another lib, is this legally right?
- we got the insight that this very much depends on the precise versions at 
compile time (because licenses of libs may change; e.g., see openssl)
- for now we excluded the correctness checks of interdependencies of such 
licenses of different libs
- what is thinkable right now: CMake could generate a list of dependencies 
with the precise versions as they are used for configuration/compilation

Next Steps:
1. come up with a proposal how yaml files could be extended to state artifact 
licenses
2. Helio will check how helpful the existing yaml metadata are already for his 
tooling

Stretch:
3. check if existing ECM outbound license check tooling can be adapted to use 
the metadata from the yaml files
4. integrate updated metadata files into Yocto tooling to get rid of manual 
maintenance :)

Cheers,
Andreas

* == unmuted themselves at least once :)

On Tuesday, 22 June 2021 08:29:11 CEST Andreas Cord-Landwehr wrote:
> Hi, yesterday morning Helio and I had an interesting discussion about
> metadata for license check tooling. There are a few different use cases:
> 
> - Helio needs those for his FOSS license tooling
> - I would really like to improve the generation of Yocto license metadata,
> which we currently have to keep in sync manually
> - maybe this is something that distros would also like to use in their QA
> processes...
> 
> Bottom line, we ended in scheduling a BoF for this evening (Tuesday), 6 PM
> (UTC) i.e. 8 PM in Berlin time.
> 
> Key question is: Do we see a convenient way to generate package metadata for
> the binary artifacts and/or dependencies to other libraries without
> creating a horrible maintenance burden?
> 
> Cheers,
> Andreas
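
The consistency check that items 1 and 2 above circle around (do the SPDX headers of an artifact's source files fit the outbound license declared for that artifact?) is sketched below as an added example. It is not KDE's tooling, not the ECM outbound license check, and not legal advice: the `outbound-license` key standing in for the proposed yaml extension, the sample files and the small compatibility table are all assumptions made for this illustration. It also handles the two failure modes the notes mention implicitly, a file with no SPDX header at all and a dual-licensed (`OR`) header.

```python
"""Check a declared outbound license against the SPDX headers of an artifact's sources.

Added example, not KDE's own tooling, not the ECM outbound-license check, and not
legal advice. The metadata mapping, the sample files and COMPATIBLE are constructed
for this illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Matches the SPDX header line used by REUSE; the expression runs to end of line.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*$", re.MULTILINE)

# Illustrative table: which inbound identifiers may appear in an artifact that is
# shipped under the given outbound license. Deliberately small and an assumption;
# a real tool would use a vetted matrix.
COMPATIBLE: Dict[str, Set[str]] = {
    "MIT": {"MIT"},
    "BSD-3-Clause": {"MIT", "BSD-2-Clause", "BSD-3-Clause"},
    "LGPL-2.1-or-later": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "LGPL-2.1-or-later"},
    "GPL-2.0-or-later": {"MIT", "BSD-2-Clause", "BSD-3-Clause",
                         "LGPL-2.1-or-later", "GPL-2.0-or-later"},
}


def inbound_licenses(content: str) -> List[str]:
    """Return every SPDX-License-Identifier expression found in one file."""
    return [m.group(1).strip() for m in SPDX_RE.finditer(content)]


def expression_allowed(expr: str, allowed: Set[str]) -> bool:
    """Evaluate a flat SPDX expression: alternatives joined by OR, conjuncts by AND.

    A dual-licensed file is fine if any alternative is allowed; an AND requires all
    parts. Parenthesised expressions are not parsed and are reported as not allowed
    rather than silently accepted.
    """
    if "(" in expr or ")" in expr:
        return False
    return any(
        all(term.strip() in allowed for term in alt.split(" AND "))
        for alt in expr.split(" OR ")
    )


def check_artifact(outbound: str, sources: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, problem) findings; an empty list means every source file's
    header is consistent with the declared outbound license under COMPATIBLE."""
    allowed = COMPATIBLE.get(outbound)
    if allowed is None:
        return [("<metadata>", f"unknown outbound license {outbound!r}")]
    findings: List[Tuple[str, str]] = []
    for path, content in sorted(sources.items()):
        exprs = inbound_licenses(content)
        if not exprs:
            # Missing header: the file's license is unknown, so the artifact's
            # outbound statement cannot be verified.
            findings.append((path, "no SPDX-License-Identifier header"))
            continue
        for expr in exprs:
            if not expression_allowed(expr, allowed):
                findings.append((path, f"{expr!r} not compatible with outbound {outbound!r}"))
    return findings


# Constructed sample input (hypothetical metadata and files, not real KDE sources).
ARTIFACT_METADATA = {
    "name": "libexample",
    "outbound-license": "LGPL-2.1-or-later",   # hypothetical key for the yaml extension
}
SAMPLE_SOURCES = {
    "src/parser.cpp": "// SPDX-FileCopyrightText: 2021 A. Person\n"
                      "// SPDX-License-Identifier: LGPL-2.1-or-later\n",
    "src/util.cpp":   "// SPDX-License-Identifier: MIT\n",
    "src/dual.cpp":   "// SPDX-License-Identifier: GPL-2.0-only OR LGPL-2.1-or-later\n",
    "src/strict.cpp": "// SPDX-License-Identifier: GPL-2.0-or-later\n",
    "CMakeLists.txt": "project(libexample)\n",
}

if __name__ == "__main__":
    for path, problem in check_artifact(ARTIFACT_METADATA["outbound-license"], SAMPLE_SOURCES):
        print(f"{path}: {problem}")
```

Run as-is it reports two findings: CMakeLists.txt has no header (the "missing license information in build system config files" case from item 1), and src/strict.cpp carries a GPL-2.0-or-later header that cannot sit inside an LGPL-2.1-or-later artifact; the dual-licensed file passes because one of its alternatives is allowed.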