* How to generate SPDX Information
@ 2017-11-28 13:57 Christian Ege
  2017-11-28 14:29 ` Joshua Watt
  0 siblings, 1 reply; 2+ messages in thread
From: Christian Ege @ 2017-11-28 13:57 UTC (permalink / raw)
  To: Yocto list discussion

Hello,

Due to the fact that there is a license troll who actively sues German
companies, I did some research to comply with the need to provide the
copyright information within my YOCTO builds. My research ended up
with the spdx.class which includes support for the fossology tool. But
the current version of fossology does not support the spdx plugin used
in the spdx.class anymore [1]. This plugin has not been updated in 4
years. As an alternative there is the DoSOCSv2 tool [2] for which a
patch by Lei Maohui exists which was not accepted and Lei ended up in
a separate layer called meta-spdxscanner [3].

So my specific question is, what are the recommended actions to comply
to provide copyright information with the sourcecode/binary? What is
the state of the art at the moment and how do the users of oe/yocto
solve this requirement?

Thanks in advance,
Christian

-- 
[1] https://github.com/FOSSology-SPDX/fossology-spdx
[2] https://github.com/DoSOCSv2/DoSOCSv2
[3] https://layers.openembedded.org/layerindex/branch/master/layer/meta-spdxscanner/



* Re: How to generate SPDX Information
  2017-11-28 13:57 How to generate SPDX Information Christian Ege
@ 2017-11-28 14:29 ` Joshua Watt
  0 siblings, 0 replies; 2+ messages in thread
From: Joshua Watt @ 2017-11-28 14:29 UTC (permalink / raw)
  To: Christian Ege, Yocto list discussion

On Tue, 2017-11-28 at 14:57 +0100, Christian Ege wrote:
> Hello,
> 
> Due to the fact that there is a license troll who actively sues German
> companies, I did some research to comply with the need to provide the
> copyright information within my YOCTO builds. My research ended up
> with the spdx.class which includes support for the fossology tool.
> But the current version of fossology does not support the spdx plugin
> used in the spdx.class anymore [1]. This plugin has not been updated
> in 4 years. As an alternative there is the DoSOCSv2 tool [2] for which
> a patch by Lei Maohui exists which was not accepted and Lei ended up
> in a separate layer called meta-spdxscanner [3].
> 
> So my specific question is, what are the recommended actions to
> comply to provide copyright information with the sourcecode/binary?
> What is the state of the art at the moment and how do the users of
> oe/yocto solve this requirement?

Not sure if it is the best method, but we include all the license
information in our (readonly) rootfs image by adding 

 COPY_LIC_MANIFEST = "1"
 COPY_LIC_DIRS = "1"

to local.conf. Our UI application then parses
/usr/share/common-licenses/license.manifest to show a scrollable list of
software with a short blurb for each like:
"licensed under one or more of the following licence(s): ${SPDX list
from license manifest}"

If the SPDX list contains the text "GPL" (and maybe some others, can't
remember right now), we add "Source code may be downloaded from
http://www.company.com/foss". We upload a monolithic tarball containing
all the GPL code to this site every release. This tarball is generated
by adding:

 INHERIT += "archiver"
 ARCHIVER_MODE[dumpdata] = "1"
 ARCHIVER_MODE[recipe] = "1"

to local.conf, then filtering out the copyleft software with some
post-processing scripts.

Finally, for each package, we add the text from the actual license
files for each package (from the directories under
/usr/share/common-licenses/<PACKAGE>/) so that the user can see the full
terms.

Not sure if it is the best method, but it works for us. I think it
covers all the license requirements (mainly, attribution and making the
copyleft source available).

> 
> Thanks in advance,
> Christian
> 
> -- 
> [1] https://github.com/FOSSology-SPDX/fossology-spdx
> [2] https://github.com/DoSOCSv2/DoSOCSv2
> [3] https://layers.openembedded.org/layerindex/branch/master/layer/meta-spdxscanner/
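
The manifest handling described in the reply above, as an added example that is not part of the thread and not the poster's application code. It assumes license.manifest consists of blank-line-separated stanzas with `PACKAGE NAME:` and `LICENSE:` fields; the sample data and function names are constructed for illustration.

```python
import re

# Constructed sample in the stanza layout assumed for license.manifest
# ("FIELD: value" lines, one blank line between packages).
SAMPLE_MANIFEST = """\
PACKAGE NAME: busybox
PACKAGE VERSION: 1.24.1
RECIPE NAME: busybox
LICENSE: GPLv2 & bzip2

PACKAGE NAME: libz1
PACKAGE VERSION: 1.2.8
RECIPE NAME: zlib
LICENSE: Zlib

PACKAGE NAME: libgcrypt
PACKAGE VERSION: 1.7.3
RECIPE NAME: libgcrypt
LICENSE: GPLv2+ & LGPLv2.1+
"""

SOURCE_NOTICE = "Source code may be downloaded from http://www.company.com/foss"


def parse_manifest(text):
    """Return one dict per package stanza, keyed by the manifest field names."""
    packages = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in
                  (ln.split(":", 1) for ln in stanza.splitlines() if ":" in ln)}
        if "PACKAGE NAME" in fields:
            packages.append(fields)
    return packages


def license_ids(expression):
    """Split a LICENSE expression such as 'GPLv2+ & (MIT | BSD)' into identifiers."""
    return [tok for tok in re.split(r"[&|()\s]+", expression) if tok]


def blurb(pkg):
    """Build the per-package UI text; add the source notice for GPL-family licenses."""
    ids = license_ids(pkg.get("LICENSE", ""))
    text = "%s: licensed under one or more of the following licence(s): %s" % (
        pkg["PACKAGE NAME"], ", ".join(ids))
    # Substring match, as in the reply: this also catches LGPL and AGPL.
    if any("GPL" in i for i in ids):
        text += ". " + SOURCE_NOTICE
    return text
```

On a target, `parse_manifest` would be fed the contents of /usr/share/common-licenses/license.manifest instead of the embedded sample.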

