From: Jan-Simon Moeller <dl9pf@gmx.de>
To: "OE Core (openembedded-core@lists.openembedded.org)"
<openembedded-core@lists.openembedded.org>
Cc: Joshua Watt <jpew.hacker@gmail.com>,
Scott Murray <scott.murray@konsulko.com>
Subject: Re: [OE-core] [PATCH v2] create-spdx: Get SPDX-License-Identifier from source
Date: Tue, 08 Feb 2022 14:19:51 +0100 [thread overview]
Message-ID: <2518421.NRruQZ00Rg@monster> (raw)
In-Reply-To: <dc177cfd-50c2-33e2-bd3c-b33d65ee35@spiteful.org>
Hi all
> > Can you given an overview of what meta-spdxscanner does? I'm not quite
> > clear what extra processing would be required here.
>
> Jan-Simon can talk to it better, as he's done some dev work on the layer
> and done tests with it against AGL (and the subsequent Fossology instance
> experimentation), but AFAIK for the actual scanning scancode-toolkit
> does pattern matching based license detection, so in theory it'll catch
> excerpts of or slightly modified versions of the licenses in its
> database, as opposed to just searching for SPDX-License-Identifier
> declarations. If everyone else is happy with the latter, I'm willing to
> believe I'm offbase in my concerns, but either way I do think the
> limitations are going to need to be documented so users (and their
> lawyers) are aware of them.
TLDR: meta-spdxscanner integrates with scanning tools. Either with fossology
or scancode-tk. An upload to blackduck is also possible meanwhile.
Let's focus on fossology and scancode-tk.
a) fossology
Here we essentially integrate in the task chain and archive the sources after
patching to upload them to a fossology instance. All the scanning/processing
happens then on the server and after some time (a lot ! ;) ) we get a SPDX
report back that we store alongside the package. This is a result of a scan,
so it might catch licenses of files deep in the source tree that may not be
declared in the recipe and so on.
Also, fossology offers then a webinterface for manual inspection and review.
So this is a thorough but quite manual process. More for release work than
daily or occasional stuff.
b) scancode-tk
scancode on the contrary will run on your host during the build and gather the
data. It will write the spdx file out as well.
I think for us the interesting part would be to compare e.g. the scancode-tk
scan from b) with what we have declared in the recipe.
Best,
JS
next prev parent reply other threads:[~2022-02-08 13:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-07 19:29 [PATCH v2] create-spdx: Get SPDX-License-Identifier from source Saul Wold
2022-02-07 20:33 ` [OE-core] " Scott Murray
2022-02-07 20:35 ` Joshua Watt
2022-02-07 20:59 ` Scott Murray
2022-02-08 12:50 ` Robert Berger
2022-02-08 13:19 ` Jan-Simon Moeller [this message]
2022-02-08 13:35 ` Mikko.Rapeli
2022-02-08 13:56 ` Jan-Simon Moeller
2022-02-08 14:16 ` Joshua Watt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2518421.NRruQZ00Rg@monster \
--to=dl9pf@gmx.de \
--cc=jpew.hacker@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=scott.murray@konsulko.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.