<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Following on from the previous email, I've put together a basic
license-checker in Python and tested it in a CI Pipeline. I'd be
very interested to get feedback on the html and json output.</p>
<p>In particular I'd be interested to get opinions about how to
implement the blacklist: we're planning to design the license
checker with a blacklist option, where users can supply a list of
blacklisted licenses (possibly as regular expressions). If any
blacklisted licenses are detected, these would be reported in the
html and json outputs, but I'm not sure what form that ought to
take.</p>
<p>------------<br>
</p>
<ul>
<li>Sample html output is here:
<a class="moz-txt-link-freetext" href="https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/jobs/701539612/artifacts/file/buildstream_license_checker_output/url_manifest/license_check_summary.html">https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/jobs/701539612/artifacts/file/buildstream_license_checker_output/url_manifest/license_check_summary.html</a></li>
<li>And Sample json output is here:
<a class="moz-txt-link-freetext" href="https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/jobs/701539612/artifacts/file/buildstream_license_checker_output/url_manifest/license_check_summary.json">https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/jobs/701539612/artifacts/file/buildstream_license_checker_output/url_manifest/license_check_summary.json</a></li>
<li>The Pipeline is here:
<a class="moz-txt-link-freetext" href="https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/pipelines/181505791">https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/pipelines/181505791</a></li>
<li>And there's an MR here:
<a class="moz-txt-link-freetext" href="https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/3293">https://gitlab.com/freedesktop-sdk/freedesktop-sdk/-/merge_requests/3293</a></li>
</ul>
<p>(Note that the MR is still very very much a WIP).</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 14/08/2020 09:27, Douglas Winship
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e8305214-e392-aeba-0a0e-136939e2989b@codethink.co.uk">Hi
all.
<br>
<br>
<br>
We're looking to develop a basic license-checking script for
buildstream
<br>
projects, and would appreciate some input, either input on the
tool in general,
<br>
or input on whether it would be useful for freedesktop-sdk.
<br>
<br>
The user would invoke the script with one line, and the basic
process would be:
<br>
<br>
* User supplies one or more elements to check
<br>
* User also supplies a '--deps' argument (none, run, or all)
<br>
* Script invokes bst-show to get a list of relevant dependency
elements
<br>
* Script checks out the source code for each dependency into a
temporary directory
<br>
* Script runs license-checking software on the source code,
producing a detailed
<br>
output (one output file per dependency element)
<br>
* Script takes the raw outputs, and condenses them into a summary.
<br>
(A machine-readable summary, a human-readable summary, or one
each.)
<br>
<br>
The current plan is to use licensecheck, as the actual
license-checking software
<br>
(<a class="moz-txt-link-freetext" href="https://metacpan.org/pod/distribution/App-Licensecheck/bin/licensecheck">https://metacpan.org/pod/distribution/App-Licensecheck/bin/licensecheck</a>)
<br>
(<a class="moz-txt-link-freetext" href="https://packages.debian.org/buster/licensecheck">https://packages.debian.org/buster/licensecheck</a>)
<br>
<br>
licensecheck produces output lines for each file in the source
code, like this:
<br>
...
<br>
./crypto/algif_hash.c: UNKNOWN
<br>
./crypto/algif_rng.c: BSD (3 clause) GPL
<br>
./crypto/algif_skcipher.c: UNKNOWN
<br>
./crypto/ansi_cprng.c: UNKNOWN
<br>
./crypto/anubis.c: GPL (v2 or later)
<br>
./crypto/api.c: UNKNOWN
<br>
...
<br>
<br>
The script would then summarize the data into a single summary
file, which
<br>
would summarize all of the dependencies (summary would be either
<br>
machine-readable, human-readable, or one of each, according to
<br>
user-specified arguments).
<br>
<br>
The summary format is tbd, but the logical structure of the
summary would
<br>
look like:
<br>
....
<br>
- dependency_name: bootstrap/sed.bst
<br>
dependency_fullkey:
e52cee70287646e712c427accd3ef9ec533380ae7265177350c58cc3457f10b1
<br>
licensecheck_output:
<br>
- BSD (4 clause)
<br>
- FSF All Permissive
<br>
- GPL
<br>
- GPL (v2 or later)
<br>
- GPL (v3)
<br>
- GPL (v3 or later)
<br>
- ISC GPL (v3 or later)
<br>
- MIT/X11 (BSD like)
<br>
- *No copyright* BSL
<br>
<br>
- dependency_name: bootstrap/stripper.bst
<br>
dependency_fullkey:
f2993d8c833ee3aae118c6b2c96d6e7f4dc0cac2947cb0467835f5b288f01175
<br>
licensecheck_output:
<br>
- MIT/X11 (BSD like)
<br>
...
<br>
<br>
(Note, I've used YAML here as an example, because it's more
readable for the
<br>
purposes of this email, but json may be preferable for the actual
output.)
<br>
<br>
QUESTIONS:
<br>
<br>
A) Would this script be useful for freedesktop-sdk?
<br>
B) Would this script be useful in CI?
<br>
C) What sort of format would be good for the machine-readable
summary? json? YAML?
<br>
D) What sort of format would be good for the human-readable
summary? markdown? html?
<br>
E) What would be a more useful output for freedesktop-sdk: just
the summaries?
<br>
or should we also include the raw licensecheck output?
<br>
<br>
</blockquote>
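<p>A sketch of the summary-plus-blacklist step discussed in this thread, added here as an example; it is not code from the MR or from the emails above. The <code>blacklisted_licenses</code>, <code>matched_pattern</code> and <code>blacklist_violations</code> keys, the function names and the sample file paths are assumptions. Patterns are applied with <code>re.search</code> because licensecheck can report several licenses in one string (such as <code>BSD (3 clause) GPL</code>), so a pattern needs word boundaries to keep <code>GPL</code> from also matching <code>LGPL</code>.</p>
<pre>
```python
import json
import re

# Constructed sample in the "path: license" shape quoted in the email.
SAMPLE_RAW = {
    "bootstrap/sed.bst": "./lib/regex.c: GPL (v3 or later)\n"
                         "./lib/alloca.c: LGPL (v2.1 or later)\n"
                         "./lib/dual.c: BSD (3 clause) GPL\n",
    "bootstrap/stripper.bst": "./strip.py: MIT/X11 (BSD like)\n...\n",
}

def parse_licensecheck(text):
    """Map each license string to the files reported with it."""
    files_by_license = {}
    for line in text.splitlines():
        # Split on the LAST ": " so a path containing ": " stays intact.
        path, sep, license_name = line.rpartition(": ")
        if sep and license_name.strip():  # skips "..." and blank lines
            files_by_license.setdefault(license_name.strip(), []).append(path)
    return files_by_license

def compile_blacklist(patterns):
    """Compile user patterns up front so a bad regex stops the run."""
    compiled = []
    for pattern in patterns:
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            raise ValueError(f"bad blacklist pattern {pattern!r}: {exc}") from exc
    return compiled

def summarise(raw_outputs, blacklist_patterns):
    """Build the summary; keys other than the email's two are assumptions."""
    blacklist = compile_blacklist(blacklist_patterns)
    deps = []
    for name in sorted(raw_outputs):
        found = parse_licensecheck(raw_outputs[name])
        hits = [{"license": lic, "matched_pattern": rx.pattern,
                 "files": sorted(found[lic])}
                for lic in sorted(found) for rx in blacklist if rx.search(lic)]
        deps.append({"dependency_name": name, "licensecheck_output": sorted(found),
                     "blacklisted_licenses": hits})
    total = sum(len(d["blacklisted_licenses"]) for d in deps)
    return {"blacklist_violations": total, "dependencies": deps}

if __name__ == "__main__":
    report = summarise(SAMPLE_RAW, [r"\bGPL\b"])
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if report["blacklist_violations"] else 0)
```
</pre>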
</body>
</html>