On 16.02.2017 11:23, Peter Simons wrote:
Hi Stephan,
The most common source of failed legal reviews I have encountered in my packaging efforts so far is cases where upstream declares the package's license to be X in some metadata, but when you actually look at the distributed LICENSE file or the headers of the code, it turns out the license is in fact Y. I suppose many people just don't know how to distinguish between BSD2, BSD3, and MIT licenses, and then they put misleading information into their package descriptions.
It would be great if a tool could detect those cases, i.e. by scanning all distributed files for well-known license texts in order to *guess* an SPDX identifier. Now, whenever that guess is different from the one declared in the spec file, that should raise a red flag (maybe in the form of a comment on the submit request). It would be particularly nice if such a tool were available for packagers to run locally before they even submit the request.
Yeah, it's really strange to me that this area of FOSS didn't drive any combined effort of distributions. Last time I attended FOSDEM, the legal room was full of sad stories :)

Debian has a huge bunch of tools you might want to try: https://wiki.debian.org/CopyrightReviewTools

Greetings,
Stephan
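The check Peter sketches above (guess an SPDX identifier from the shipped license text, compare it with the License: tag in the spec file, and raise a red flag on disagreement), written out as an added example. This is not code from the thread and not one of the Debian tools Stephan links; it is a toy clause-matcher that covers only the MIT and BSD families the message names (plus BSD-4-Clause, recognised by its advertising clause), and the spec snippet and LICENSE file it runs on are constructed for the example. A production tool such as the ones on the Debian wiki page matches full canonical texts and covers many more licenses.

```python
"""Toy license-mismatch checker (added example, not a tool from the thread).

Guesses an SPDX identifier from the text of a shipped LICENSE file by
looking for clauses that distinguish the MIT, BSD-2-Clause, BSD-3-Clause
and BSD-4-Clause families, then compares the guess with the License: tag
declared in an RPM spec file and reports every disagreement as a red flag.
"""
from __future__ import annotations

import re
from typing import Optional

# Distinctive phrases (lowercased, whitespace-collapsed) taken from the
# canonical license texts. Matching on clauses rather than the full text
# tolerates copyright lines, reflowed paragraphs and minor wording drift.
MIT_GRANT = "permission is hereby granted, free of charge, to any person obtaining a copy"
BSD_GRANT = ("redistribution and use in source and binary forms, with or without "
             "modification, are permitted provided that the following conditions are met")
BSD_ENDORSE = "may be used to endorse or promote products derived from this software"
BSD_ADVERT = "all advertising materials mentioning features or use of this software"


def normalize(text: str) -> str:
    """Lowercase and collapse all whitespace so reflowed text still matches."""
    return re.sub(r"\s+", " ", text).strip().lower()


def guess_spdx(license_text: str) -> str:
    """Return a best-guess SPDX identifier, or 'UNKNOWN' if no rule fires."""
    t = normalize(license_text)
    if MIT_GRANT in t:
        return "MIT"
    if BSD_GRANT in t:
        if BSD_ADVERT in t:        # the 4-clause variant adds an advertising clause
            return "BSD-4-Clause"
        if BSD_ENDORSE in t:       # the non-endorsement clause is what makes it 3-clause
            return "BSD-3-Clause"
        return "BSD-2-Clause"
    return "UNKNOWN"


# RPM spec files carry the declared license in a "License:" tag.
SPEC_LICENSE_RE = re.compile(r"^License:\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE)


def declared_license(spec_text: str) -> Optional[str]:
    """Extract the License: tag from an RPM spec file, or None if absent."""
    m = SPEC_LICENSE_RE.search(spec_text)
    return m.group(1) if m else None


def check_package(spec_text: str, license_files: dict[str, str]) -> list[str]:
    """Compare the declared license against every shipped license file.

    Returns the red-flag comments a review bot would post on the submit
    request; an empty list means declaration and shipped texts agree.
    """
    declared = declared_license(spec_text)
    if declared is None:
        return ["spec file has no License: tag"]
    flags = []
    for path, text in license_files.items():
        guessed = guess_spdx(text)
        if guessed == "UNKNOWN":
            flags.append(f"{path}: license text not recognised; review by hand")
        elif guessed.lower() != declared.lower():
            flags.append(f"{path}: text looks like {guessed} but spec declares {declared}")
    return flags


# Constructed sample input: the spec claims MIT, but the shipped LICENSE
# file is the 3-clause BSD text, exactly the mismatch the thread describes.
SAMPLE_SPEC = """\
Name:           example
Version:        1.0
License:        MIT
Summary:        Example package whose metadata disagrees with its LICENSE file
"""

SAMPLE_LICENSE = """\
Copyright (c) 2017, Example Project
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice,
   this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
   may be used to endorse or promote products derived from this software
   without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED.
"""

if __name__ == "__main__":
    for flag in check_package(SAMPLE_SPEC, {"LICENSE": SAMPLE_LICENSE}):
        print("red flag:", flag)
```

Run locally before submitting, or from a bot that comments on the submit request: the sample prints `red flag: LICENSE: text looks like BSD-3-Clause but spec declares MIT`. Unknown texts are deliberately reported for manual review rather than silently accepted, since a file the matcher cannot classify is exactly the case a legal reviewer would want to see.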