
Hi Stephan,

The most common source of failed legal reviews I have encountered in my packaging efforts so far is cases where upstream declares the package's license to be X in some metadata, but when you actually look at the distributed LICENSE file or the headers of the code, it turns out the license is in fact Y. I suppose many people just don't know how to distinguish between BSD2, BSD3, and MIT licenses, and then they put misleading information into their package descriptions.

It would be great if a tool could detect those cases, i.e. by scanning all distributed files for well-known license texts in order to *guess* an SPDX identifier. Now, whenever that guess is different from the one declared in the spec file, that should raise a red flag (maybe in the form of a comment on the submit request). It would be particularly nice if such a tool were available for packagers to run locally before they even submit the request.

Best regards,
Peter

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org