Automated tool for generation and scanning of copying/copyright files

Registered by Gary Ekker on 2011-10-24

Integration of DEP5 and SPDX into our packaging process for the generation of machine readable COPYING or LICENSE files for improved analysis of the licensing and copyright issues when releasing Ubuntu and derivative products.

Blueprint information

Status: Not started
Approver: Steve Langasek
Priority: Undefined
Drafter: Kate Stewart
Direction: Needs approval
Assignee: None
Definition: Drafting
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Work Items:
[skaet] connect rbelem with FOSSology: DONE
[rbelem] help FOSSology produce SPDX: TODO
[knitzsche] assess what happens to Debian copyright file in FOSSology: TODO
[skaet] follow up to find out if there are plans for a Debian tool to convert SPDX -> DEP5: INPROGRESS
[knitzsche] discuss with PES team whether to commit resources to running an archive scanner: TODO

Discussion from http://summit.ubuntu.com/uds-p/meeting/19600/foundations-p-machine-readable-copyrights/
Transferred on 2011/11/08

 * SPDX->DEP5 conversion tools should be created and their use encouraged
 * PES team needs license manifests for their images
 * We want an ongoing archive scan for licensing that spits out SPDX+DEP5 format
 * FOSSology, Ninka (research) tools are good starting points for doing this.
   * Commercial tools can spit out SPDX directly, if PES wants to run these

Option:
 - Buildd - hook up and push out to SPDX? Deploy and bring back out?
 - Build images - scan and produce sidecar files.
 - Feed of new packages in archive provided by Launchpad, so analyzing licenses can be structured so that it happens on each package accept
   Host to run script on. Run anywhere? see archive and trigger - tlaunchpad.

Resources: ? someone on PES team setting up infrastructure.

License exceptions:
 - SSL exception.
 - How it applies to the licenses

 * FOSSology doesn't produce an SPDX file, but an on-line table; it would need to be translated

FOSSology in Lintian lab - will it fit with overhead? Probably not.
Needs its own server.

Source of information. No modification
