SPDX and DEP5 Generation

Registered by Rodrigo Belem on 2012-05-08

Blueprint information

Status: Not started
Approver: Kate Stewart
Priority: Medium
Drafter: Rodrigo Belem
Direction: Approved
Assignee: Rodrigo Belem
Definition: Approved
Series goal: Accepted for quantal
Implementation: Deferred
Milestone target: ubuntu-12.10

Related branches

Sprints

Whiteboard

Agenda:
    - discuss plans for evolving and testing prototype

From UDS session:
http://summit.ubuntu.com/uds-q/meeting/20807/other-q-spdx-gen/

Structured license file is the goal.

Kyle: does work for OEM and ODM, copyright file is unstructured.
   Has developed a tool called get-licenses, in lp:ppa.
   Not fully accurate.
   Generates a csv spreadsheet of found licenses
      - run it on current system
      - run it on /usr/doc system and get manifest
      - able to run against precise/main precise/universe...
      - providing spreadsheet to some of customers
   For every release want to be able to publish this.
   DEP5 parser - tell when DEP5 is valid, what is copyrights, why invalid.
   Here are packages, and here are found licenses.
       licenses-simple (packages, short licenses) space delimited.
       license.csv (package, x based on licenses )
   Wrapped in a bunch of scripts -- package and version.
      URL for source package.
      Additional columns get added at end.
  Merge scripts.
  Needed: DEP5 parser, needs to be reviewed against spec and updated.

Rodrigo: Working with supervisor in terms of algorithms being used to find licenses per file. Interested in automatically generating - finding inaccuracies.
Kyle: creating canonistack vm with charm, and generate the spreadsheet for nightly build, and throw away.

Right now, adding more licenses to Ninka means editing its source;
instead, make plugins available. "Best recommended plugin"
SHORTTERM: get open source tools
LONGTERM: which packages are included to satisfy depends license effectively. Increase the distribution of software due to lack of license clarity.
Generate template part - and let folks fill in.
Make it easier for people to do the right thing.
Lintian warning, to error, to non inclusion if license tools show
Tagging of inventory, Joomla XML file, manually put together for each extension.
Process on license and updates, compliancy is low. --> get to goal.
Information around each patch. Extension auditing, patch auditing.
Only way announce patch is through twitter.
Current tools:
 * ninka: https://github.com/dmgerman/ninka
 * fossology: http://www.fossology.org
 * getlicenses: https://launchpad.net/getlicenses

Work Items

Work items:
[kyle] inform kate.stewart and rbelem when new version of get-license is pushed. : TODO
[kyle] convert get-license to use SPDX short form names. : TODO
[rbelem] review DEP5 and code for kyle: BLOCKED
[kate.stewart] review DEP5 and code for kyle : BLOCKED
[kate.stewart] connect rbelem with dmg. (papers) : TODO
[rbelem] generate out an SPDX and DEP5 formats, and some sample files.: INPROGRESS
[kate.stewart] connect hamanaka with place to put use cases. : DONE
