Suggestions on improvements


Meh Mbeh Ida Delphine
 

Hello everyone, 

I'm trying to improve the Yocto Project's license tracing based on a proof-of-concept implementation of linking sources with SPDX headers to output files by Richard at http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=rpurdie/license-experiments-osls.

The code in package.bbclass creates a list of SPDX headers found for the sources that make up a given set of binaries that make up an individual package using debug symbols to map sources to the binaries. This is then compared with the license field of the given package containing those binaries.

Due to some mismatches, warnings pop up during the build. Below are a few sample warnings; I'm aware of false positives:

WARNING: glibc-2.32-r0 do_package: License for package nscd is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
WARNING: glibc-2.32-r0 do_package: License for package sln is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
WARNING: glibc-2.32-r0 do_package: License for package ldconfig is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
WARNING: glibc-2.32-r0 do_package: License for package glibc is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
WARNING: glibc-2.32-r0 do_package: License for package glibc-staticdev is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
WARNING: libcap-ng-0.8-r0 do_package: License for package libcap-ng is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2+ & LGPLv2.1+
WARNING: libtirpc-1.2.6-r0 do_package: License for package libtirpc is {'GPL-2.0 WITH Linux-syscall-note'} vs BSD-3-Clause
WARNING: ptest-runner-2.4.0+gitAUTOINC+834670317b-r0 do_package: License for package ptest-runner is {'GPL-2.0-or-later'} vs GPLv2+
WARNING: libcap-2.44-r0 do_package: License for package libcap is {'GPL-2.0 WITH Linux-syscall-note'} vs BSD | GPLv2
WARNING: libcap-2.44-r0 do_package: License for package libcap-staticdev is {'GPL-2.0 WITH Linux-syscall-note'} vs BSD | GPLv2
WARNING: openssl-1.1.1h-r0 do_package: License for package openssl-engines is {'GPL-2.0 WITH Linux-syscall-note', 'GPL-2.0+ WITH Linux-syscall-note'} vs openssl

Any suggestions on improvements I can make to this functionality?

Cheers,
Ida.


Robert Berger
 

Hi,

On 08/01/2021 04:59, Meh Mbeh Ida Delphine wrote:

> Due to some mismatches, warnings pop up during the build. Below are some
> few sample warnings and I'm aware of false positives;
Why do you think they are false positives?


> WARNING: glibc-2.32-r0 do_package: License for package nscd is {'GPL-2.0
> WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
Check this file:

FileName: ./spdx_temp/git/.pc/0026-inject-file-assembly-directives.patch/sysdeps/aarch64/crti.S
FileChecksum: SHA1: 83c9d68d2f83ca0af8af2a918533f21004aac238
LicenseConcluded: NOASSERTION
LicenseInfoInFile: LGPL-2.1-or-later
LicenseInfoInFile: LicenseRef-scancode-unlimited-linking-exception-lgpl
FileCopyrightText: <text>Copyright (c) 1995-2020 Free Software Foundation, Inc.
</text>


I play around with meta-spdxscanner and if you run e.g. scancode-toolkit it tells you:

FileName: ./spdx_temp/git/nscd/cache.c
FileChecksum: SHA1: ecec99d5427b03fe5c390f5fd78274a2a7c625e7
LicenseConcluded: NOASSERTION
LicenseInfoInFile: GPL-3.0-or-later
FileCopyrightText: <text>Copyright (c) 1998-2020 Free Software Foundation, Inc.
</text>

;)

Which comes from:

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published
by the Free Software Foundation; version 2 of the License, or
(at your option) any later version.

So once someone determines what's the real license, I guess packages could be licensed accordingly ;)

LICENSE_glibc-xxx = "GPLv3+"

is it? Bring in the lawyers.

> WARNING: glibc-2.32-r0 do_package: License for package sln is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
> WARNING: glibc-2.32-r0 do_package: License for package ldconfig is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
> WARNING: glibc-2.32-r0 do_package: License for package glibc is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
> WARNING: glibc-2.32-r0 do_package: License for package glibc-staticdev is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2 & LGPLv2.1
> WARNING: libcap-ng-0.8-r0 do_package: License for package libcap-ng is {'GPL-2.0 WITH Linux-syscall-note'} vs GPLv2+ & LGPLv2.1+
> WARNING: libtirpc-1.2.6-r0 do_package: License for package libtirpc is {'GPL-2.0 WITH Linux-syscall-note'} vs BSD-3-Clause
> WARNING: ptest-runner-2.4.0+gitAUTOINC+834670317b-r0 do_package: License for package ptest-runner is {'GPL-2.0-or-later'} vs GPLv2+
I assume GPLv2+ is supposed to mean GPL-2.0-or-later.
One fix would be to put in the LICENSE field of ptest-runner GPL-2.0-or-later instead of GPLv2+. Another fix could be to add the mapping between GPLv2+ and GPL-2.0-or-later.

> WARNING: libcap-2.44-r0 do_package: License for package libcap is {'GPL-2.0 WITH Linux-syscall-note'} vs BSD | GPLv2
> WARNING: libcap-2.44-r0 do_package: License for package libcap-staticdev is {'GPL-2.0 WITH Linux-syscall-note'} vs BSD | GPLv2
> WARNING: openssl-1.1.1h-r0 do_package: License for package openssl-engines is {'GPL-2.0 WITH Linux-syscall-note', 'GPL-2.0+ WITH Linux-syscall-note'} vs openssl
>
> Any suggestions on improvements I can make to this functionality?
>
> Cheers,
> Ida.
Regards,

Robert
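The check Ida describes in the first message (collect the SPDX-License-Identifier headers of the sources behind a package's binaries and compare them with the recipe's LICENSE field) and the fix Robert suggests (map Yocto-style names such as GPLv2+ onto SPDX identifiers before comparing) can be sketched together in a small script. The following is an added example written for this thread; it is not code from package.bbclass, from Richard's branch, or from meta-spdxscanner. The YOCTO_TO_SPDX table, the DEPRECATED_SPDX table, the sample source files and the binary-to-source mapping (which stands in for what the debug symbols provide) are all constructed for the example, not taken from glibc, libcap or ptest-runner.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# "SPDX-License-Identifier: <expr>" inside a comment header; a trailing comment
# closer (*/ or -->) is dropped if present.
SPDX_HEADER_RE = re.compile(
    r"SPDX-License-Identifier:\s*(?P<expr>[^\n]*?)\s*(?:\*/|-->)?\s*$", re.MULTILINE
)

# Assumed mapping from Yocto-style LICENSE tokens to SPDX identifiers. This is a
# hypothetical table for the example, not the project's own license map.
YOCTO_TO_SPDX = {
    "GPLv2": "GPL-2.0-only",
    "GPLv2+": "GPL-2.0-or-later",
    "GPLv3": "GPL-3.0-only",
    "GPLv3+": "GPL-3.0-or-later",
    "LGPLv2.1": "LGPL-2.1-only",
    "LGPLv2.1+": "LGPL-2.1-or-later",
    "BSD": "BSD-3-Clause",
}

# Deprecated SPDX short forms still seen in headers, folded onto the current
# "-only" / "-or-later" spellings so both sides compare equal (assumed table).
DEPRECATED_SPDX = {
    "GPL-2.0": "GPL-2.0-only",
    "GPL-2.0+": "GPL-2.0-or-later",
    "LGPL-2.1": "LGPL-2.1-only",
    "LGPL-2.1+": "LGPL-2.1-or-later",
}


def canonical_spdx(ident: str) -> str:
    """Map a deprecated SPDX spelling to the current one; pass others through."""
    return DEPRECATED_SPDX.get(ident, ident)


def split_expr(expr: str) -> List[str]:
    """Split a license expression on AND/OR/&/| and parentheses into bare tokens.
    A 'WITH <exception>' clause stays attached to its license."""
    cleaned = re.sub(r"[()]", " ", expr)
    parts = re.split(r"\s+(?:AND|OR|&|\|)\s+", cleaned)
    return [p.strip() for p in parts if p.strip()]


def spdx_ids_in_source(text: str) -> Set[str]:
    """Canonical SPDX ids (license plus any WITH exception) declared in a file's
    SPDX header, e.g. {'GPL-2.0-only WITH Linux-syscall-note'}."""
    found: Set[str] = set()
    for m in SPDX_HEADER_RE.finditer(text):
        for token in split_expr(m.group("expr")):
            lic, _, exc = token.partition(" WITH ")
            lic = canonical_spdx(lic.strip())
            found.add(f"{lic} WITH {exc.strip()}" if exc else lic)
    return found


def declared_licenses(license_field: str) -> Set[str]:
    """Translate a recipe LICENSE field such as 'GPLv2 & LGPLv2.1' into SPDX ids.
    '&' and '|' are both flattened to a set here; a real check would keep the
    disjunction semantics."""
    return {canonical_spdx(YOCTO_TO_SPDX.get(t, t)) for t in split_expr(license_field)}


def package_spdx_ids(binaries: Iterable[str], binary_sources: Dict[str, List[str]],
                     sources: Dict[str, str]) -> Set[str]:
    """Union of SPDX ids over every source the debug symbols attribute to the
    package's binaries. binary_sources stands in for the DWARF-derived
    binary -> source-file list; sources is path -> file text."""
    ids: Set[str] = set()
    for binary in binaries:
        for path in binary_sources.get(binary, ()):
            ids |= spdx_ids_in_source(sources.get(path, ""))
    return ids


def check_package(recipe: str, package: str, license_field: str,
                  found: Set[str]) -> Optional[str]:
    """Return a do_package-style warning when a source-level license (exception
    stripped) is not covered by the recipe's LICENSE field, else None."""
    declared = declared_licenses(license_field)
    bases = {ident.split(" WITH ")[0] for ident in found}
    if bases <= declared:
        return None
    shown = "{" + ", ".join(repr(i) for i in sorted(found)) + "}"
    return f"WARNING: {recipe} do_package: License for package {package} is {shown} vs {license_field}"


# Constructed sample tree and debug-symbol mapping (not real project data).
SOURCES = {
    "nscd/cache.c": "/* SPDX-License-Identifier: GPL-2.0-or-later */\n#include <stdio.h>\n",
    "sysdeps/crti.S": "/* SPDX-License-Identifier: LGPL-2.1-or-later */\n",
    "include/uapi/ioctl.h": "/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */\n",
    "cap_text.c": "// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0\n",
    "ptest-runner.c": "// SPDX-License-Identifier: GPL-2.0-or-later\n",
}
BINARY_SOURCES = {
    "usr/sbin/nscd": ["nscd/cache.c", "sysdeps/crti.S", "include/uapi/ioctl.h"],
    "usr/lib/libcap.so.2": ["cap_text.c"],
    "usr/bin/ptest-runner": ["ptest-runner.c"],
}


def run_checks() -> List[str]:
    """Run the comparison for three constructed packages; only nscd should warn,
    because its sources carry GPL-2.0-or-later and LGPL-2.1-or-later while the
    recipe field says GPLv2 & LGPLv2.1."""
    cases = [
        ("glibc-2.32-r0", "nscd", "GPLv2 & LGPLv2.1", ["usr/sbin/nscd"]),
        ("libcap-2.44-r0", "libcap", "BSD | GPLv2", ["usr/lib/libcap.so.2"]),
        ("ptest-runner-2.4.0-r0", "ptest-runner", "GPLv2+", ["usr/bin/ptest-runner"]),
    ]
    warnings = []
    for recipe, pkg, field, binaries in cases:
        w = check_package(recipe, pkg, field, package_spdx_ids(binaries, BINARY_SOURCES, SOURCES))
        if w:
            warnings.append(w)
    return warnings


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

With the mapping in place the ptest-runner case ({'GPL-2.0-or-later'} vs GPLv2+) no longer warns, and the WITH exception is stripped before comparing so a Linux-syscall-note header does not by itself trigger a mismatch against a plain GPLv2 field; the "-or-later" versus "-only" difference in the nscd case, which is the kind of thing Robert points at with cache.c, still does.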