On Sat, Jan 16, 2010 at 7:53 PM, Jason L Tibbitts III <tibbs@xxxxxxxxxxx> wrote:
>>>>>> "LV" == Luis Villa <luis@xxxxxxxxxx> writes:
>
> LV> I know lack of reviewers is already a serious bottleneck in the
> LV> process; would having a separate cadre of license reviewers mean
> LV> more delays?
>
> How could it possibly be so, unless a separate license review was
> somehow made a blocker to the process? That's not what's being
> proposed. At worst, nobody would do separate license reviews and the
> regular package reviewers would continue as they do now. At best, all
> packages would be checked for license issues before the regular package
> review happens, and package reviewers can avoid worrying about license
> issues. Reality will probably be somewhere in between. Any separate
> license review takes work off of the already far overworked package
> reviewers; I can't imagine how that could hurt.

Ah, I understand better now- you mean this as an alternative; if the license reviewers don't have bandwidth, the regular reviewers would still have it on their plate before the package got submitted?

> I don't know how fossology works, but if there's any way I can automate
> calling it then I'll be happy to look into it. Currently automation
> would be limited to a tool that would pick a ticket which needs license
> review, pull down the most recent posted srpm, unpack it and drop you
> into a shell to look around, and automatically updating bugzilla.
> Plenty of possibility to hang other tools off of that, except that I
> don't really know of any that could be run.

Fossology is just a pile of scripts (perl maybe? I don't recall) that basically grep the hell out of a package and build licensing data based on what it finds; for large codebases the reports can get fairly elaborate. It has a large library of known license patterns, etc. So it should be able to tell you with fairly high certainty 'this package is licensed under license A, with a smattering of license X, Y and Z.'

What I suspect it won't do (and maybe someone should either talk with the fossology folks to confirm) is deal with the cases of bizarre or one-off licenses that seem to be stumbled upon fairly often here. Perhaps they could (or already do) flag files that contain keywords like 'copyright' or 'license' but don't contain a recognized license, for further inspection. (I imagine they also don't have as broad a database of licenses as Fedora does, but that is easier to fix.) If they can be talked into adding that (or someone from Fedora can hack it in) then my guess is that it would prove a fairly efficient way to vet packages for licensing conditions.

Luis

_______________________________________________
legal mailing list
legal@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/legal
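The flagging idea in the message above (files that mention 'copyright' or 'license' but match no recognized license text), sketched as an added example; this is not Fossology's code or anything posted to the list. The three-entry pattern table, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a tiny hand-written pattern table; a real scanner's library is far larger.
KNOWN_LICENSES = {
    "GPL": re.compile(r"GNU\s+General\s+Public\s+License", re.I),
    "MIT": re.compile(r"Permission\s+is\s+hereby\s+granted,\s+free\s+of\s+charge", re.I),
    "BSD": re.compile(r"Redistribution\s+and\s+use\s+in\s+source\s+and\s+binary\s+forms", re.I),
}
# Words that suggest a file carries licensing terms of some kind.
KEYWORDS = re.compile(r"\b(copyright|licen[sc]e[sd]?)\b", re.I)


def classify(text):
    """Return (recognized license names, True if keywords appear at all)."""
    found = sorted(name for name, rx in KNOWN_LICENSES.items() if rx.search(text))
    return found, bool(KEYWORDS.search(text))


def scan_tree(root):
    """Walk an unpacked source tree; return (license -> files, files to inspect)."""
    by_license, needs_review = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # Decode leniently so binary or oddly encoded files do not abort the scan.
        text = path.read_bytes()[:65536].decode("utf-8", errors="replace")
        found, has_keyword = classify(text)
        rel = path.relative_to(root).as_posix()
        for name in found:
            by_license.setdefault(name, []).append(rel)
        if has_keyword and not found:
            needs_review.append(rel)  # licensing language, but nothing recognized
    return by_license, needs_review


def demo():
    """Build a constructed three-file tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main.c").write_text("/* Licensed under the GNU General Public License v2 */\n")
        (root / "odd.c").write_text("/* Copyright 2009 Example. Free for use on Tuesdays only. */\n")
        (root / "data.txt").write_text("plain data, nothing to see\n")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

The `needs_review` list is the part a human license reviewer would look at: one-off terms like the constructed `odd.c` header land there instead of being silently passed.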