Re: SPDX Statistics - Pavel edition

On Sun, Jan 29, 2023 at 11:41 AM Miroslav Suchý <msuchy@xxxxxxxxxx> wrote:
>
> Tip: do you want to audit licenses in your tarball? Unpack the tarball and try:
>
>   dnf install askalono-cli
>
>   askalono crawl /path/to/directory

Regarding askalono: I had not heard of it prior to getting involved in
this whole Fedora initiative around the Callaway->SPDX migration and
the revamped legal documentation. Since then I've used it quite a bit,
mostly for some non-Fedora-related work.

askalono is an easy-to-use tool which is good to reach for in some
situations, but one should be aware of its limitations and
primitiveness. It can't recognize or understand:
* license notices/license texts that are comments in source files (it
specifically looks only for files that are named LICENSE or COPYING or
some obvious variant on those)
* license notices/license texts in README files
* license files that contain multiple license texts (or it will only
recognize the first of them)
* nonstandard/archaic/legacy licenses (which covers most of the
licenses being reviewed in issues in fedora-license-data)

I've found it useful for quick analysis of packages coming out of
ecosystems featuring projects known to have (1) highly standardized
approaches to layout of license information, (2) generally simple
license makeup, and (3) cultural preferences for a highly limited set
of licenses (for example, Rust crates that don't bundle legacy C code,
Golang modules, Node.js npm packages). For things that don't have such
simple characteristics (such as a lot of relatively old, historically
complex Fedora packages) it is probably not going to be too useful for
its "crawl" functionality. And for the task of trying to identify
previously-overlooked or abstracted-away licenses in Fedora packages
it is basically not useful at all.

So: a good tool to have in the toolbox, but its limitations should be
understood, and I don't think it can really be recommended as an audit
tool by itself, given its limitations, even for the kinds of packages
it is relatively useful for.

Richard
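
The gaps listed in the message above can be partly covered by a second pass over the unpacked tree. This added example (not part of the original message and not askalono code) flags README statements, in-source SPDX tags and notices, and license files carrying more than one notice phrase; the file-name pattern and the phrase list are assumptions constructed for illustration.

```python
import os
import re
import sys

# Assumption: approximates the "LICENSE or COPYING or some obvious variant"
# names the message describes; this is not askalono's own matching rule.
LICENSE_NAME = re.compile(r"^(licen[cs]e|copying)([._-].*)?$", re.I)
README_NAME = re.compile(r"^readme([._-].*)?$", re.I)
SPDX_TAG = re.compile(r"SPDX-License-Identifier:[ \t]*([^\r\n*/]+)")
# Constructed list of common notice wording, far from exhaustive.
NOTICE = re.compile(
    r"permission is hereby granted|licensed under|gnu general public license"
    r"|redistribution and use in source and binary forms",
    re.I,
)

def find_overlooked(root):
    """Return sorted (relative path, reason) pairs that need manual review."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read(256 * 1024)  # cap the read on large files
            except OSError:
                continue  # unreadable entry, e.g. a dangling symlink
            rel = os.path.relpath(path, root)
            phrases = {m.group(0).lower() for m in NOTICE.finditer(text)}
            if LICENSE_NAME.match(name):
                # A file-name based crawl sees this file, but it may hold
                # more than one license text.
                if len(phrases) > 1:
                    hits.append((rel, "license file, several notice phrases"))
                continue
            tag = SPDX_TAG.search(text)
            if README_NAME.match(name) and (phrases or tag):
                hits.append((rel, "license statement in README"))
            elif tag:
                hits.append((rel, "SPDX tag: " + tag.group(1).strip()))
            elif phrases:
                hits.append((rel, "license notice in file body"))
    return sorted(hits)

if __name__ == "__main__":
    for rel, reason in find_overlooked(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {reason}")
```

Every hit is a prompt for manual review; nonstandard or legacy license texts that use none of the listed phrases are still missed.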
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx