On Mon, 20 May 2019, J Lovejoy wrote:
>
> > On May 19, 2019, at 10:00 PM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> >
> > On Sun, 19 May 2019, Allison Randal wrote:
> >
> >> Since the text says "gnu *library* general public license", shouldn't
> >> the SPDX license identifier be LGPL instead of GPL?
> >
> > Well spotted
>
> Indeed. Is anyone else concerned that the scanner(s) didn't catch this?
> This is the kind of thing that (I think) would have been caught.
> Considering that we have to rely on the tooling to a certain degree
> (i.e. we can't possibly look at every file individually), this has me
> a bit worried...

The problem with the tools is that they need tons of heuristics to cope
with the endless amount of mess. So it's a given that some of the
heuristics are wrong.

I spent quite some time thinking about a solution to this, and the way I
proposed doing it, i.e. reducing the mess to normalized patterns, allows
us to avoid staring at 20k patch snippets. We really need to spot the
failures in the patterns, not in the actual file-level patches. The
patcher itself is going to remove the file-level equivalent of the
normalized pattern and add the concluded SPDX identifier instead. Not
more, not less.

If the tools were perfect we would not need to look at any of these
things ...

Thanks,

	tglx