On Mon, 20 May 2019, Thomas Gleixner wrote:
> On Mon, 20 May 2019, J Lovejoy wrote:
> > > On May 19, 2019, at 10:00 PM, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
> > >
> > > On Sun, 19 May 2019, Allison Randal wrote:
> > >
> > >> Since the text says "gnu *library* general public license", shouldn't
> > >> the SPDX license identifier be LGPL instead of GPL?
> > >
> > > Well spotted
> >
> > indeed. is anyone else concerned that the scanner(s) didn’t catch this?
> > This is the kind of thing that (I think) would have been
> > caught. Considering that we have to rely on the tooling to a certain
> > degree (i.e. we can’t possibly look at every file individually), this has
> > me a bit worried…
>
> The problem with the tools is that they need tons of heuristics to cope
> with the endless amount of mess. So it's a given that some of the
> heuristics are wrong.

And people doing it are even more wrong. Just caught another patch on LKML
which replaced a very clear and unmodified Version 2 only boilerplate with
a GPL-2.0-or-later identifier.

I rather stare at the output of those scanner tools :)

> I spent quite some time to think about a solution to this and the way I
> proposed doing it, e.g. reduce the mess to normalized patterns, allows us
> to avoid staring at 20k patch snippets.
>
> We really need to spot the failures in the patterns, not the actual file
> level patches. The patcher itself is going to remove the file level
> equivalent of the normalized pattern and add the concluded SPDX identifier
> instead. Not more, not less.

And that's something machines are actually good at :)

But I'm definitely open for suggestions how to approach that differently.

Thanks,

	tglx
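
The pattern-level review described in the message above, as an added example that is not part of the original thread and is not the kernel's actual scanner or patcher: files are grouped by normalized boilerplate plus proposed identifier, and each group is checked once for the two mistakes the thread mentions (GPL vs. LGPL, and version 2 only vs. or-later). The sample texts, file names, normalization rule and matching phrases are all assumptions made for illustration.

```python
import re
from collections import defaultdict

V2_ONLY = ("This program is free software; you can redistribute it and/or modify "
           "it under the terms of the GNU General Public License version 2 as "
           "published by the Free Software Foundation.")
LIB = ("This library is free software; you can redistribute it and/or modify it "
       "under the terms of the GNU Library General Public License as published "
       "by the Free Software Foundation; either version 2 of the License, or "
       "(at your option) any later version.")
# Constructed sample input: (path, boilerplate as found, proposed SPDX identifier).
SAMPLES = [
    ("a.c", "/* " + V2_ONLY.replace(" under", "\n * under") + " */", "GPL-2.0-only"),
    ("b.sh", "# " + V2_ONLY.replace(" as ", "\n# as "), "GPL-2.0-only"),
    ("c.c", "/* " + V2_ONLY + " */", "GPL-2.0-or-later"),
    ("d.c", "/* " + LIB + " */", "GPL-2.0-or-later"),
]

def normalize(text):
    """Drop comment markers, case, punctuation and line wrapping."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def group_by_pattern(samples):
    """Map (normalized boilerplate, proposed identifier) -> list of paths."""
    groups = defaultdict(list)
    for path, text, spdx in samples:
        groups[(normalize(text), spdx)].append(path)
    return groups

def review_patterns(samples):
    """Return (identifier, paths, problems) for each suspicious pattern."""
    findings = []
    for (norm, spdx), paths in group_by_pattern(samples).items():
        problems = []
        is_lib = "library general public" in norm or "lesser general public" in norm
        if is_lib != spdx.startswith("LGPL-"):
            problems.append("GPL/LGPL family mismatch")
        text_later = re.search(r"or (at your option )?any later version", norm)
        if bool(text_later) != spdx.endswith(("-or-later", "+")):
            problems.append("only/or-later mismatch")
        if problems:
            findings.append((spdx, sorted(paths), problems))
    return findings

if __name__ == "__main__":
    for spdx, paths, problems in review_patterns(SAMPLES):
        print(spdx, paths, problems)
```

Four files collapse to three patterns here, and a reviewer only has to look at the two that are flagged rather than at each file-level patch.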