Hi Daniel,

FOSSology's license scanner, nomos, isn't SPDX license template compliant and it isn't our current intention to make it so. We only match a few signatures (regexes) found in context (rules). So when we say a file is BSD-3, that means that we are pretty confident that is the intended license, but we don't have the confidence that sentence matching like Ninka would give. We could write signatures and rules that implement the SPDX templates but at this time we don't believe that will give us significantly better results and will cost processing time, not to mention effort. Our signatures do take into consideration alternate spellings and extra words don't necessarily throw us off. Of course, this can be a good thing or a bad thing.

Mary's email is trying to get a pulse from fossology users to see if we should give more priority to supporting the SPDX license naming guidelines, add licenses that are currently missing from fossology, and if anyone would like to work on this.

An obvious question is why don't we use Ninka in fossology. There are multiple reasons, none of which preclude us from using it in the future, but the big one for us is that we don't have many non-hp contributors. So hp usually gets its way when setting priorities, and nomos is something they are used to and trust. More non-hp contributors would be a good thing for the project but we only have a few and we get surprisingly little feedback given the number of people I've met that use fossology.

Bob Gobeille
Hewlett Packard
Open Source Program Office
b...@fossology.org

On Jul 22, 2011, at 6:06 PM, D M German wrote:

> let me start again, I think I made things more complicated than they should
> be... and I made several mistakes below
>
> Let us start with a file that is clearly BSD-3.
>
> What do we output?
>
> - BSD-3
> - spdxBSD-3.
>
> Probably spdx-BSD3.
>
> the problem is, sometimes a file "looks" to our tools like BSD-3, but it
> is not according to SPDX. Example:
>
> ./drivers/net/wimax/i2400m/usb-tx.c
>
> the file includes
>
> The sentence that does not match the SPDX version is:
>
> ----------------------------------------------------------------------
> Neither the name of Intel Corporation nor the names of its
> contributors may be used to endorse or promote products derived from
> this software without specific prior written permission.
> ----------------------------------------------------------------------
>
> instead of the SPDX approved sentence:
>
> ----------------------------------------------------------------------
> Neither the name of the <ORGANIZATION> nor the names of its
> contributors may be used to endorse or promote products derived from
> this software without specific prior written permission.
> ----------------------------------------------------------------------
>
> Notice the difference is "the" before <ORGANIZATION>.
>
> What should we output?
>
> - BSD-3?
> or unknown?
>
> In Ninka I defined a new license set with the prefix: spdxBSD-3
>
> A file can be spdxBSD-3, but not BSD-3. I am not sure that is the best
> decision.
>
> --dmg
>
>
> dmg> If you follow the SPDX discussion you know that I have been looking
> dmg> into the implementation of SPDX.
>
> dmg> one of the challenges of new SPDX licenses is that they are subsets of
> dmg> what we call licenses.
> dmg> i.e. more strict in their text.
>
> dmg> For instance, in Ninka we allow some variability in some "by
> dmg> inclusion" licenses. Like
> dmg> British vs American spellings in BSD. SPDX does not.
>
> dmg> So the challenge I had was to allow the more strict SPDX detection,
> dmg> while allowing the
> dmg> usual detection for those licenses. In other words:
>
> dmg> I presume something similar would happen to Fossology, where the SPDX
> dmg> licenses would have to be scanned first, and if not-matched, then the
> dmg> more traditional licenses
> dmg> scanned.
>
> dmg> So say file contains a British spelling version of a couple of words
> dmg> in the BSD-3 clauses.
>
> dmg> Currently Ninka would output: BSD-3
>
> dmg> With SPDX support, what do we output?
>
> dmg> BSD-3 and spdx-BSD-3?
>
> dmg> or only BSD-3?
>
> dmg> alternatively, our license detection could be configured:
>
> dmg> - for default licenses (output BSD-3)
>
> dmg> - for spdx support: unknown licence (attach to Appendix)
>
> dmg> SPDX is going to give some headaches :)
>
> dmg> --dmg
>
>
> dmg> For a more concrete example: what would this license be:
>
>
> dmg> Here is an example of the BSD3 (non-spdx):
>
> dmg> ./drivers/net/wimax/i2400m/usb-tx.c
>
> dmg> The sentence that does not match the SPDX version is:
>
> dmg> Neither the name of Intel Corporation nor the names of its
> dmg> contributors may be used to endorse or promote products derived from
> dmg> this software without specific prior written permission.
>
> dmg> instead of:
>
> dmg> Neither the name of the <ORGANIZATION> nor the names of its
> dmg> contributors may be used to endorse or promote products derived from
> dmg> this software without specific prior written permission.
>
>
> dmg> Here is another example of the BSD3 (non-spdx):
>
> dmg> ./fs/nfsd/nfs4recover.c
>
> dmg> This is the sentence that does not match:
>
> dmg> THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
> dmg> WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
> dmg> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>
> dmg> instead of:
>
> dmg> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> dmg> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> dmg> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> dmg> A PARTICULAR PURPOSE ARE DISCLAIMED.
>
>
> dmg> --dmg
>
>
> dmg> On Fri, Jul 22, 2011 at 4:29 PM, Laser, Mary <mary.la...@hp.com> wrote:
>>>
>>> Greetings FOSSologists!
>>>
>>> As you may (or may not) know, The Linux Foundation’s Open Compliance Program
>>> has a workgroup dedicated to defining a standardized, adopted format for a
>>> software Bill of Materials or Software Package Data eXchange (SPDX). SPDX
>>> enables partners in a software supply chain to:
>>>
>>> · Easily exchange information about what’s in packages and its
>>> licensing
>>>
>>> · Avoids rework to identify the info
>>>
>>> · And, overall, leads to better compliance
>>>
>>> Here is an excellent video introduction to SPDX (~3.5 minutes long):
>>>
>>> http://www.linuxfoundation.org/programs/legal/compliance/webinars/introduction-to-spdx
>>>
>>> So, what does this have to do with FOSSology???? Read on!
>>>
>>> The current version of FOSSology identifies over 600 licenses. Many of
>>> these are registered with SPDX (http://spdx.org/licenses/). However,
>>> FOSSology is currently missing 54 licenses from the SPDX list (see
>>> attached).
>>>
>>> We have a long standing enhancement to include all SPDX licenses in
>>> FOSSology (item #10 in the unprioritized list,
>>> http://fossology.org/task_list#everything_else). This task has previously
>>> been prioritized lower than other high visibility enhancements, performance
>>> improvements and underlying architectural changes
>>> (http://fossology.org/task_list#v_2.0).
>>>
>>> With the upcoming Launch of SPDX at LinuxCon (August 17), the time seems
>>> ripe to get this done. We are looking for feedback from the FOSSology
>>> Community to understand how this should be prioritized against other
>>> FOSSology requests and enhancements. We also welcome volunteers who want to
>>> help with this effort. Adding a new license requires some familiarity with
>>> regular expressions and C programming. There are many examples of current
>>> licenses in the nomos code (see STRINGS.in and parse.c).
>>>
>>> Please respond with your comments and level of interest to participate in an
>>> effort to include all SPDX licenses in FOSSology.
>>>
>>> Thanks,
>>>
>>> Mary Laser
>>>
>>> The FOSSology Project
>>>
>>> http://fossology.org
>>>
>>> _______________________________________________
>>> fossology mailing list
>>> fossology@fossology.org
>>> http://fossology.org/mailman/listinfo/fossology
>
> dmg> --
> dmg> --dmg
>
> dmg> ---
> dmg> Daniel M. German
> dmg> http://turingmachine.org
>
> --
> --
> Daniel M. German
> http://turingmachine.org/
> http://silvernegative.com/
> dmg (at) uvic (dot) ca
> replace (at) with @ and (dot) with .
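
The two-tier detection discussed in the thread (strict SPDX template first, looser signatures as a fallback), as an added example that is not part of the thread and is not Ninka or nomos code. The loose signatures, the function names and the comment stripping are assumptions; the template sentences are the two quoted in the thread, so only those sentences are checked, not the full license text.

```python
import re

# The two SPDX BSD-3 template sentences quoted in the thread.
SPDX_SENTENCES = [
    "Neither the name of the <ORGANIZATION> nor the names of its "
    "contributors may be used to endorse or promote products derived from "
    "this software without specific prior written permission.",
    "THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "
    '"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT '
    "LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR "
    "A PARTICULAR PURPOSE ARE DISCLAIMED.",
]

# Constructed loose signatures for illustration (not real nomos/Ninka rules).
LOOSE_SIGNATURES = [
    r"neither the name of .+? nor the names of its contributors may be used "
    r"to endorse or promote products",
    r'this software is provided .{0,60}?"as is" and any express or implied',
]

def normalize(text):
    """Unify quote styles, drop comment leaders, collapse whitespace, lowercase."""
    text = text.replace("``", '"').replace("''", '"')
    text = re.sub(r"^\s*(\*|//|#)+", " ", text, flags=re.M)
    return re.sub(r"\s+", " ", text).strip().lower()

def template_to_regex(sentence):
    """Literal match everywhere except the <ORGANIZATION> placeholder."""
    parts = normalize(sentence).split("<organization>")
    return ".+?".join(re.escape(p) for p in parts)

def classify(text):
    """Return 'spdxBSD-3' on a strict template match, 'BSD-3' on a loose one."""
    body = normalize(text)
    if all(re.search(template_to_regex(s), body) for s in SPDX_SENTENCES):
        return "spdxBSD-3"
    if all(re.search(sig, body) for sig in LOOSE_SIGNATURES):
        return "BSD-3"
    return "unknown"

# Constructed sample: the Intel clause from the thread plus the SPDX disclaimer.
SAMPLE = """
 * Neither the name of Intel Corporation nor the names of its
 * contributors may be used to endorse or promote products derived from
 * this software without specific prior written permission.
 * """ + SPDX_SENTENCES[1]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The missing "the" before the organization name is enough to fail the strict tier, so the sample falls through to the loose label, which is the split the thread is debating how to report.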