Greetings Heinz, On Wed, Sep 7, 2016 at 5:57 AM, <[email protected]> wrote:
> Dear Sir or Madam, > > > > I am working for the AUTOSAR association as one of the FOSS responsibles. > I am investigating about Fossology and SPDX. In that context I would like > to get into contact with you. > > > > · We want to use e.g. Fossology as the tool for analyzing the FOSS > licenses and then exporting it as SPDX file. This is then transferred to a > team dealing with license issues. Do we get a list of all FOSS licenses? > Does it mean that all these licenses are known in SPDX. Is there a mapping > of license information happening? > The SPDX generation capability has been added to FOSSology and can be found in the development version today (3.1 candidate). It is available to be tested and provide feedback on improving it is welcome. FOSSology is able to generate a list of all FOSS licenses that have been detected in the scanned code, and provide a summary in SPDX format (both tag:value & RDF are supported), depending on how you would like to use it. In SPDX tag:value format - if you grep for "“PackageLicenseInfoFromFiles:” in the spdx file, you'll find a summary of all the licenses found in the package analyzed. FOSSology uses the SPDX license identifier in its output. When there is no equivalent license reference in SPDX, FOSSology will generate a "LicenseRef-<insert name>", and put the actual text it discovers in the scanned files in the spdx file that FOSSology generates. > > > · What happens if some parts of the wording in the license are > changed. Is the deviation not recognized, is it highlighted or listed as an > unclassified license? > This depends on the scanners selected to be used: FOSSology has integrated into it 3 different scanners today: Nomos - flexible, looks for keyword matches, hints, etc. Monk - Certainty that known license text and headers is actually found and wording is exactly reproduced Ninka - Another precise license scanner looking for actual license text matches. The time to do the analysis and degree to you which the actual license text matches, is depended on the scanner you choose. In tool interface, the parts of the text that match a scanner are highlighted, so when you look at specific files, you can quickly see why a tool is asserting a match. Please see: https://www.fossology.org/features for some pictures of what this looks like. > > > · Where does the list of licenses that is used in Fossology come > from. In the Fossology documentation the NOMOS list is mentioned ( > http://archive15.fossology.org/attachments/3963/license_list_2.6.0.txt) > Where has the list it origin? And does it go in accordance with the license > list of SPDX? Deviation between SPDX and NOMOS > The list of license keywords and regular expressions used for NOMOS originated when the tool was first created, and has evolved over time. The SPDX license list started 5 years ago, and continues to evolve and update every quarter. There was some work done to analyze the differences between Nomos and SPDX license list a couple of years ago. However in 2015, the FOSSology team did a lot of work to integrate with the SPDX specification and license list into the tool, this is still ongoing work for 3.1 release. In general only Nomos detects a few licenses that aren't part of the SPDX license list, usually its because they are historical artifacts, etc. The bulk of them correspond to those on the SPDX list. > > > · What happens if Fossology finds an unknown list or a commercial > license (http://archive15.fossology.org/projects/fossology/wiki/ > Detection_of_Unclassified_licenses). Are they all classified as > unclassified licenses? > That is my understanding. > What happens if the license body is missing or if no license description > exists for a file? > It shows up as "no license detected". > And is this information about commercial licenses, not known licenses, … > transferred in the SPDX file in case of an export? > Yes. :-) > > > · Quite often I have seen that NOMOS is mentioned. I can’t find > detailed information about NOMOS. What is NOMOS? > Nomos is one of the scanners that can be used by FOSSology (and was one of the original ones), it is very flexible and does keyword and regular expression matching. You can find more of an overview: https://www.fossology.org/features > > > We would like to continue a discussion based on the questions above. Could > you please tell me who will be our contact person. > If you'd like to learn more in person, we will be having a hands-on training session on FOSSology on Friday October 7th in Berlin. Details about the training: http://events.linuxfoundation.org/events/linuxcon-europe/extend-the-experience/training-tutorials In addition please feel free to contact me directly, and I'll work with the FOSSology steering committee members and FOSSology developers to help answer your further questions. Hope this helps, Best Regards, Kate -- Kate Stewart Sr. Director of Strategic Programs, The Linux Foundation Mobile: +1.512.657.3669 Email / Google Talk: [email protected]
_______________________________________________ fossology mailing list [email protected] https://lists.fossology.org/mailman/listinfo/fossology
