Hello,

I have just added the questions and answers to the FAQ, if appropriate:
https://wiki.fossology.org/faq

I tried to summarize your answers there because they are (obviously) of general interest. And, I added a screenshot for the highlighting that Oliver has mentioned, covering a classic example of a popular license text that was modified.

Kind regards,
Michael

From: fossology-boun...@lists.fossology.org [mailto:fossology-boun...@lists.fossology.org] On Behalf Of Fendt, Oliver
Sent: Thursday, 8 September 2016 11:44
To: Kate Stewart; heinz.h.hi...@daimler.com
Cc: fossol...@fossology.org
Subject: Re: [FOSSology] Fossology and SPDX in AUTOSAR

Hi Heinz,

[Oliver] thank you for contacting us.

I am working for the AUTOSAR association as one of the FOSS responsibles. I am investigating about Fossology and SPDX. In that context I would like to get into contact with you.

• We want to use e.g. Fossology as the tool for analyzing the FOSS licenses and then exporting it as SPDX file. This is then transferred to a team dealing with license issues. Do we get a list of all FOSS licenses? Does it mean that all these licenses are known in SPDX. Is there a mapping of license information happening?

[Oliver] It is great that you intend to use FOSSology for the OSS package license analysis (incl. ecc keyword search and copyright extraction). FOSSology is able to find license relevant text even if it is only a reference to a license, e.g. “for licensing conditions please see: http://exampleproject.org/license.html”. This will be classified as “see URL” license. You then have the chance to look at the license of the project and incorporate the license into FOSSology (thus extending the license DB of FOSSology of your instance; of course you can also send this license text to us and ask for inclusion in the next version of FOSSology).
When you have identified the license – this will be reflected in the “concluded license tag” of SPDX for that file.

The SPDX generation capability has been added to FOSSology and can be found in the development version today (3.1 candidate). It is available to be tested, and feedback on improving it is welcome.

FOSSology is able to generate a list of all FOSS licenses that have been detected in the scanned code, and provide a summary in SPDX format (both tag:value & RDF are supported), depending on how you would like to use it. In SPDX tag:value format - if you grep for "PackageLicenseInfoFromFiles:" in the spdx file, you'll find a summary of all the licenses found in the package analyzed.

FOSSology uses the SPDX license identifier in its output. When there is no equivalent license reference in SPDX, FOSSology will generate a "LicenseRef-<insert name>", and put the actual text it discovers in the scanned files in the spdx file that FOSSology generates.

• What happens if some parts of the wording in the license are changed. Is the deviation not recognized, is it highlighted or listed as an unclassified license?

[Oliver] FOSSology has a very elaborate highlighting mechanism. It highlights modifications, additions and deletions of the original license text all in different colors, thus it is very easy to identify modifications of license texts.

This depends on the scanners selected to be used: FOSSology has integrated into it 3 different scanners today:

Nomos - flexible, looks for keyword matches, hints, etc.
Monk - Certainty that known license text and headers is actually found and wording is exactly reproduced
Ninka - Another precise license scanner looking for actual license text matches.

The time to do the analysis, and the degree to which the actual license text matches, depend on the scanner you choose.
In the tool interface, the parts of the text that match a scanner are highlighted, so when you look at specific files, you can quickly see why a tool is asserting a match. Please see: https://www.fossology.org/features for some pictures of what this looks like.

• Where does the list of licenses that is used in Fossology come from. In the Fossology documentation the NOMOS list is mentioned (http://archive15.fossology.org/attachments/3963/license_list_2.6.0.txt). Where has the list its origin? And does it go in accordance with the license list of SPDX?
Deviation between SPDX and NOMOS

[Oliver] the list of licenses comes from the SPDX license list as well as from contributions of found licenses to the FOSSology project (see my comment above, where you have the ability to add licenses to the license DB of FOSSology).

The list of license keywords and regular expressions used for NOMOS originated when the tool was first created, and has evolved over time. The SPDX license list started 5 years ago, and continues to evolve and update every quarter.

There was some work done to analyze the differences between Nomos and SPDX license list a couple of years ago. However in 2015, the FOSSology team did a lot of work to integrate with the SPDX specification and license list into the tool, this is still ongoing work for 3.1 release. In general only Nomos detects a few licenses that aren't part of the SPDX license list, usually it's because they are historical artifacts, etc. The bulk of them correspond to those on the SPDX list.

• What happens if Fossology finds an unknown list or a commercial license (http://archive15.fossology.org/projects/fossology/wiki/Detection_of_Unclassified_licenses). Are they all classified as unclassified licenses?

That is my understanding.
[Oliver] it depends on the keywords matched (it could also be that the commercial license is listed as a reference to URL - then it will be most probably classified as “see URL” (see my comment above)).

What happens if the license body is missing or if no license description exists for a file?

It shows up as "no license detected".

And is this information about commercial licenses, not known licenses, … transferred in the SPDX file in case of an export?

Yes. :-)

• Quite often I have seen that NOMOS is mentioned. I can’t find detailed information about NOMOS. What is NOMOS?

Nomos is one of the scanners that can be used by FOSSology (and was one of the original ones), it is very flexible and does keyword and regular expression matching. You can find more of an overview: https://www.fossology.org/features

We would like to continue a discussion based on the questions above. Could you please tell me who will be our contact person.

If you'd like to learn more in person, we will be having a hands-on training session on FOSSology on Friday October 7th in Berlin. Details about the training: http://events.linuxfoundation.org/events/linuxcon-europe/extend-the-experience/training-tutorials

In addition please feel free to contact me directly, and I'll work with the FOSSology steering committee members and FOSSology developers to help answer your further questions.

[Oliver] I recommend that you should try to participate in the training Kate mentioned. FOSSology is a very powerful tool and it provides features, which boost efficiency, which you should be aware of. Thus a training is the right thing in my opinion. If you will not be able to attend the training Kate mentioned, please let me know; we will for sure find a way to do a training for you if you are interested.

Ciao
Oliver

Hope this helps,
Best Regards, Kate

--
Kate Stewart
Sr. Director of Strategic Programs, The Linux Foundation
Mobile: +1.512.657.3669
Email / Google Talk: kstew...@linuxfoundation.org
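The summary lookup described in the thread (the "PackageLicenseInfoFromFiles:" lines plus the generated "LicenseRef-" entries with their extracted text), as an added example that is not part of the original messages and not FOSSology code. The sample document, the LicenseRef names in it, and the function names parse_tag_value and license_report are constructed for illustration; the tag names are those of the SPDX tag:value format.

```python
import re

# Constructed sample in SPDX tag:value form; not real FOSSology output.
SAMPLE_SPDX = """\
PackageName: demo-pkg
PackageLicenseInfoFromFiles: MIT
PackageLicenseInfoFromFiles: GPL-2.0
PackageLicenseInfoFromFiles: LicenseRef-See-URL
PackageLicenseInfoFromFiles: LicenseRef-Vendor-EULA
LicenseID: LicenseRef-See-URL
ExtractedText: <text>for licensing conditions please see:
http://exampleproject.org/license.html</text>
LicenseName: See URL
"""

TAG = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_tag_value(doc):
    """Yield (tag, value) pairs, joining multi-line <text>...</text> values."""
    pending = None  # (tag, [lines]) while inside an unterminated <text> block
    for line in doc.splitlines():
        if pending:
            pending[1].append(line)
            if "</text>" in line:
                yield pending[0], "\n".join(pending[1])
                pending = None
            continue
        m = TAG.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if "<text>" in value and "</text>" not in value:
            pending = (tag, [value])
        else:
            yield tag, value

def license_report(doc):
    """Summarise package licenses; flag LicenseRef-* ids with no extracted text."""
    pairs = list(parse_tag_value(doc))
    found = sorted({v for t, v in pairs if t == "PackageLicenseInfoFromFiles"})
    custom = [lic for lic in found if lic.startswith("LicenseRef-")]
    texts, current = {}, None
    for tag, value in pairs:
        if tag == "LicenseID":
            current = value
        elif tag == "ExtractedText" and current:
            texts[current] = re.sub(r"</?text>", "", value).strip()
    missing = [lic for lic in custom if lic not in texts]
    return {"found": found, "custom": custom, "texts": texts, "missing": missing}
```

Identifiers listed under "custom" are the ones outside the SPDX license list that need a human review; any listed under "missing" are referenced in the package summary without accompanying license text in the document.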