al so wrote at 22:05 (PDT) on Thursday:
> I thought this tool would aid such review in an automated fashion. But
> No. It just detects GPL libs.

Please be careful not to inadvertently troll this list. I am sure you don't mean to do so, but your emails come across a bit as such. I thus decided to de-lurk and reply since -- for posterity purposes -- it's probably useful (if folks later find this thread in archives) to have an email in the thread explaining the nuance of what Fossology can and can't do regarding detecting GPL violations. That's what I do below.

Fossology is a very valuable tool, and as Ryan Arnold pointed out, it can aid in the important first steps in your understanding of how to comply with licenses when given a codebase that's new to you.

There are a *lot* of clauses in the GPL, and the clauses where Fossology helps with compliance are, admittedly, not the ones that are most often violated today. For example, if you have a binary that may have GPL'd code in it (i.e., a straight-up GPLv2§3 / GPLv3§6 violation), I'm not aware of any feature in Fossology that will help you determine that; you need a binary analysis tool. (Personally, I just use 'binwalk' and 'strings' for that situation.)

More generally, if you are working backwards from a known-violating binary, Fossology can't *directly* help you figure out the proper Complete, Corresponding Source (CCS) that is needed to resolve that violation. CCS release construction, particularly when done in a post hoc fashion, is something only a human can do. But Fossology can *indirectly* assist in those situations.

Furthermore, there *is* a class of violations that Fossology can detect quite well. That's what Ryan refers to when saying:

On Thu, Apr 19, 2018 at 12:57 PM, Ryan Arnold wrote:
>> It will not directly detect violations. It can be used in conjunction to
>> identify the presence of GPL and with research and review to see if any
>> violation may have taken place.

For example, Fossology will do an excellent job finding what are called "license incompatibility violations", such as when you have a codebase that has combined code that says "non-commercial-use only" with GPL'd software.

For Conservancy's part, we use Fossology extensively as part of our work enforcing the GPL for Linux, Samba, Debian and other projects (see <https://sfconservancy.org/copyleft-compliance/>). Specifically, when we get a candidate CCS release from a GPL violator, we use Fossology to verify that they haven't introduced license incompatibility violations. We also use Fossology to compare the licensing information from the public upstream project with the sources provided, to be sure that license notices have not been surreptitiously modified.

In short, the problem you (and we all) wish Fossology could solve is (more than likely) what's called in computability theory an "undecidable problem" (see <https://en.wikipedia.org/wiki/Undecidable_problem>).

So, you hopefully see now why your inquiries look troll-ish. Your comment is akin to posting to the mailing list of a project that does static code analysis complaining that their project doesn't solve the halting problem. ;)

--
Bradley M. Kuhn
Distinguished Technologist of Software Freedom Conservancy
========================================================================
Become a Conservancy Supporter today: https://sfconservancy.org/supporter