Hi Jilayne,

We started out using SPDX license ids very similar to Fedora in our RPM
spec files, around 2017 if I remember correctly. In Cavil we originally
just validated SPDX expressions in spec files and displayed errors with
legal reports, to help our package maintainers with the conversion.
Otherwise we've kept using our own legacy license ids, which have
accumulated over 10+ years of legal reviews.

Full SPDX support is a very recent development, triggered by the need
for standard SBOM documentation in certain industries. Now we've mapped
about half our legacy license ids to SPDX expressions and can generate
SPDX reports in tag:value format from the data. The results are
somewhat comparable to FOSSology, just with a bit more automation.

Right now we have about 60.000 package/version combinations in our
system, with SPDX reports down to file level for each of them.

I don't expect us to ever map all "licenses" to SPDX expressions,
because licensing information in Open Source software tends to be
quite flawed. And we've taken more of a pragmatic approach towards
dealing with it. So we have ids like "Any reference local" for vague
references to a license that cannot be clearly identified, with a
risk assessment based on context, which can then be considered by a
lawyer with the full legal report.

Regarding a demo, unfortunately I don't have anything prepared right
now. But I'll consider it for the future.

Regards,
Sebastian
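As an added illustration of the two pieces of machinery described above (validating SPDX expressions so errors can be shown in a legal report, and emitting per-file tag:value lines from a legacy-id mapping), here is a small Python sketch. It is not Cavil's code: the license list, the exception id and the legacy ids are constructed, and the tag:value output is a minimal fragment rather than a complete SPDX 2.2 document.

```python
import re

# Constructed sample data (not Cavil's real tables): a tiny SPDX license list,
# one exception id, and a few legacy-style ids mapped to SPDX expressions.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0"}
LEGACY_TO_SPDX = {"SUSE-GPL-2.0+": "GPL-2.0-or-later", "MIT-style": "MIT",
                  "Any reference local": None}  # vague reference: left to a lawyer
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

def validate_expression(expr):
    """None if expr is a well-formed SPDX expression over the known ids, else an error."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        return f"unexpected characters in {expr!r}"
    def simple(i):  # license-id [WITH exception-id] | "(" compound ")"
        if i >= len(tokens):
            raise ValueError("unexpected end of expression")
        if tokens[i] == "(":
            i = compound(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("missing ')'")
            return i + 1
        if tokens[i] not in KNOWN_LICENSES:
            raise ValueError(f"unknown license id {tokens[i]!r}")
        if tokens[i + 1:i + 2] == ["WITH"]:
            if tokens[i + 2:i + 3] == [] or tokens[i + 2] not in KNOWN_EXCEPTIONS:
                raise ValueError(f"unknown exception id after WITH in {expr!r}")
            return i + 3
        return i + 1
    def compound(i):  # simple (("AND" | "OR") simple)*  -- operators are case-sensitive
        i = simple(i)
        while tokens[i:i + 1] in (["AND"], ["OR"]):
            i = simple(i + 1)
        return i
    try:
        end = compound(0)
        return None if end == len(tokens) else f"trailing token {tokens[end]!r}"
    except ValueError as e:
        return str(e)

def file_license_tags(path, legacy_id):
    """Tag:value lines for one file; unmapped or invalid ids become NOASSERTION plus a comment."""
    spdx = LEGACY_TO_SPDX.get(legacy_id)
    problem = validate_expression(spdx) if spdx else f"legacy id {legacy_id!r} not mapped"
    lines = [f"FileName: ./{path}", f"LicenseInfoInFile: {spdx if not problem else 'NOASSERTION'}"]
    if problem:
        lines.append(f"FileComment: <text>{problem}; needs legal review</text>")
    return lines
```

Keeping the gap visible as NOASSERTION with a comment, rather than guessing a license, is what lets a lawyer pick the item up later from the full report.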

On 2023-08-16 17:42, J Lovejoy wrote:
Hi Sebastian,

Thanks for the update! I'm copying the SPDX-legal team as well, as I
think many people there might be interested in this.

I had actually tried to learn more about Cavil a year or so ago, both
from the perspective of my role with SPDX and to see how the license
ids were being used by various projects, and from the perspective of
Fedora's adoption of SPDX ids. It'd be great to learn more directly!
Would you be willing to do some kind of demo or overview for the
SPDX-legal team?

Thanks,
Jilayne

On 8/16/23 8:21 AM, Sebastian Riedel wrote:
Hello,

Just wanted to let you know about Cavil (https://github.com/openSUSE/cavil), our Open Source legal review system. It has recently gained SPDX 2.2 support,
and is probably worth adding to the Open Source Tools list.

Regards,
Sebastian Riedel
View/Reply Online (#835): https://lists.spdx.org/g/Spdx-outreach/message/835