>> Given that the service you're mentioning is proprietary, I'm not sure
>> whether the algorithm is the same as what led to Kate's slide or not.

The concept and algorithm have been openly presented/discussed at several Linux Foundation conferences. We will be publishing a paper in March that presents the concept, the various algorithms explored and experiences we have had using it to vet 10,000s of open source packages.

>> But in any case the keyring upstream maintainer points out that his
>> licensing is detected at https://pypi.org/project/keyring/ and it seems
>> that the service Kate used did not detect it.

The concept of publishing a License Quality Grade - LQG (which Kate prefers to call License Coverage Grade) was born from the simple idea that licensing should be recorded at the file level. Anything short of that causes lots of problems, including software losing its open source status, or its status becoming ambiguous at best. The LQG (or now LCG) solely measures the level of discipline a project (or company) has taken to ensure that a license notice is included in every source file. It is a bad practice to just post it on a web page. It is for that reason that keyring correctly earned a failing grade. Note that more traditional Foundations like FSF, Apache and Eclipse, as a matter of good practice, include a licensing header in every file.

More to come on this topic.

- Mark

-----Original Message-----
From: Paul Sherwood [mailto:[email protected]]
Sent: Saturday, February 18, 2017 8:59 AM
To: Gisi, Mark
Cc: [email protected]
Subject: RE: Getting started...

Hi Mark

On 2017-02-18 04:54, Gisi, Mark wrote:
>>> At Kate's talk [1] (can't find the slides online, btw) she showed a
>>> Wind River dashboard which mentioned that the WR scanner
>>> (proprietary?) identified keyring as having no license info.
>
> Wind River has provided a free SPDX creation service for more than
> three years including the dashboard view:
> http://spdx.windriver.com/pkg_upload.aspx
>
> We did this to allow one to obtain instant access to the SPDX
> creation process to promote the adoption of SPDX. All you need is a
> software package and an email address (actually you only need an email
> since we provide sample packages as well). We make it so easy that
> even your grandmother can create an SPDX file - provided she has an
> email account (at least that was a core design principle that guided
> us).

Given that the service you're mentioning is proprietary, I'm not sure whether the algorithm is the same as what led to Kate's slide or not. But in any case the keyring upstream maintainer points out that his licensing is detected at https://pypi.org/project/keyring/ and it seems that the service Kate used did not detect it.

br
Paul
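The file-level measurement Mark describes above (a grade for how consistently every source file carries its own license notice, with a project-level LICENSE file or web page earning no credit), as an added example that is not part of this thread or of the Wind River service: the regex patterns, the 30-line header window, the letter-grade thresholds and the sample project are all constructed assumptions.

```python
import re
# A per-file license notice: the SPDX tag is unambiguous, the phrases
# approximate common header wording. The patterns, the 30-line header window
# and the grade thresholds are assumptions here, not the Wind River algorithm.
LICENSE_NOTICE = re.compile(
    r"SPDX-License-Identifier:\s*\S+"
    r"|Licensed under the\s+\w"
    r"|(GNU (Lesser |Affero )?General Public|Apache|MIT|BSD) License",
    re.IGNORECASE,
)
SOURCE_EXTENSIONS = (".py", ".c", ".h", ".js", ".go", ".java", ".rs")

def has_license_notice(text):
    """True if the top 30 lines of the file carry a recognisable license notice."""
    header = "\n".join(text.splitlines()[:30])
    return LICENSE_NOTICE.search(header) is not None

def license_coverage(files):
    """Return (fraction of source files with a notice, sorted paths lacking one)."""
    # files maps path -> contents. LICENSE, README and web pages are skipped:
    # a project-level statement is exactly what the grade refuses to credit.
    sources = {p: t for p, t in files.items() if p.endswith(SOURCE_EXTENSIONS)}
    if not sources:
        return 0.0, []
    missing = sorted(p for p, t in sources.items() if not has_license_notice(t))
    return 1 - len(missing) / len(sources), missing

def coverage_grade(fraction):
    """Letter grade: A only at 100 %, F below 60 % (assumed scale)."""
    if fraction >= 1.0:
        return "A"
    for grade, floor in (("B", 0.9), ("C", 0.8), ("D", 0.6)):
        if fraction >= floor:
            return grade
    return "F"

# Constructed sample project: two of four source files carry a notice.
SAMPLE_PROJECT = {
    "LICENSE": "MIT License\n\nCopyright (c) 2017 Example\n",
    "README.md": "# demo\nSee LICENSE for terms.\n",
    "pkg/__init__.py": "# SPDX-License-Identifier: MIT\n",
    "pkg/core.py": "def run():\n    return 42\n",
    "pkg/util.c": "/* Licensed under the Apache License, Version 2.0 */\n",
    "pkg/cli.py": "import sys\n\ndef main():\n    sys.exit(0)\n",
}

if __name__ == "__main__":
    fraction, missing = license_coverage(SAMPLE_PROJECT)
    print(f"coverage {fraction:.0%}, grade {coverage_grade(fraction)}, missing {missing}")
```

The sample project has a LICENSE file and a README pointing to it, yet only half of its source files carry a notice, so it fails in the same way the thread says keyring did.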
