This looks interesting, I'll definitely check it out. (Also good to hear about 
the tool HERE uses since it includes dependency checking which can get kinda 
messy in the Java world.)

The only thing I can comment on at the moment is that the name is a bit 
confusing, for two reasons;

1. It doesn't 'check' licenses
2. There is already 'licensecheck' in Debian

The first issue is a little important in the sense that the tool is not 
actually analysing a given license like ninka might. That is to say doing some 
kind of textual analysis to check which license a given license file is. Rather 
the code appears to read files and compare words to a database which helps 
*identify* the license a given file is under, but it doesn't do the more 
complex work of validating the license text itself. While this is no big deal 
(identifying licenses is important work and tools are still needed) it may 
cause a tiny bit of confusion to folks out there looking to ensure that the 
software they're using is licensed under the license listed and sometimes that 
due diligence requires an extra step.

The second issue is likely not a big deal if you're not targeting Debian-based 
systems which has licensecheck and has had that tool for about a decade. 
Written in perl (as is ninka) because of perl's strong text capabilities, it is 
mostly used inside Debian. But Debian and its derivatives are widely used, the 
DEP-5 served as the basis for SPDX, and Debian's license compliance process has 
been around for a couple decades, so you may run into a namespace clash on 
those type of systems.

I don't mean to sound pedantic or discouraging, just thought it might be worth 
it to raise these issues now.



On Fri, 2018-02-09 at 14:11 +1100, Ben Boyter wrote:

Hi All,

Thanks for the feedback before when I was seeking clarification about how to 
generate portions of the SPDX. One of the issues I had with getting SPDX 
adopted was to have a simple tool that would do it can could be hooked into CI 
pipelines and the like So I made one,


I just released version 1.0.0 and would love to get some feedback on it. Its 
written in Go which was a decision I made in order to learn it and because I 
wanted a single binary that was easy to distribute. It works pretty well for 
all of the example projects I have tried and I will be using it on client sites 
where possible.

Spdx-tech mailing list


This e-mail and any attachment(s) are intended only for the recipient(s) named 
above and others who have been specifically authorized to receive them. They 
may contain confidential information. If you are not the intended recipient, 
please do not read this email or its attachment(s). Furthermore, you are hereby 
notified that any dissemination, distribution or copying of this e-mail and any 
attachment(s) is strictly prohibited. If you have received this e-mail in 
error, please immediately notify the sender by replying to this e-mail and then 
delete this e-mail and any attachment(s) or copies thereof from your system. 
Thank you.
Spdx-tech mailing list

Reply via email to