On Tue, Feb 5, 2019 at 1:30 PM Jeremiah C. Foster <[email protected]> wrote:
> If I'm not mistaken, copyright has to be a string because it has to be 
> legible by humans. This means you can likely grep through source code as 
> scancode does with a fair degree of confidence and use 'strings' on binaries.
>
> Using DEP-5 and Debian Copyright files where you can should also be 
> sufficient for due diligence in most jurisdictions, but I can't point to any 
> legal precedent as evidence.
>
> SPDX helps by creating a framework for human and machine readable 
> documentation of your work, but you'll still need to scan code for copyright.
>
> Binaries likely require a bit of reverse engineering.

Yes, absolutely.

SPDX's set of standard licenses and ids (and scancode's somewhat
expanded similar set) are great for stating license info succinctly.

scancode is great at collecting the info that should go into the
debian copyright file.

My goal for this iteration at our licensing process was to automate
collection of license info for the shared libraries our binary uses.

Here's the pipeline I set up to do that:

1) https://github.com/Oblong/obs/blob/master/ob-filter-licenses reads
a DEP-5 (aka Debian copyright) file and filters out any clauses that
(most likely) do not propagate to shared library artifacts
2) https://github.com/Oblong/obs/blob/master/ob-parse-licenses reads a
Debian copyright file, filters it through ob-filter-licenses, and
outputs spdx ids.  (For non-DEP-5 copyright files, it uses scancode to
guess licenses.)
3) https://github.com/Oblong/obs/blob/master/ob-list-licenses uses ldd
to look up shared libraries used by a binary, uses dpkg-query to look
up the containing packages, and runs ob-parse-licenses on them.

For instance, running "ob-list-licenses /bin/login" outputs:

libaudit1  https://people.redhat.com/sgrubb/audit/
  GPL-2
  LGPL-2.1

libc6  https://www.gnu.org/software/libc/libc.html
  libc6-special

libcap-ng0  http://people.redhat.com/sgrubb/libcap-ng
  GPL-2.0-or-later
  LGPL-2.1-only
  GPL-1.0-or-later

libpam0g  http://www.linux-pam.org/
  BSD-3-Clause
  GPL-1.0-or-later
  GPL-2.0-only

This of course only solves a small part of the license / copyright
problem, and only approximately, but it found interesting things for
us.
- Dan
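The DEP-5 filtering step described above (what ob-filter-licenses and ob-parse-licenses do before emitting ids), as an added example that is not code from the obs repository: it parses a constructed Debian copyright file, drops Files paragraphs whose paths are assumed never to reach a shared-library artifact (the NON_PROPAGATING prefix list is my assumption, not the rule obs uses), and returns the remaining license short names.

```python
import re
# Constructed sample DEP-5 file; not taken from any real package.
SAMPLE_DEP5 = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2010-2018 Example Author <[email protected]>
License: LGPL-2.1+
 On Debian systems see /usr/share/common-licenses/LGPL-2.1.

Files: src/compat/*
Copyright: 2005 Other Author
License: BSD-3-Clause or MIT

Files: debian/*
Copyright: 2018 Packager Name
License: GPL-2+
"""

# Assumed heuristic (mine, not obs's): files under these prefixes are
# packaging, docs or tests and never end up inside the shared library.
NON_PROPAGATING = ("debian/", "doc/", "docs/", "test/", "tests/")


def parse_paragraphs(text):
    """Split DEP-5 text into dicts (blank line = new paragraph, indent = continuation)."""
    paragraphs = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in chunk.splitlines():
            if line[:1].isspace() and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        paragraphs.append(fields)
    return paragraphs


def propagating_licenses(text):
    """Sorted license short names from Files paragraphs that may reach a shared library."""
    found = set()
    for para in parse_paragraphs(text):
        if "Files" not in para or "License" not in para:
            continue  # header paragraph or stand-alone License paragraph
        if all(g.startswith(NON_PROPAGATING) for g in para["Files"].split()):
            continue  # every glob is packaging/docs/tests: clause does not propagate
        short = para["License"].splitlines()[0]  # first line is the short name
        found.update(s.strip() for s in re.split(r"\b(?:and|or)\b", short))
    return sorted(found)
```

The debian/* clause (GPL-2+) is dropped and the "or" expression is split, so the result is the short names that still need mapping to SPDX ids.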

View/Reply Online (#1212): https://lists.spdx.org/g/spdx/message/1212