On Tue, Feb 5, 2019 at 5:32 PM Dan Kegel <[email protected]> wrote:
> On Tue, Feb 5, 2019 at 1:30 PM Jeremiah C. Foster <[email protected]> wrote:
> > If I'm not mistaken, copyright has to be a string because it has to be
> > legible by humans. This means you can likely grep through source code as
> > scancode does with a fair degree of confidence and use 'strings' on
> > binaries.
> >
> > Using DEP-5 and Debian Copyright files where you can should also be
> > sufficient for due diligence in most jurisdictions, but I can't point to
> > any legal precedent as evidence.
> >
> > SPDX helps by creating a framework for human and machine readable
> > documentation of your work, but you'll still need to scan code for
> > copyright.
> >
> > Binaries likely require a bit of reverse engineering.
>
> Yes, absolutely.
>
> SPDX's set of standard licenses and ids (and scancode's somewhat
> expanded similar set) are great for stating license info succinctly.
>
> scancode is great at collecting the info that should go into the
> debian copyright file.
>
> My goal for this iteration at our licensing process was to automate
> collection of license info for the shared libraries our binary uses.
>
Hi Dan,
Am not sure what you're using for a build infrastructure, but there
are some solutions emerging in Yocto that may be relevant, as well
as the other projects that Philippe outlines.
I checked with Richard and he confirms that
"The Yocto Project already builds everything with debug symbols which
get linked and separated into separate packages. It already uses
dwarfsrcfiles to generate a list of source code files which went into
creating a given binary.
The Project also has license information for each software recipe it
builds.
There are some work in progress patches, not quite ready to merge yet
but working which combine these two pieces of information, along with
scanning the source files for SPDX headers to give information about
the possible license a binary may be under."
So if you're using Yocto for your builds, and want to help get with the
development of this capability available faster, rather than create a
stand-alone tool feel free to reach out to Richard (on cc).
Thanks, Kate
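
The combination Richard describes, sketched as an added example (not Yocto's code and not the work-in-progress patches mentioned above): given the list of source files that went into a binary, scan each for an SPDX header and report what is declared, what falls back to the recipe license, and what is missing. The plain list of paths standing in for dwarfsrcfiles output, the function names, and the sample files and license values are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# SPDX short-form tag; a trailing comment closer ("*/" or "-->") is not part of the expression.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->)?\s*$")

def spdx_expression(path, max_lines=20):
    """Return the SPDX expression declared in the first max_lines of a file, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for _, line in zip(range(max_lines), fh):
            match = SPDX_TAG.search(line)
            if match:
                return match.group(1)
    return None

def licenses_for_binary(source_files, recipe_license):
    """Group the sources of one binary by declared license, keeping the gaps visible."""
    report = {"recipe_license": recipe_license, "declared": {}, "undeclared": [], "missing": []}
    for src in source_files:
        if not Path(src).is_file():
            report["missing"].append(src)      # listed in debug info but absent from the tree
            continue
        expr = spdx_expression(src)
        if expr:
            report["declared"].setdefault(expr, []).append(src)
        else:
            report["undeclared"].append(src)   # only the recipe-level license applies
    return report

def demo():
    """Run the scan over a constructed source tree (all file contents are made up)."""
    samples = {
        "main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
        "compat.c": "/* SPDX-License-Identifier: GPL-2.0-only */\nint compat;\n",
        "util.c": "/* no license header */\nint util;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            Path(tmp, name).write_text(text, encoding="utf-8")
        listed = [str(Path(tmp, n)) for n in samples] + [str(Path(tmp, "generated.c"))]
        return licenses_for_binary(listed, recipe_license="LGPL-2.1-or-later")

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Files in the "undeclared" and "missing" lists are the ones that still need a scancode-style scan or manual review before the binary's license can be stated.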