-
Notifications
You must be signed in to change notification settings - Fork 314
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request: Equalizer Function for license operators #6095
Comments
I guess we have something similar already, however we normalize on current SPDX expressions with operators and non-deprecated license IDs, which may be something different than what you have in mind.
That's basically how it's already done on the ScanCode level: In a raw ScanCode result, licenses and exception are completely independent license finding entries, and actually ORT invests quite some effort to associate such stand-alone exception findings with their belonging license findings in order to produce correct SPDX expressions with the
Indeed. See spdx/spdx-spec#153 which is also somewhat related. |
Thinking about these again:
Point 1 is, strictly speaking when treated as a whole expression, another thing than 2. or 3. as the exception is missing. And between 2. and 3., only 3. is actually a valid SPDX expression. So IMO it's correct that ORT reports it that way. Actually, when working solely with ORT, you should never see 2., so there's also no need to classify that finding, and thus no duplication. Can you shed a light on how you able to see a finding like 2. in ORT? |
Great, so the feature actually exists already. I believe your approach would be the more desirable anyway.
Okay, so we actually only need the 3. notation Going a little off topic here, but we also had trouble with this regarding the
We did not actually get that finding ourselves. We adopted the license classifications from the DoubleOpen project a few months back, as they had more licenses classified and more categories including license properties than the official ort-config repo. It seems like we just need to update our license expressions according to the SPDX expressions and we are good to go. Thanks a lot for the help. |
I believe so, yes.
Could you briefly recap what exactly you're looking for to get fixed?
Exactly 👍🏻 |
Sure. When scanning a repository with This is problematic if you want to create rules for upward compatibility of licenses, which we did. As we now get for example compatibility between The 2 separate findings by ScanCode and subsequently ORT in this case seems to match ScanCode's handling of exceptions, which your |
I currently don't see how / cannot think of a safe heuristic right now. For example, IMO we can't simply say something like "if both GPL-2.0-only and GPL-2.0-or-later were detected in the same line of a file (or very close), always assume it's just GPL-2.0-or-later". Would you have a heuristic in mind? |
What do you use as a heuristic for the exceptions? Would that be the "if both [...] were detected in the same line of a file (or very close)"? Honestly, I don't really see why that would not apply for the GPL's
(see |
Yes.
The problem is that doing this with confidence requires knowledge about how the scanner internally operates. ScanCode is not the only scanner ORT supports, and this code is shared by all scanners. So can we really safely assume that whenever any scanner finds You could have probably convinced me to implement this heuristic only for the case when both licenses are detected in the exact same line. But that seems to not be the case here ( |
I understand. So we would need to investigate the behavior of FossID as well. And provide more conclusive evidence and an accompanying heuristic. I might come back to this, once we find the time to investigate the But for now let's close this issue, as this was off topic anyway and the original feature request is already implemented in ORT. Thanks so much for your time and help. |
Context
I was trying to figure out how exceptions are detected, since double open has licenses listed redundantly in their license classification, which we adopted.
openvpn-openssl-exception
GPL-2.0-with-openvpn-openssl-exception
Since this specific exception is used by OpenVPN, I just scanned their repository.
And the license detected was
GPL-2.0 WITH openvpn-openssl-exception
. Yet another format for one and the same license, which I would need to add to my classifications file and have redundant classification.Feature Request
I propose a license operation equalizer function, which detects
-with-
,WITH
,OR
,or-later
, etc. and brings them into one format, e.g. lowercase with dashes, or whatever you fancy.OR even better split the exception findings from the license.
This way we only need one classification per license and one per exception and can properly detect any combination.
I realize this might be be related to the scancode results. However, they might be limited by the spdx ids.
But maybe it should be implemented in scancode instead? Let me know.
Reproduce
Scan the OpenVPN repo linked above.
You will get something like this:
The text was updated successfully, but these errors were encountered: