Allow the user to check FLOSS licenses (SPDX) #3498
Comments
Maybe the should be enough.
I'm a supporter of keeping the license field generic and open, BUT implement a plugin with the 1.8 new plugin system, probably good idea to integrate with the
No reason to forbid non-SPDX content in the license field, especially since there will always be non-free and custom licenses. The goal is to:
This bug is about conan exposing the license data so that the check is performed on the user side instead of in conan, as license linting inside conan was found a difficult task. Maybe the plugins will make this easier, but I'm still unsure about what this plugin system really allows. Anyway, exposing package metadata in JSON format isn't wasted, as there are other use cases.
To be more explicit, this is nice for a human who wants to check things:
But something like this would be much easier to parse and automate the checks:
Remark:
For me,
Conan info is able to get this right using a profile. This is without pthreads-win32, using a linux profile:
And this is with the Windows profile (pthreads-win is the penultimate line):
I'm using Conan 1.8.2, but remember this working the same back in 1.7.x or 1.6.x.
There is now a SPDX checker hook that has already been merged to the conan-io/hooks repository https://github.com/conan-io/hooks#spdx-checker It is still very preliminary but it implements the requested functionality and follows the desired approach for implementation. Please give it a try and report in the hooks issue tracker and we will be more than willing to improve it! 😄 thanks a lot
This is an enhancement request related to #2342.
SPDX allows to easily identify Free/Libre Open Source Software (FLOSS) licenses by using SPDX identifiers. It makes it easy to determine what a licence is at first glance, and is unambiguous.
As you may see, those packages are both using FLOSS licenses, but use a rewording to summarize it, or a URL. This can't be parsed and automated easily. Stating in the docs that packagers should favor SPDX would be easy and a good start. This means they would write in their recipes:
license = 'SPDX-License-Identifier: OpenSSL'
or
license = 'SPDX-License-Identifier: Zlib'
This would pave the way to automatic retrieval of license data (license text) and metadata (OSI approval) using spdx-lookup. This means people would be easily able to do some simple licence compatibility checks. This isn't enough to build a Bill Of Materials, as the granularity is at the package level, but that's a start and would be an improvement over the current situation. The license information would then easily be extracted and processed. This would only require changing the `--json` option of the `conan info` command to always output JSON (even when used without the `--build-order`). A user would then be able to use `conan info --json` on a package, filter the information he/she wants from it using jq for example, and perform some checks on licence compatibility, or others.
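An added example (not Conan's own code, nor the hook mentioned in the comments) of the user-side check this issue asks for: it reads JSON shaped like `conan info --json` output, resolves each package's license field to SPDX identifiers, and lists the packages whose field is free text or a URL. The JSON shape, the handling of the `SPDX-License-Identifier:` prefix and the small identifier allow-list are assumptions.

```python
"""Audit 'license' fields from conan info JSON output against SPDX identifiers."""
import json
import re

# Small allow-list standing in for the full SPDX license list (assumption; a real
# tool would load the list shipped with spdx-lookup or from spdx.org).
SPDX_IDS = {"MIT", "Zlib", "OpenSSL", "Apache-2.0", "BSD-3-Clause",
            "GPL-2.0-or-later", "LGPL-2.1-or-later"}

# Optional 'SPDX-License-Identifier:' tag, then ids joined by AND/OR (no parentheses).
_FIELD = re.compile(r"^\s*(?:SPDX-License-Identifier:\s*)?(?P<expr>[A-Za-z0-9.+-]+"
                    r"(?:\s+(?:AND|OR)\s+[A-Za-z0-9.+-]+)*)\s*$")


def spdx_identifiers(license_field):
    """Return the SPDX ids named by a license field, or None if it is free text, a URL or unknown."""
    if isinstance(license_field, list):          # assumption: a list means all licenses apply
        license_field = " AND ".join(license_field)
    if not isinstance(license_field, str):
        return None
    match = _FIELD.match(license_field)
    if not match:
        return None
    ids = re.split(r"\s+(?:AND|OR)\s+", match.group("expr"))
    return ids if all(i in SPDX_IDS for i in ids) else None


def audit(conan_info_json):
    """Map each package reference to its SPDX ids (None means the field is not SPDX)."""
    return {node.get("reference", "<unknown>"): spdx_identifiers(node.get("license"))
            for node in json.loads(conan_info_json)}


def non_spdx(report):
    """References whose license field could not be resolved to SPDX identifiers."""
    return sorted(ref for ref, ids in report.items() if ids is None)


# Constructed sample shaped like conan 1.x `conan info --json` output (not real tool output).
SAMPLE = json.dumps([
    {"reference": "zlib/1.2.11@conan/stable", "license": "Zlib"},
    {"reference": "openssl/1.1.1@conan/stable", "license": "SPDX-License-Identifier: OpenSSL"},
    {"reference": "dual/1.0@demo/testing", "license": ["Apache-2.0 OR MIT"]},
    {"reference": "legacy/2.0@demo/testing", "license": "BSD-like, see http://example.invalid/LICENSE"},
])

if __name__ == "__main__":
    for ref in non_spdx(audit(SAMPLE)):
        print(f"non-SPDX license field: {ref}")
```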