Allow the user to check FLOSS licenses (SPDX) #3498

Closed
3 tasks done
liberforce opened this issue Sep 6, 2018 · 7 comments
Labels
component: hook Related stuff: implementation and features type: feature

Comments

@liberforce
Contributor

This is an enhancement request related to #2342.

SPDX allows one to easily identify Free/Libre Open Source Software (FLOSS) licenses by using SPDX identifiers. It makes it easy to determine what a licence is at first glance, and is unambiguous.

$ conan info -r conan-center OpenSSL/1.0.2o@conan/stable
OpenSSL/1.0.2o@conan/stable
    ID: b4a53e1a9dd2de8a832beed316bba53600bc01b9
    BuildID: None
    Remote: conan-center=https://conan.bintray.com
    URL: http://github.com/lasote/conan-openssl
    License: The current OpenSSL licence is an 'Apache style' license: https://www.openssl.org/source/license.html
    Recipe: Cache
    Binary: Missing
    Binary remote: conan-center
    Creation date: 2018-08-27 09:12:47
    Required by:
        PROJECT
    Requires:
        zlib/1.2.11@conan/stable
zlib/1.2.11@conan/stable
    ID: 755fc07adbed235a7d3eadec4b6882d4912f09bc
    BuildID: None
    Remote: conan-center=https://conan.bintray.com
    URL: http://github.com/lasote/conan-zlib
    License: http://www.zlib.net/zlib_license.html
    Recipe: Cache
    Binary: Download
    Binary remote: conan-center
    Creation date: 2018-08-30 15:46:32
    Required by:
        OpenSSL/1.0.2o@conan/stable

As you may see, those packages are both using FLOSS licenses, but use a rewording to summarize it, or a URL. This can't be parsed and automated easily. Stating in the docs that packagers should favor SPDX would be easy and a good start. This means they would write in their recipes:

license = 'SPDX-License-Identifier: OpenSSL'
or
license = 'SPDX-License-Identifier: Zlib'

This would pave the way to automatic retrieval of license data (license text) and metadata (OSI approval) using spdx-lookup. This means people would be easily able to do some simple licence compatibility checks. This isn't enough to build a Bill Of Materials, as the granularity is at the package level, but that's a start and would be an improvement over the current situation.

The license information would then easily be extracted and processed. This would only require changing the --json option of the conan info command to always output JSON (even when used without the --build-order). A user would then be able to use conan info --json on a package, filter the information he/she wants from it using jq for example, and perform some checks on licence compatibility, or others.

To help us debug your issue please explain:

  • I've read the CONTRIBUTING guide.
  • I've specified the Conan version, operating system version and any tool that can be relevant.
  • I've explained the steps to reproduce the error or the motivation/use case of the question/suggestion.
@liberforce
Contributor Author

Maybe the SPDX-License-Identifier: isn't required as it doesn't make that more readable. Searching if the whole string matches a known SPDX license identifier should be enough, so:
license = 'OpenSSL'
or
license = 'Zlib'

should be enough.

@lasote
Contributor

lasote commented Sep 26, 2018

I'm a supporter of keeping the license field generic and open, BUT implement a plugin with the 1.8 new plugin system, probably a good idea to integrate with the conan-center pack, to perform the SPDX check.

@lasote lasote added component: hook Related stuff: implementation and features enhancement labels Sep 26, 2018
@liberforce
Contributor Author

liberforce commented Sep 26, 2018

No reason to forbid non-SPDX content in the license field, especially since there will always be non-free and custom licenses. The goal is to:

  • encourage use of SPDX (which many people are not aware of) when relevant
  • allow those that do use SPDX to perform the checks out of conan

This bug is about conan exposing the license data so that the check is performed on the user side instead of in conan, as license linting inside conan was found a difficult task. Maybe the plugins will make this easier, but I'm still unsure about what this plugin system really allows. Anyway, exposing package metadata in JSON format isn't wasted, as there are other use cases.

@liberforce
Contributor Author

liberforce commented Sep 26, 2018

To be more explicit, this is nice for a human who wants to check things:

$ conan info --profile ci/conan/profiles/linux64-gcc4 OpenSSL/1.1.0g@conan/stable -n license
OpenSSL/1.1.0g@conan/stable
    License: The current OpenSSL licence is an 'Apache style' license: https://www.openssl.org/source/license.html
zlib/1.2.11@conan/stable
    License: http://www.zlib.net/zlib_license.html

But something like this would be much easier to parse and automate the checks:

$ conan info --profile ci/conan/profiles/linux64-gcc4 OpenSSL/1.1.0g@conan/stable --json
[
  {
    "name": "OpenSSL",
    "version": "1.1.0g",
    "user": "conan",
    "channel": "stable",
    "license": "OpenSSL"
  },
  {
    "name": "zlib",
    "version": "1.2.11",
    "user": "conan",
    "channel": "stable",
    "license": "Zlib"
  }
]
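As an added example (not code from this thread or from Conan itself), a small Python script that consumes a document in the JSON shape proposed just above and performs the user-side check the issue asks for: it accepts both license spellings discussed earlier (prefixed and bare), reports values that are not SPDX identifiers for manual review, and applies a deny list. The SPDX subset, the OSI flags and the sample packages are constructed for the example.

```python
import json

# Constructed subset of the SPDX license list; a real check would load the
# full list (e.g. through the spdx-lookup package mentioned in the thread).
SPDX_IDS = {"Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "MIT", "OpenSSL", "Zlib"}
OSI_APPROVED = SPDX_IDS - {"OpenSSL"}  # the OpenSSL licence is not OSI approved
PREFIX = "SPDX-License-Identifier:"

# Constructed sample in the JSON shape proposed above; the last two entries are
# hypothetical packages carrying a URL and a copyleft licence respectively.
SAMPLE_JSON = json.dumps([
    {"name": "OpenSSL", "version": "1.1.0g", "user": "conan", "channel": "stable",
     "license": "OpenSSL"},
    {"name": "zlib", "version": "1.2.11", "user": "conan", "channel": "stable",
     "license": "SPDX-License-Identifier: Zlib"},
    {"name": "oldlib", "version": "1.0", "user": "conan", "channel": "stable",
     "license": "http://www.zlib.net/zlib_license.html"},
    {"name": "copyleftlib", "version": "2.0", "user": "conan", "channel": "stable",
     "license": "GPL-3.0-only"},
])


def normalize_license(value):
    """Return the SPDX id in a recipe's license string, or None if it is not one.

    Both forms discussed in the thread are accepted: the prefixed
    'SPDX-License-Identifier: Zlib' and the bare 'Zlib'.
    """
    candidate = value.strip()
    if candidate.startswith(PREFIX):
        candidate = candidate[len(PREFIX):].strip()
    return candidate if candidate in SPDX_IDS else None


def check_licenses(json_text, denied=frozenset()):
    """Classify each package of a `conan info --json` document.

    'ok': known id; 'denied': known id on the deny list; 'unknown': free text
    or URL that must be reviewed by hand before the dependency is trusted.
    """
    findings = []
    for pkg in json.loads(json_text):
        ref = f"{pkg['name']}/{pkg['version']}@{pkg['user']}/{pkg['channel']}"
        ident = normalize_license(pkg.get("license", ""))
        status = "unknown" if ident is None else "denied" if ident in denied else "ok"
        findings.append({"ref": ref, "license": ident, "status": status,
                         "osi_approved": ident in OSI_APPROVED})
    return findings
```

In a pipeline the JSON text would come from `conan info --json` and a non-empty set of `denied` or `unknown` findings would fail the build.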

@Aalmann

Aalmann commented Oct 13, 2018

Remark: conan info currently does not respect settings or profiles. You can test it by using --paths in combination with build_type combinations and then check the package_folder output and content.

@Aalmann Aalmann mentioned this issue Oct 13, 2018
@liberforce
Contributor Author

liberforce commented Oct 23, 2018

@Aalmann

For me, conan info respects the settings passed on the command line as well as profiles.
I have a project that has in its conanfile:

    def requirements(self):
        if self.settings.os == 'Windows':
            self.requires('pthreads-win32/2.9.1@sbre/testing')

Conan info is able to get this right using a profile. This is without pthreads-win32, using a linux profile:

conan info -n requires --profile ci/conan/profiles/linux64-gcc4 libqi/1.6.0@sbre/testing
boost/1.64.0@sbre/testing requirement zlib/1.2.11@conan/stable overridden by libqi/1.6.0@sbre/testing to zlib/1.2.8@conan/stable 
OpenSSL/1.1.0g@conan/stable requirement zlib/1.2.11@conan/stable overridden by libqi/1.6.0@sbre/testing to zlib/1.2.8@conan/stable 
OpenSSL/1.1.0g@conan/stable
    Requires:
        zlib/1.2.8@conan/stable
boost/1.64.0@sbre/testing
    Requires:
        bzip2/1.0.6@conan/stable
        zlib/1.2.8@conan/stable
bzip2/1.0.6@conan/stable
gtest/1.8.0@bincrafters/stable
libqi/1.6.0@sbre/testing
    Requires:
        boost/1.64.0@sbre/testing
        gtest/1.8.0@bincrafters/stable
        OpenSSL/1.1.0g@conan/stable
        zlib/1.2.8@conan/stable
zlib/1.2.8@conan/stable

And this is with the Windows profile (pthreads-win is the penultimate line):

conan info -n requires --profile ci/conan/profiles/win64-vs2017 libqi/1.6.0@sbre/testing
boost/1.64.0@sbre/testing requirement zlib/1.2.11@conan/stable overridden by libqi/1.6.0@sbre/testing to zlib/1.2.8@conan/stable 
OpenSSL/1.1.0g@conan/stable requirement zlib/1.2.11@conan/stable overridden by libqi/1.6.0@sbre/testing to zlib/1.2.8@conan/stable 
Downloading conaninfo.txt
[==================================================] 438B/438B        
Downloading conaninfo.txt

Downloading conaninfo.txt
[==================================================] 512B/512B        
Downloading conaninfo.txt
[==================================================] 466B/466B        
Downloading conaninfo.txt
[==================================================] 480B/480B        
OpenSSL/1.1.0g@conan/stable
    Requires:
        zlib/1.2.8@conan/stable
boost/1.64.0@sbre/testing
    Requires:
        bzip2/1.0.6@conan/stable
        zlib/1.2.8@conan/stable
bzip2/1.0.6@conan/stable
gtest/1.8.0@bincrafters/stable
libqi/1.6.0@sbre/testing
    Requires:
        boost/1.64.0@sbre/testing
        gtest/1.8.0@bincrafters/stable
        OpenSSL/1.1.0g@conan/stable
        zlib/1.2.8@conan/stable
        pthreads-win32/2.9.1@sbre/testing
pthreads-win32/2.9.1@sbre/testing
zlib/1.2.8@conan/stable

I'm using Conan 1.8.2, but remember this working the same back in 1.7.x or 1.6.x.

@danimtb
Member

danimtb commented Mar 5, 2019

There is now a SPDX checker hook that has already been merged to the conan-io/hooks repository https://github.com/conan-io/hooks#spdx-checker

It is still very preliminary, but it implements the requested functionality and follows the desired approach for implementation.

Please give it a try and report in the hooks issue tracker and we will be more than willing to improve it! 😄 thanks a lot

@danimtb danimtb closed this as completed Mar 5, 2019