Make simple license mappings more strict #10334
Conversation
| @@ -22,34 +22,8 @@ | |||
| # Sort the entries below via IntelliJ's "Edit" -> "Sort Lines". | |||
| --- | |||
|
|
|||
| # Ambiguous mappings (mapping reason not obvious without additional information) | |||
There was a problem hiding this comment.
As you can see, the new check accurately removes all entries that were already deemed to be ambiguous. Additionally, it removes some entries that probably should have been regarded to be ambiguous in the first place as well.
| @@ -23,41 +23,22 @@ | |||
| --- | |||
|
|
|||
| AFLv2.1: AFL-2.1 | |||
| ALv2: Apache-2.0 | |||
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
sschuberth
force-pushed
the
simple-license-mappings
branch
from
f43a1fa to
b922c7d
Compare
|
@oss-review-toolkit/core-devs I would really like to finally get rid of the ambiguous simple license mappings that we already identified quite some time ago. I have implemented two variants via a check: A lenient and a stricter one. Let's discuss whether we can at least get the lenient check in. To me it's important that the criteria for checking ambiguity are objective and reproducible by tests. |
| @@ -57,6 +57,23 @@ class SpdxSimpleLicenseMappingTest : WordSpec({ | |||
| if (license.id.endsWith("-only")) key should containADigit() | |||
| } | |||
| } | |||
|
|
|||
| "contain equal digits omitting trailing zeros" { | |||
| val exceptions = mapOf( | |||
There was a problem hiding this comment.
There are license IDs which have dates in their identifier, e.g. some LicenseRef-scancode-* licenses.
There may be further cases, where this heuristic fails.
There was a problem hiding this comment.
I'd be fine with adding anything that start with LicenseRef- to the list of exceptions. But we don't have such mappings currently anyway.
| BSD-3: BSD-3-Clause | ||
| BSD2: BSD-2-Clause | ||
| BSD3: BSD-3-Clause | ||
| Bouncy: MIT | ||
| EDL-1.0: BSD-3-Clause | ||
| FreeBSD: BSD-2-Clause-Views | ||
| GPL-2: GPL-2.0-only | ||
| GPL2: GPL-2.0-only |
There was a problem hiding this comment.
I prefer not to remove these entries, but instead separate them.
So, their use can be configured.
There was a problem hiding this comment.
Making simple license mappings configurable is certainly a good idea, but out of scope of this PR. I first like to get the baseline clean.
There was a problem hiding this comment.
Agree with @fviernau we can't remove these declared license mappings - this will cause major service disruption for many ORT users.
There was a problem hiding this comment.
I'm fine with simply dropping this last, stricter commit from the PR. Would that resolve any of your concerns?
There was a problem hiding this comment.
I would propose a splitting out the (not so risky) ambiguous ones and introduce a ambiguousMappingsEnabled configuration option.
There was a problem hiding this comment.
Please, not yet more configuration options 🙄
There was a problem hiding this comment.
I'm dropped top-most commit which removed those entries.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #10334 +/- ##
=========================================
Coverage 56.75% 56.75%
+ Complexity 1644 1642 -2
=========================================
Files 337 337
Lines 12480 12480
Branches 1177 1177
=========================================
Hits 7083 7083
Misses 4945 4945
Partials 452 452
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| BSD-3: BSD-3-Clause | ||
| BSD2: BSD-2-Clause | ||
| BSD3: BSD-3-Clause | ||
| Bouncy: MIT | ||
| EDL-1.0: BSD-3-Clause | ||
| FreeBSD: BSD-2-Clause-Views | ||
| GPL-2: GPL-2.0-only | ||
| GPL2: GPL-2.0-only |
There was a problem hiding this comment.
Agree with @fviernau we can't remove these declared license mappings - this will cause major service disruption for many ORT users.
This comment was marked as resolved.
This comment was marked as resolved.
sschuberth
force-pushed
the
simple-license-mappings
branch
2 times, most recently
from
17fdde3 to
2958258
Compare
sschuberth
force-pushed
the
simple-license-mappings
branch
4 times, most recently
from
13b24d6 to
ddbbfbc
Compare
|
Consider adding information about the breaking change to the commit message and how users can deal with it. |
sschuberth
force-pushed
the
simple-license-mappings
branch
from
ddbbfbc to
ba1a9bf
Compare
I've reworded the commit message. Can we now please move forward with this @oss-review-toolkit/tsc? |
sschuberth
force-pushed
the
simple-license-mappings
branch
from
ba1a9bf to
ba41a24
Compare
…gits In order to remove the already identified ambiguous mappings, stricten the check to require matching digits (disregarding trailing zeros) in keys and values for each mapping. This logic works for all ambiguous mappings except for `ALv2: Apache-2.0`, which is now accepted as being non-ambiguous because "2.0" is reduced to "2" which matches the digit in the key. Additionally, this logic identified 12 previously "Non-ambiguous mappings" to be in fact ambiguous because they have no or too little indication of a version. BREAKING CHANGE: Users who rely on the previous mappings need to create package curations with respective `declaredLicenseMapping`s. Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth
force-pushed
the
simple-license-mappings
branch
from
ba41a24 to
89ebd75
Compare
Please have a look at the individual commit messages for the details.