Re: Options for metadata license identifiers
Hi Richard:toggle quoted message Show quoted text
On Thu, Mar 18, 2021, Richard Purdie <richard.purdie@...> wrote:
The worry is something like:FWIW, I have been involved with quite a few license audits for Yocto-
based products and this is already a source of confusion as it is: in
many cases knowing if a license applies to the recipe or to the package
being built by the recipe is far from obvious.
My first reaction and suggestion would be to forego using SPDX-License-
Identifier in recipes and instead to use a new variable in a recipe for
this such as this:
RECIPE_LICENSE = "MIT"
LICENSE = "GPLv2 & bzip2-1.0.4"
And if you need to have a separate license variable for patches:
PATCHES_LICENSE = "MIT"
This would be explicit, clear and nicely integratable in your tooling
IMHO. Ideally of course you'd want the content of these to be valid SPDX
license expressions. Until then I will have to have a mapping and
special detector for  to properly collect normalized SPDX licenses
And FYI while I have your attention:
We are adding support to handle Yocto recipes in ScanCode-toolkit 
and  for license and origin detection. This involves parsing and
"resolving" recipes which is not trivial without running bitbake. This
is done thanks to Konrad Weihmann (in CC:) who kindly extracted his
excellent linting-focused recipe parser in a separate library .
+1 650 799 0949 | pombredanne@...
DejaCode - What's in your code?! - http://www.dejacode.com
AboutCode - Open source for open source - https://www.aboutcode.org
nexB Inc. - http://www.nexb.com