Re: Options for metadata license identifiers

Philippe Ombredanne

Hi Richard:

On Thu, Mar 18, 2021, Richard Purdie <richard.purdie@...> wrote:
The worry is something like:

# SPDX-License-Identifier: MIT
LICENSE = "GPLv2 & bzip2-1.0.4"

makes for very confusing reading and can be badly interpreted.
FWIW, I have been involved with quite a few license audits for Yocto-
based products and this is already a source of confusion as it is: in
many cases knowing if a license applies to the recipe or to the package
being built by the recipe is far from obvious.

My first reaction and suggestion would be to forego using SPDX-License-
Identifier in recipes and instead to use a new variable in a recipe for
this such as this:

LICENSE = "GPLv2 & bzip2-1.0.4"

And if you need to have a separate license variable for patches:

This would be explicit, clear and nicely integratable in your tooling
IMHO. Ideally of course you'd want the content of these to be valid SPDX
license expressions. Until then I will have to have a mapping and
special detector for [1] to properly collect normalized SPDX licenses
from recipes.

And FYI while I have your attention:

We are adding support to handle Yocto recipes in ScanCode-toolkit [1]
and [2] for license and origin detection. This involves parsing and
"resolving" recipes which is not trivial without running bitbake. This
is done thanks to Konrad Weihmann (in CC:) who kindly extracted his
excellent linting-focused recipe parser in a separate library [3].


Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode - What's in your code?! -
AboutCode - Open source for open source -
nexB Inc. -

Join to automatically receive all group messages.