full REUSE compliance
Thanks to this tool I created especially for this purpose, I have been able to identify the exact provenance of all third party files included in Oniro (upstream repo, commit, path, branch(es)).
(Upon @mrybczyn 's suggestion, I also implemented the identification of possible upstream updates on such third party files, which can be useful to reflect such updates - especially security updates - in Oniro).
Results may be found in this csv report.
Based on such report, I created a .reuse/dep5 file to reach 100% REUSE compliance and to be able, as a consequence, to automatically generate SPDX SBoM for Oniro with REUSE tool (reuse spdx --output FILE).
Discussion points:
-
@agherzan @mrybczyn There are some first party files by Oniro WG members (Huawei and Kalpa, see at the end of the dep5 file) for which it would make more sense to add an SPDX header directly into the files themselves. Would that be possible for all files, or do patch files need to be left untouched for... reasons? -
@agherzan @mrybczyn for 3rd party files that have been cherrypicked from upstream, I would use dep5 instead of separate .licensefiles because it allows to add comments to license and copyright information, which in our case is useful (see the discussion with Carlo, now resolved) -
@cpiana there are three corner cases of upstream commits that have been backported as patches; please check if what I put in the dep5 file, lines 138-164, makes sense