full REUSE compliance

Merged Alberto Pianon requested to merge ap/reuse2 into kirkstone

Thanks to this tool I created especially for this purpose, I have been able to identify the exact provenance of all third party files included in Oniro (upstream repo, commit, path, branch(es)).

(Upon @mrybczyn's suggestion, I also implemented the identification of possible upstream updates on such third party files, which can be useful to reflect such updates - especially security updates - in Oniro).

Results may be found in this csv report.

Based on such report, I created a .reuse/dep5 file to reach 100% REUSE compliance and to be able, as a consequence, to automatically generate SPDX SBoM for Oniro with REUSE tool (reuse spdx --output FILE).

Discussion points:

  • @agherzan @mrybczyn There are some first party files by Oniro WG members (Huawei and Kalpa, see at the end of the dep5 file) for which it would make more sense to add an SPDX header directly into the files themselves. Would that be possible for all files, or do patch files need to be left untouched for... reasons?
  • @agherzan @mrybczyn for 3rd party files that have been cherry-picked from upstream, I would use dep5 instead of separate .license files because it allows adding comments to license and copyright information, which in our case is useful (see the discussion with Carlo, now resolved)
  • @cpiana there are three corner cases of upstream commits that have been backported as patches; please check if what I put in the dep5 file, lines 138-164, makes sense
Edited by Alberto Pianon

Activity

  • Carlo Piana
  • I've considered the question, I hope I have understood the issue correctly

  • Carlo Piana approved this merge request

  • Alberto Pianon resolved all threads

  • Alberto Pianon added 1 commit

    • 92c074dd - Apply Carlo's suggestion on comments about backported patches' copyright

  • Alberto Pianon changed the description

  • I see how dep5 makes more sense for 3rd party. Besides allowing extra info, it also doesn't touch the upstream files (which is easier to handle when upgrading/dropping). For 1st party, file headers are what I prefer too. The exception is for patch files to avoid breaking the patch format or having to use workarounds in the patch's message.

  • Alberto Pianon added 1 commit

    • 029e33c6 - move all 1st party license information from dep5 to .license files

  • Alberto Pianon added 1 commit

    • 082ed3cb - update REUSE section of CONTRIBUTING.md

  • Alberto Pianon marked the checklist item @agherzan @mrybczyn for 3rd party files that have been cherrypicked from upstream, I would use dep5 instead of separate .license files because it allows to add comments to license and copyright information, which in our case is useful (see the discussion with Carlo, now resolved) as completed

  • Alberto Pianon marked the checklist item @agherzan @mrybczyn There are some first party files by Oniro WG members (Huawei and Kalpa, see at the end of the dep5 file) for which it would make more sense to add an SPDX header directly into the files themselves. Would that be possible for all files, or do patch files need to be left untouched for... reasons? as completed

  • Author Developer

    @agherzan @cpiana

    1. I moved all license information about first party files from dep5 to separate .license files (see 029e33c6)
    2. I updated CONTRIBUTING.md in order to reflect the updated policy about REUSE compliance (see 082ed3cb)

    Please double-check 1 and review 2, thanks :)
