full REUSE compliance
Thanks to this tool I created especially for this purpose, I have been able to identify the exact provenance of all third party files included in Oniro (upstream repo, commit, path, branch(es)).
(Upon @mrybczyn's suggestion, I also implemented the identification of possible upstream updates on such third party files, which can be useful to reflect such updates - especially security updates - in Oniro.)
Results may be found in this csv report.
Based on such report, I created a .reuse/dep5 file to reach 100% REUSE compliance and to be able, as a consequence, to automatically generate SPDX SBoM for Oniro with REUSE tool (reuse spdx --output FILE).
Discussion points:
- @agherzan @mrybczyn There are some first party files by Oniro WG members (Huawei and Kalpa, see at the end of the dep5 file) for which it would make more sense to add an SPDX header directly into the files themselves. Would that be possible for all files, or do patch files need to be left untouched for... reasons?
- @agherzan @mrybczyn for 3rd party files that have been cherrypicked from upstream, I would use dep5 instead of separate .license files because it allows to add comments to license and copyright information, which in our case is useful (see the discussion with Carlo, now resolved)
- @cpiana there are three corner cases of upstream commits that have been backported as patches; please check if what I put in the dep5 file, lines 138-164, makes sense
Activity
changed milestone to %goofy general availability
- Resolved by Alberto Pianon
added 1 commit
- 92c074dd - Apply Carlo's suggestion on comments about backported patches' copyright
I see how dep5 makes more sense for 3rd party. Besides allowing extra info, it also doesn't touch the upstream files (which is easier to handle when upgrading/dropping). For 1st party, file headers are what I prefer too. The exception is for patch files to avoid breaking the patch format or having to use workarounds in the patch's message.
added 1 commit
- 029e33c6 - move all 1st party license information from dep5 to .license files
marked the checklist item "@agherzan @mrybczyn for 3rd party files that have been cherrypicked from upstream, I would use dep5 instead of separate .license files because it allows to add comments to license and copyright information, which in our case is useful (see the discussion with Carlo, now resolved)" as completed
marked the checklist item "@agherzan @mrybczyn There are some first party files by Oniro WG members (Huawei and Kalpa, see at the end of the dep5 file) for which it would make more sense to add an SPDX header directly into the files themselves. Would that be possible for all files, or do patch files need to be left untouched for... reasons?" as completed