| 1 |
On Sat, 21 Sep 2019 22:58:03 +0200 |
| 2 |
Ulrich Mueller <ulm@g.o> wrote: |
| 3 |
|
| 4 |
> If the goal of this exercise is to do an audit of ebuilds labelled as |
| 5 |
> "GPL-2", then a less intrusive approach (which I had already suggested |
| 6 |
> when this issue had last been discussed) would be to add a comment to |
| 7 |
> the LICENSE line, either saying "# GPL-2 only" for packages that have |
| 8 |
> been verified. Or the other way aroung, starting with a comment saying |
| 9 |
> that it is undecided, which would be removed after an audit. This would |
| 10 |
> have the advantage not to confuse users, and have no impact on their |
| 11 |
> ACCEPT_LICENSE settings. (For example, some people exclude AGPL and |
| 12 |
> would have to add entries for AGPL-3-only.) |
| 13 |
|
| 14 |
An adjuct idea: |
| 15 |
|
| 16 |
Given things like "License" can get changed by upstream, and is prone |
| 17 |
to deviating from what we have in the ebuild, and given the only way to |
| 18 |
automate testing that requires being unable to unpack the archive and |
| 19 |
grep for various things ... |
| 20 |
|
| 21 |
Maybe we instead should be considering a per-package file that |
| 22 |
indicates some kind of audit trail? |
| 23 |
|
| 24 |
< dev-qt/qtwebengine/audit > |
| 25 |
------------ |
| 26 |
# audit_ident aduit_param [....] |
| 27 |
license 2019-09-22 5.12.5 |
| 28 |
------------ |
| 29 |
|
| 30 |
Where for example, the license audit is: |
| 31 |
|
| 32 |
@NAME: license |
| 33 |
@PARAMS: DATE VERSION |
| 34 |
@DESCRIPTION: |
| 35 |
Certify a UTC DATE and VERSION used as reference, that you explicitly |
| 36 |
and intentionally carefully reviewed upstreams sources against |
| 37 |
the LICENSE field, ensuring you used the appropriate license and |
| 38 |
combinations, for instance: ensuring you wrote "GPL-2" only when |
| 39 |
upstreams license clearly omits the "or later" clause, and using |
| 40 |
"GPL-2+" in where the clause is present. |
| 41 |
|
| 42 |
Where you specify the version of the package at the time you carefully |
| 43 |
audited it last. |
| 44 |
|
| 45 |
At least that way, you can automate doing spot checks for license being |
| 46 |
current and then yell at somebody to re-check it. |
| 47 |
|
| 48 |
This seems like a more reliable approach than hoping the right value |
| 49 |
was used and nothing has changed without anyone noticing in the interim. |
| 50 |
|
| 51 |
And this tool could be used to expand the sort of scope of things QA |
| 52 |
can check for, by ensuring that things that can't be checked |
| 53 |
automatically, can at least have some sort of record indicating when |
| 54 |
they were checked last (where git commit log will indicate who |
| 55 |
performed the check) |
| 56 |
|
| 57 |
Though there's lots of bikeshed potential here. |
| 58 |
|
| 59 |
Just planting seeds :) |
Archives