1 |
On Sat, 21 Sep 2019 22:58:03 +0200 |
2 |
Ulrich Mueller <ulm@g.o> wrote: |
3 |
|
4 |
> If the goal of this exercise is to do an audit of ebuilds labelled as |
5 |
> "GPL-2", then a less intrusive approach (which I had already suggested |
6 |
> when this issue had last been discussed) would be to add a comment to |
7 |
> the LICENSE line, either saying "# GPL-2 only" for packages that have |
8 |
> been verified. Or the other way aroung, starting with a comment saying |
9 |
> that it is undecided, which would be removed after an audit. This would |
10 |
> have the advantage not to confuse users, and have no impact on their |
11 |
> ACCEPT_LICENSE settings. (For example, some people exclude AGPL and |
12 |
> would have to add entries for AGPL-3-only.) |
13 |
|
14 |
An adjuct idea: |
15 |
|
16 |
Given things like "License" can get changed by upstream, and is prone |
17 |
to deviating from what we have in the ebuild, and given the only way to |
18 |
automate testing that requires being unable to unpack the archive and |
19 |
grep for various things ... |
20 |
|
21 |
Maybe we instead should be considering a per-package file that |
22 |
indicates some kind of audit trail? |
23 |
|
24 |
< dev-qt/qtwebengine/audit > |
25 |
------------ |
26 |
# audit_ident aduit_param [....] |
27 |
license 2019-09-22 5.12.5 |
28 |
------------ |
29 |
|
30 |
Where for example, the license audit is: |
31 |
|
32 |
@NAME: license |
33 |
@PARAMS: DATE VERSION |
34 |
@DESCRIPTION: |
35 |
Certify a UTC DATE and VERSION used as reference, that you explicitly |
36 |
and intentionally carefully reviewed upstreams sources against |
37 |
the LICENSE field, ensuring you used the appropriate license and |
38 |
combinations, for instance: ensuring you wrote "GPL-2" only when |
39 |
upstreams license clearly omits the "or later" clause, and using |
40 |
"GPL-2+" in where the clause is present. |
41 |
|
42 |
Where you specify the version of the package at the time you carefully |
43 |
audited it last. |
44 |
|
45 |
At least that way, you can automate doing spot checks for license being |
46 |
current and then yell at somebody to re-check it. |
47 |
|
48 |
This seems like a more reliable approach than hoping the right value |
49 |
was used and nothing has changed without anyone noticing in the interim. |
50 |
|
51 |
And this tool could be used to expand the sort of scope of things QA |
52 |
can check for, by ensuring that things that can't be checked |
53 |
automatically, can at least have some sort of record indicating when |
54 |
they were checked last (where git commit log will indicate who |
55 |
performed the check) |
56 |
|
57 |
Though there's lots of bikeshed potential here. |
58 |
|
59 |
Just planting seeds :) |