From mboxrd@z Thu Jan  1 00:00:00 1970
From: Philippe Ombredanne <pombredanne@nexb.com>
Subject: Re: License auditing
Date: Thu, 4 Aug 2016 20:34:43 +0200
Message-ID: <CAOFm3uFOOXt-nRB9d=jJyirjQi4-m_eVTz16S5P8qsFhPxA6Dw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48826)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pombredanne@nexb.com>) id 1bVNUZ-00076F-TS
	for guix-devel@gnu.org; Thu, 04 Aug 2016 14:35:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pombredanne@nexb.com>) id 1bVNUX-0004ue-GZ
	for guix-devel@gnu.org; Thu, 04 Aug 2016 14:35:38 -0400
Received: from mail-it0-x229.google.com ([2607:f8b0:4001:c0b::229]:35483)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pombredanne@nexb.com>) id 1bVNUX-0004uX-AX
	for guix-devel@gnu.org; Thu, 04 Aug 2016 14:35:37 -0400
Received: by mail-it0-x229.google.com with SMTP id u186so3123803ita.0
	for <guix-devel@gnu.org>; Thu, 04 Aug 2016 11:35:37 -0700 (PDT)
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

On Wed, 3 Aug 2016 19:55:11 +0200, Danny Milosavljevic wrote:
> See also <https://spdx.org/licenses/> (especially
> <https://github.com/triplecheck/>),
> <http://www.sciencedirect.com/science/article/pii/S0164121216300905> (also
> lists several license checkers; Fossology seems to be a whole webservice which
> does that).

On Wed, 3 Aug 2016 14:05:06 -0400, Leo Famulari wrote:
> There could also be binaries with no source code, some code with a
> unique license, or countless other ways to confuse a license parser.

On Thu, 4 Aug 2016 00:59:52 +0200, David Craven wrote:
> I found a promising package to help with license auditing. It's not
> perfect judging from the bug reports, but it seems pretty nice. It is
> the only option I found which is intended for scripted usage (has a
> nice cli interface). I'll package it tomorrow. Interesting would be to
> write a plugin for guix to see how it's findings compare to the
> licenses declared in guixsd.
> [0]
> https://github.com/nexB/scancode-toolkit/blob/develop/src/scancode/cli.py#L204


Hello guixers!
Scancode maintainer here.
Scancode detects licenses and more and it tries hard not to get
(too) confused by the countless ways licenses are written or mentioned.

It also does not require any specific install beyond a Python
interpreter and runs from the command line and could come
handy there.

There are bugs but I track these actively and fix them eventually.

I am curious if this breaks a few assumptions in Guix or not:
I vendor all third-parties such that a simple tarball has
everything it needs to run except for a Python interpreter.

But this could be eventually broken down in a python package
and several lib deps to package it in Guix.
See also this conversation with David [1]

PS: I am also one of the SPDX co-founders.

I will be glad to help in any modest way I can.

 [1] https://github.com/nexB/scancode-toolkit/issues/288

-- 
Cordially
Philippe Ombredanne