From mboxrd@z Thu Jan  1 00:00:00 1970
From: Philippe Ombredanne <pombredanne@nexb.com>
Subject: Re: License auditing
Date: Thu, 4 Aug 2016 19:41:08 +0200
Message-ID: <CAOFm3uH177X7G6hZ2w+fCTk3cZ1ouSQBH8ScveDNT=caXrbV-g@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39207)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pombredanne@nexb.com>) id 1bVMeW-0003AR-CV
	for guix-devel@gnu.org; Thu, 04 Aug 2016 13:41:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pombredanne@nexb.com>) id 1bVMeU-00016j-AL
	for guix-devel@gnu.org; Thu, 04 Aug 2016 13:41:51 -0400
Received: from mail-io0-x235.google.com ([2607:f8b0:4001:c06::235]:35100)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pombredanne@nexb.com>) id 1bVMeU-00016Z-4Y
	for guix-devel@gnu.org; Thu, 04 Aug 2016 13:41:50 -0400
Received: by mail-io0-x235.google.com with SMTP id m101so277305701ioi.2
	for <guix-devel@gnu.org>; Thu, 04 Aug 2016 10:41:49 -0700 (PDT)
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

On Wed, 3 Aug 2016 19:55:11 +0200, Danny Milosavljevic wrote:
> See also <https://spdx.org/licenses/> (especially
> <https://github.com/triplecheck/>),
> <http://www.sciencedirect.com/science/article/pii/S0164121216300905> (also
> lists several license checkers; Fossology seems to be a whole webservice which
> does that).

On Wed, 3 Aug 2016 14:05:06 -0400, Leo Famulari wrote:
> There could also be binaries with no source code, some code with a
> unique license, or countless other ways to confuse a license parser.

On Thu, 4 Aug 2016 00:59:52 +0200, David Craven wrote:
> I found a promising package to help with license auditing. It's not
> perfect judging from the bug reports, but it seems pretty nice. It is
> the only option I found which is intended for scripted usage (has a
> nice cli interface). I'll package it tomorrow. Interesting would be to
> write a plugin for guix to see how it's findings compare to the
> licenses declared in guixsd.
> [0]
> https://github.com/nexB/scancode-toolkit/blob/develop/src/scancode/cli.py#L204


Hello guixers!
Scancode maintainer here!
Scancode detects licenses and more and it tries hard not to get
confused by the countless
ways licenses are written or mentioned.

It also does not require any specific install beyond a Python
interpreter and runs
from the command line and could come handy there.

There are bugs but I track these actively and fix them eventually!
I am curious if this breaks a few assumptions in Guix or not.
For instance, I vendor all third-parties such that a simple tarball
has everything it
needs to run except for a Python interpreter. But this could be
eventually borken down
in a python package and several lib deps if you want to go this route in Guix.

PS: I am also one of the SPDX co-founders.

I would be glad to help in any way I can.
-- 
Cordially
Philippe Ombredanne