Strict license validation of all incoming packages
Open, High, Public

Description

I want full verification of all incoming packages that they're suitable for inclusion now:

  • All license fields MUST be SPDX compliant records
  • All licenses in the package must be accounted for
  • Missing/incorrect license will NOT be permitted - this must be corrected before package.yml goes in the repos

ARs for Ikey:

  • Create simplistic license validation tool to scan the tarballs and document all license fields.
  • Perform repository-wide validation
  • Create new Conformance tag
ikey claimed this task. Aug 19 2017, 1:45 PM
ikey added a subscriber: ikey.
Herald removed ikey as the assignee of this task. Aug 19 2017, 1:45 PM
ikey edited the task description. Aug 19 2017, 1:48 PM
ikey edited projects, added Platform Integration; removed Lacks Project.
ikey edited the task description.
ikey added a project: Conformance.
ikey triaged this task as "High" priority. Aug 19 2017, 1:54 PM
ikey raised the priority of this task from "High" to "Unbreak Now!". Aug 19 2017, 2:01 PM
ikey claimed this task.

Still you'll need to handle some exceptions for things like the nvidia proprietary drivers.

ikey added a comment. Aug 20 2017, 10:51 AM

@kyrios123 yeah. Perhaps a static set like EULA-NVIDIA


@ikey I found a weird case with expect

Here is the full content of the license file:

Expect

Written by: Don Libes, libes at nist.gov, NIST

Design and implementation of this program was paid for by U.S. tax
dollars. Therefore it is public domain. However, the author and NIST
would appreciate credit if this program or parts of it are used.

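As an added illustration (not the validation tool from this task or any Solus code), the checks listed in the task description applied to a package.yml `license` field: every entry must parse as an SPDX expression whose identifiers are on the list, a static allow-list covers non-SPDX cases like the EULA-NVIDIA idea above, and a notice such as Expect's "public domain" text, which has no SPDX identifier, is rejected. The package.yml key layout, the EULA-NVIDIA name and the small SPDX subset are assumptions.

```python
import re
# Constructed subset of the SPDX license list; a real checker loads the full list.
SPDX_IDS = {"MIT", "Zlib", "Apache-2.0", "GPL-2.0-or-later", "LGPL-2.1-or-later"}
SPDX_EXCEPTIONS = {"GCC-exception-3.1", "Classpath-exception-2.0"}
LOCAL_ALLOWED = {"EULA-NVIDIA"}  # static allow-list for non-SPDX cases (assumed name)
TOKEN_RE = re.compile(r"\(|\)|(?:AND|OR|WITH)(?![\w.+-])|[A-Za-z0-9.+-]+|\S")  # \S: stray char
def _term(tokens, pos, problems):  # term := '(' expr ')' | ID ['WITH' EXCEPTION]
    if pos >= len(tokens) or tokens[pos] in (")", "AND", "OR", "WITH"):
        problems.append("missing operand")
        return pos
    if tokens[pos] == "(":
        pos = _expr(tokens, pos + 1, problems)
        if pos >= len(tokens) or tokens[pos] != ")":
            problems.append("unbalanced parenthesis")
        return pos + 1
    lic = tokens[pos]
    if lic not in SPDX_IDS and lic not in LOCAL_ALLOWED:
        problems.append(f"unknown license id {lic!r}")
    if pos + 1 < len(tokens) and tokens[pos + 1] == "WITH":
        exc = tokens[pos + 2] if pos + 2 < len(tokens) else None
        if exc not in SPDX_EXCEPTIONS:
            problems.append(f"unknown exception {exc!r}")
        return pos + 3
    return pos + 1

def _expr(tokens, pos, problems):  # expr := term ((AND | OR) term)*
    pos = _term(tokens, pos, problems)
    while pos < len(tokens) and tokens[pos] in ("AND", "OR"):
        pos = _term(tokens, pos + 1, problems)
    return pos

def validate_expression(expr):
    """Return the problems found in one SPDX expression; [] means it is valid."""
    problems, tokens = [], TOKEN_RE.findall(expr)
    end = _expr(tokens, 0, problems)
    if end < len(tokens):
        problems.append(f"unexpected token {tokens[end]!r}")
    return problems

def validate_package_yml(text):
    """Map each failing `license` entry (scalar or list form) to its problems."""
    m = re.search(r"^license\s*:[ \t]*(.*)((?:\n[ \t]+-.*)*)", text, re.M)
    if not m:
        return {"<missing>": ["license field absent"]}
    scalar = m.group(1).strip()
    entries = [scalar] if scalar else re.findall(r"^[ \t]+-[ \t]*(.+)$", m.group(2), re.M)
    return {e: p for e in entries if (p := validate_expression(e))}
# Constructed package.yml fragments (key layout assumed from Solus packaging).
GOOD_YML = "name : expect\nlicense :\n    - MIT\n    - GPL-2.0-or-later WITH GCC-exception-3.1\n"
BAD_YML = "name : expect\nlicense : Public-Domain AND (MIT OR\n"
```

`validate_package_yml(BAD_YML)` reports the unknown `Public-Domain` id together with the dangling `OR` and the unclosed parenthesis, which is the "must be corrected before package.yml goes in" outcome the task asks for.
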
ikey added a comment. Sep 2 2017, 6:13 PM

That is super cranky.

ikey lowered the priority of this task from "Unbreak Now!" to "High". Sep 11 2017, 2:36 PM

OK I'm downing this to high for now because $ongoingShit