https://wiki.osselot.org/api.php?action=feedcontributions&feedformat=atom&user=CkresseOSSelot - User contributions [en]2026-05-18T06:56:04ZUser contributionsMediaWiki 1.40.0https://wiki.osselot.org/index.php?title=Curation_guideline&diff=259Curation guideline2026-03-23T07:43:00Z<p>Ckresse: Adapt to consider new FOSSology version and Github actions</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
* Set line break to 80 characters for license texts (please note: Not for the entire SPDX file, as this will break checksums and render an invalid SPDX report)<br />
* Remove empty lines. <br />
<br />
* Only required for FOSSology versions 4.2 or lower:<br />
** For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
** For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* (Not required for FOSSology versions 4.3 or higher) If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: In cases where more than two licenses are involved, manual post-processing is required. Remove "LicenseRef-Dual-license" and correct AND operator to the correct SPDX license expression (e.g. LicenseA AND LicenseB AND LicenseC AND LicenseRef-Dual-license → (LicenseA OR LicenseB) AND LicenseC). Be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR).<br />
* As the SPDX standard does not contain template license texts but the OSSelot variant does, we need to add the prefix "LicenseRef-" to all license IDs that do not yet carry it to obtain a valid SPDX document. See patch in [[FOSSology#Customization]]. From FOSSology 4.6 and higher, this is included when selecting the report setting "Enable OSSelot export" for the SPDX report.<br />
<br />
The SPDX tag:value file should be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools], however, the report will also be validated on merge into the Github repository. The conversion to spdx.json, spdx.rdf.xml, spdx.yaml formats will also be automatically done at merge.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=FOSSology&diff=229FOSSology2024-01-19T10:21:43Z<p>Ckresse: /* Customization */ : Add note on patch offset</p>
<hr />
<div>==Installation==<br />
The Fossology software can be downloaded from the [https://www.fossology.org/ project's home page].<br />
==Manual addition of [[Scancode]]==<br />
In addition to the default installation, the [[Scancode]] Open Source scan tool should be installed, and an interface from the FOSSology instance to it should be configured. The rationale behind the recommendation to use a certain variety of scanners is that each scanner has its own strengths and weaknesses and by combining the individual scan findings, the overall result can be optimized.<br />
<br />
== Customization ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given. In order to achieve this while ensuring the SPDX file can be valid, we have patched our Fossology installation to add the "LicenseRef-" prefix to all license identifiers. In our Fossology installation (version 4.1.0.95), the patch directory is /usr/local/share/fossology/patches and the patch list-all-license-texts-in-spdxtv-export.patch looks as follows:<syntaxhighlight lang="diff"><br />
Index: fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2-document.xml.twig<br />
+++ fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
@@ -21,7 +21,7 @@<br />
<rdfs:comment><br />
This document was created using license information and a generator from Fossology.<br />
</rdfs:comment><br />
- {% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+ {% for licenseId,licenseData in licenseTexts %}<br />
<spdx:hasExtractedLicensingInfo><br />
{% if licenseId starts with 'LicenseRef-' %}<br />
<spdx:ExtractedLicensingInfo rdf:about="{{ uri }}#{{ licenseId|replace({' ': '-'})|url_encode }}"><br />
@@ -36,7 +36,7 @@<br />
]]></spdx:extractedText><br />
</spdx:ExtractedLicensingInfo><br />
</spdx:hasExtractedLicensingInfo><br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
{{ packageNodes|replace({'\n':'\n '}) }}<br />
</spdx:SpdxDocument><br />
</rdf:RDF><br />
<br />
Index: fossology/spdx2/agent/template/spdx2tv-document.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2tv-document.twig<br />
+++ fossology/spdx2/agent/template/spdx2tv-document.twig<br />
@@ -40,10 +40,10 @@ LicenseListVersion: 2.6<br />
## License Information<br />
##-------------------------<br />
<br />
-{% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+{% for licenseId,licenseData in licenseTexts %}<br />
LicenseID: {{ licenseId|replace({' ': '-'}) }}<br />
LicenseName: {{ licenseData['name'] }}<br />
ExtractedText: <text> {{ licenseData['text']|replace({'<text>':'&lt;text&gt;','</text>':'&lt;/text&gt;'})<br />
|replace({'\f':''}) }} </text><br />
<br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
</syntaxhighlight><br />
<br />
For newer Fossology versions, there might be a slight offset when applying the patch.<br />
<br />
==Community server==<br />
The reference community FOSSology server <i>[https://fossy.osadl.org Fossy]</i> is available on the Internet and internally used for primary curation and review; however, it is not publicly available. Future contributors may be granted login to the <i>Fossy</i> server after they successfully underwent <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> curators' training.<br />
<br />
==Basic workflow==<br />
The basic workflow for clearing a package with Fossology is given on the [https://www.fossology.org/get-started/basic-workflow/ Fossology project page].</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=228Curation guideline2024-01-09T11:10:47Z<p>Ckresse: /* Post-processing */ : Layout hints</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
* Set line break to 80 characters.<br />
* Remove empty lines. <br />
<br />
* Only required for FOSSology versions 4.2 or lower:<br />
** For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
** For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* (Not required for FOSSology versions 4.3 or higher) If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR). For only two licenses, this is not required for FOSSology versions 4.3 or higher, but for three or more licenses, manual editing is still necessary.<br />
* As the SPDX standard does not contain template license texts but the OSSelot variant does, we need to add the prefix "LicenseRef-" to all license IDs that do not yet carry it to obtain a valid SPDX document. See patch in [[FOSSology#Customization]].<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.json, spdx.rdf.xml, spdx.yaml formats.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
* SPDX tag:value file<br />
* SPDX json file<br />
* SPDX rdf.xml file<br />
* SPDX yaml file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=227Curation guideline2024-01-09T10:14:55Z<p>Ckresse: /* SPDX tag:value report */ : Fix wikilink to patch</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
(Not required for FOSSology versions 4.3 or higher.)<br />
* For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
* For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* (Not required for FOSSology versions 4.3 or higher) If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR). For only two licenses, this is not required for FOSSology versions 4.3 or higher, but for three or more licenses, manual editing is still necessary.<br />
* As the SPDX standard does not contain template license texts but the OSSelot variant does, we need to add the prefix "LicenseRef-" to all license IDs that do not yet carry it to obtain a valid SPDX document. See patch in [[FOSSology#Customization]].<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.json, spdx.rdf.xml, spdx.yaml formats.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
* SPDX tag:value file<br />
* SPDX json file<br />
* SPDX rdf.xml file<br />
* SPDX yaml file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=FOSSology&diff=226FOSSology2024-01-09T10:12:11Z<p>Ckresse: /* Customization */: Remove anchor</p>
<hr />
<div>==Installation==<br />
The Fossology software can be downloaded from the [https://www.fossology.org/ project's home page].<br />
==Manual addition of [[Scancode]]==<br />
In addition to the default installation, the [[Scancode]] Open Source scan tool should be installed, and an interface from the FOSSology instance to it should be configured. The rationale behind the recommendation to use a certain variety of scanners is that each scanner has its own strengths and weaknesses and by combining the individual scan findings, the overall result can be optimized.<br />
<br />
== Customization ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given. In order to achieve this while ensuring the SPDX file can be valid, we have patched our Fossology installation to add the "LicenseRef-" prefix to all license identifiers. In our Fossology installation, the patch directory is /usr/local/share/fossology/patches and the patch list-all-license-texts-in-spdxtv-export.patch looks as follows:<syntaxhighlight lang="diff"><br />
Index: fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2-document.xml.twig<br />
+++ fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
@@ -21,7 +21,7 @@<br />
<rdfs:comment><br />
This document was created using license information and a generator from Fossology.<br />
</rdfs:comment><br />
- {% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+ {% for licenseId,licenseData in licenseTexts %}<br />
<spdx:hasExtractedLicensingInfo><br />
{% if licenseId starts with 'LicenseRef-' %}<br />
<spdx:ExtractedLicensingInfo rdf:about="{{ uri }}#{{ licenseId|replace({' ': '-'})|url_encode }}"><br />
@@ -36,7 +36,7 @@<br />
]]></spdx:extractedText><br />
</spdx:ExtractedLicensingInfo><br />
</spdx:hasExtractedLicensingInfo><br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
{{ packageNodes|replace({'\n':'\n '}) }}<br />
</spdx:SpdxDocument><br />
</rdf:RDF><br />
<br />
Index: fossology/spdx2/agent/template/spdx2tv-document.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2tv-document.twig<br />
+++ fossology/spdx2/agent/template/spdx2tv-document.twig<br />
@@ -40,10 +40,10 @@ LicenseListVersion: 2.6<br />
## License Information<br />
##-------------------------<br />
<br />
-{% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+{% for licenseId,licenseData in licenseTexts %}<br />
LicenseID: {{ licenseId|replace({' ': '-'}) }}<br />
LicenseName: {{ licenseData['name'] }}<br />
ExtractedText: <text> {{ licenseData['text']|replace({'<text>':'&lt;text&gt;','</text>':'&lt;/text&gt;'})<br />
|replace({'\f':''}) }} </text><br />
<br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
</syntaxhighlight><br />
<br />
==Community server==<br />
The reference community FOSSology server <i>[https://fossy.osadl.org Fossy]</i> is available on the Internet and internally used for primary curation and review; however, it is not publicly available. Future contributors may be granted login to the <i>Fossy</i> server after they successfully underwent <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> curators' training.<br />
<br />
==Basic workflow==<br />
The basic workflow for clearing a package with Fossology is given on the [https://www.fossology.org/get-started/basic-workflow/ Fossology project page].</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=225Curation guideline2024-01-09T10:09:50Z<p>Ckresse: /* SPDX tag:value report */: Add version variants</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
(Not required for FOSSology versions 4.3 or higher.)<br />
* For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
* For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* (Not required for FOSSology versions 4.3 or higher) If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR). For only two licenses, this is not required for FOSSology versions 4.3 or higher, but for three or more licenses, manual editing is still necessary.<br />
* As the SPDX standard does not contain template license texts but the OSSelot variant does, we need to add the prefix "LicenseRef-" to all license IDs that do not yet carry it to obtain a valid SPDX document. See patch in [[fossypatch|FOSSology:Customization]].<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.json, spdx.rdf.xml, spdx.yaml formats.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
* SPDX tag:value file<br />
* SPDX json file<br />
* SPDX rdf.xml file<br />
* SPDX yaml file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=FOSSology&diff=224FOSSology2024-01-09T10:08:22Z<p>Ckresse: Add anchor to /* Customization */</p>
<hr />
<div>==Installation==<br />
The Fossology software can be downloaded from the [https://www.fossology.org/ project's home page].<br />
==Manual addition of [[Scancode]]==<br />
In addition to the default installation, the [[Scancode]] Open Source scan tool should be installed, and an interface from the FOSSology instance to it should be configured. The rationale behind the recommendation to use a certain variety of scanners is that each scanner has its own strengths and weaknesses and by combining the individual scan findings, the overall result can be optimized.<br />
<br />
== <div id="fossypatch">Customization</div> ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given. In order to achieve this while ensuring the SPDX file can be valid, we have patched our Fossology installation to add the "LicenseRef-" prefix to all license identifiers. In our Fossology installation, the patch directory is /usr/local/share/fossology/patches and the patch list-all-license-texts-in-spdxtv-export.patch looks as follows:<syntaxhighlight lang="diff"><br />
Index: fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2-document.xml.twig<br />
+++ fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
@@ -21,7 +21,7 @@<br />
<rdfs:comment><br />
This document was created using license information and a generator from Fossology.<br />
</rdfs:comment><br />
- {% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+ {% for licenseId,licenseData in licenseTexts %}<br />
<spdx:hasExtractedLicensingInfo><br />
{% if licenseId starts with 'LicenseRef-' %}<br />
<spdx:ExtractedLicensingInfo rdf:about="{{ uri }}#{{ licenseId|replace({' ': '-'})|url_encode }}"><br />
@@ -36,7 +36,7 @@<br />
]]></spdx:extractedText><br />
</spdx:ExtractedLicensingInfo><br />
</spdx:hasExtractedLicensingInfo><br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
{{ packageNodes|replace({'\n':'\n '}) }}<br />
</spdx:SpdxDocument><br />
</rdf:RDF><br />
<br />
Index: fossology/spdx2/agent/template/spdx2tv-document.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2tv-document.twig<br />
+++ fossology/spdx2/agent/template/spdx2tv-document.twig<br />
@@ -40,10 +40,10 @@ LicenseListVersion: 2.6<br />
## License Information<br />
##-------------------------<br />
<br />
-{% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+{% for licenseId,licenseData in licenseTexts %}<br />
LicenseID: {{ licenseId|replace({' ': '-'}) }}<br />
LicenseName: {{ licenseData['name'] }}<br />
ExtractedText: <text> {{ licenseData['text']|replace({'<text>':'&lt;text&gt;','</text>':'&lt;/text&gt;'})<br />
|replace({'\f':''}) }} </text><br />
<br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
</syntaxhighlight><br />
<br />
==Community server==<br />
The reference community FOSSology server <i>[https://fossy.osadl.org Fossy]</i> is available on the Internet and internally used for primary curation and review; however, it is not publicly available. Future contributors may be granted login to the <i>Fossy</i> server after they successfully underwent <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> curators' training.<br />
<br />
==Basic workflow==<br />
The basic workflow for clearing a package with Fossology is given on the [https://www.fossology.org/get-started/basic-workflow/ Fossology project page].</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=223Curation guideline2024-01-09T09:59:25Z<p>Ckresse: Version update</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
(Not required for FOSSology versions 4.3 or higher.)<br />
* For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
* For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR).<br />
* As the SPDX standard does not contain template license texts but the OSSelot variant does, we need to add the prefix "LicenseRef-" to all license IDs that do not yet carry it to obtain a valid SPDX document.<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.json, spdx.rdf.xml, spdx.yaml formats.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
* SPDX tag:value file<br />
* SPDX json file<br />
* SPDX rdf.xml file<br />
* SPDX yaml file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=222Curation guideline2023-11-06T10:43:15Z<p>Ckresse: /* SPDX tag:value report */</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
* For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
* For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">OSSelot</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR).<br />
* As the SPDX standard does not contain template license texts but the OSSelot variant does, we need to add the prefix "LicenseRef-" to all license IDs that do not yet carry it to obtain a valid SPDX document.<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.json, spdx.rdf.xml, spdx.yaml formats.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
* SPDX tag:value file<br />
* SPDX json file<br />
* SPDX rdf.xml file<br />
* SPDX yaml file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=FOSSology&diff=166FOSSology2023-09-19T07:32:08Z<p>Ckresse: Add link to basic workflow</p>
<hr />
<div>==Installation==<br />
The Fossology software can be downloaded from the [https://www.fossology.org/ project's home page].<br />
==Manual addition of [[Scancode]]==<br />
In addition to the default installation, the [[Scancode]] Open Source scan tool should be installed, and an interface from the FOSSology instance to it should be configured. The rationale behind the recommendation to use a certain variety of scanners is that each scanner has its own strengths and weaknesses and by combining the individual scan findings, the overall result can be optimized.<br />
<br />
== Customization ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given. In order to achieve this while ensuring the SPDX file can be valid, we have patched our Fossology installation to add the "LicenseRef-" prefix to all license identifiers. In our Fossology installation, the patch directory is /usr/local/share/fossology/patches and the patch list-all-license-texts-in-spdxtv-export.patch looks as follows:<syntaxhighlight lang="diff"><br />
Index: fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2-document.xml.twig<br />
+++ fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
@@ -21,7 +21,7 @@<br />
<rdfs:comment><br />
This document was created using license information and a generator from Fossology.<br />
</rdfs:comment><br />
- {% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+ {% for licenseId,licenseData in licenseTexts %}<br />
<spdx:hasExtractedLicensingInfo><br />
{% if licenseId starts with 'LicenseRef-' %}<br />
<spdx:ExtractedLicensingInfo rdf:about="{{ uri }}#{{ licenseId|replace({' ': '-'})|url_encode }}"><br />
@@ -36,7 +36,7 @@<br />
]]></spdx:extractedText><br />
</spdx:ExtractedLicensingInfo><br />
</spdx:hasExtractedLicensingInfo><br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
{{ packageNodes|replace({'\n':'\n '}) }}<br />
</spdx:SpdxDocument><br />
</rdf:RDF><br />
<br />
Index: fossology/spdx2/agent/template/spdx2tv-document.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2tv-document.twig<br />
+++ fossology/spdx2/agent/template/spdx2tv-document.twig<br />
@@ -40,10 +40,10 @@ LicenseListVersion: 2.6<br />
## License Information<br />
##-------------------------<br />
<br />
-{% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+{% for licenseId,licenseData in licenseTexts %}<br />
LicenseID: {{ licenseId|replace({' ': '-'}) }}<br />
LicenseName: {{ licenseData['name'] }}<br />
ExtractedText: <text> {{ licenseData['text']|replace({'<text>':'&lt;text&gt;','</text>':'&lt;/text&gt;'})<br />
|replace({'\f':''}) }} </text><br />
<br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
</syntaxhighlight><br />
<br />
==Community server==<br />
The reference community FOSSology server <i>[https://fossy.osadl.org Fossy]</i> is available on the Internet and internally used for primary curation and review; however, it is not publicly available. Future contributors may be granted login to the <i>Fossy</i> server after they successfully underwent <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> curators' training.<br />
<br />
==Basic workflow==<br />
The basic workflow for clearing a package with Fossology is given on the [https://www.fossology.org/get-started/basic-workflow/ Fossology project page].</div>Ckressehttps://wiki.osselot.org/index.php?title=Scancode&diff=165Scancode2023-09-14T15:07:42Z<p>Ckresse: Add Osselot conventions</p>
<hr />
<div>==Installation==<br />
The Scancode toolkit can be downloaded from the [https://github.com/nexB/scancode-toolkit/releases/latest related Github repository]. The landing page of the company behind Scancode is [https://www.nexb.com/scancode/ here].<br />
==Documentation==<br />
Online documentation of the Scancode toolkit is available [https://scancode-toolkit.readthedocs.io/en/stable/ here].<br />
==Scancode conventions of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project ==<br />
Default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=164Curation guideline2023-09-14T15:07:15Z<p>Ckresse: </p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text -json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
* For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
* For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR).<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.json, spdx.rdf.xml, spdx.yaml formats.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
* SPDX tag:value file<br />
* SPDX json file<br />
* SPDX rdf.xml file<br />
* SPDX yaml file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=Main_Page&diff=161Main Page2023-08-03T08:57:17Z<p>Ckresse: Add "SPDX2TV template" introduction</p>
<hr />
<div>__NOTOC__<br />
== Welcome to the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> Wiki! ==<br />
<br />
This Wiki was created to facilitate day-to-day work with the resources of the [https://www.osselot.org <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project], especially when accessing them in batch mode, e.g. as part of a software release build.<br />
<br />
==[[Search]] for a package==<br />
[[Search|Find out]] whether a particular version of a software package is supported by <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> and has already been curated. A particular Web script is provided for this purpose, and an interactive Web interface is available to test and use this feature.<br />
<br />
==Obtain [[Disclosure_files|disclosure files]]==<br />
A shell script is provided to encapsulate the [[Search|Web search script]] and obtain the related disclosure files. Another interactive Web interface is available to test and use this feature.<br />
<br />
==Obtain [[Licenses|licensing information]]== <br />
Another Web script is available that also encapsulates the internal algorithm of the [[Search|Web search script]], but then generates a list of licenses that are used in a given software package. The script accepts as argument either a package name or a package name along with a version. In the former case the licenses of all available versions are listed, whereas in the latter the output is restricted to the specified version.<br />
<br />
==Obtain curation data in various format using a [[REST]] interface== <br />
The entire curation data of a software package can be retrieved in [[JSON]] format, curation data of a particular version can be retrieved in [[RDF-XML]], [[SPDX2TV]] or [[YAML]] format.<br />
<br />
==Reuse existing material in case of version mismatch==<br />
If a particular version of a software package has not been curated before, but another one that may be close to it has, then FOSSology's reuse feature can be applied. Details are given in the presentation and video material on the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> home page: Please check out [https://www.osselot.org/index.php?s=presentations "Use case 2" at the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> presentations].<br />
<br />
==Contributing to the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project==<br />
How to contribute to the project if a package that is not yet included with <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> has been externally curated? Contributions are greatly appreciated, and therefore we would like to encourage as many users as possible to contribute. The more versions of more packages that are curated, the more beneficial the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project will be. However, to maintain confidence in the material, a rigorous vetting process was instituted. Volunteers are asked to first contact the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> Officer via [mailto:office@osadl.org?subject=OSSelot-volunteer email]. The easiest next step is then probably to arrange a video conference, get to know each other, and understand the basic principles of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> curation process. From that moment, new software packages can be curated and provided in the fork tree. The maintainer will then review the newly provided curation data in close collaboration with the contributor, and once the review is successful, the new curation data will be included and made publicly available through the repository. The contributor's and reviewer's names will be indicated in the README file of the package.<br />
<br />
==Best practices==<br />
====[[Curation guideline|How to curate data]]====<br />
High-quality curation data are the cornerstone of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project. To ensure that this quality is maintained, every contribution is thoroughly reviewed and only curators with sufficient expertise in FOSS licensing contribute to the database. A [[curation guideline]] on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project is given here to ensure consistency.<br />
<br />
==== [[SPDX2TV template]] ====<br />
To avoid misunderstandings when exchanging SPDX files, an SPDX tag:value template is given [[SPDX2TV template|here]]. This shows which tags are used in the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project and how they are interpreted.<br />
<br />
====[[FOSSology]]====<br />
In order to use the [[FOSSology]] Open Source curation administration tool in connection with the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project (when re-using the data and also when contributing to the project), a number of conventions should be observed.<br />
====[[Scancode]]====<br />
Normally, the [[Scancode]] Open Source scanning tool is used under the control of [[FOSSology]] in this project; however, to fine-tune or confirm the results it may be necessary to run the tool separately from command line. If this is done, the command line options should match the conventions of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project.</div>Ckressehttps://wiki.osselot.org/index.php?title=SPDX2TV_template&diff=160SPDX2TV template2023-08-03T08:52:21Z<p>Ckresse: Add SPDX2TV template</p>
<hr />
<div><syntaxhighlight lang="text"><br />
SPDXVersion: SPDX-2.2<br />
DataLicense: CC0-1.0<br />
<br />
##-------------------------<br />
## Document Information<br />
##-------------------------<br />
<br />
DocumentNamespace: URL (NOT USED)<br />
DocumentName: /srv/fossology/repository/report (NOT USED)<br />
SPDXID: SPDXRef-DOCUMENT (NOT USED)<br />
<br />
##-------------------------<br />
## Creation Information<br />
##-------------------------<br />
<br />
Creator: Tool: spdx2<br />
Creator: Person: NAME OF CREATOR<br />
CreatorComment: <text><br />
This document was created using license information and a generator from Fossology.<br />
It contains the license and copyright analysis of PACKAGE<br />
Please check "LicenseComments" for explanations of concluded licenses.<br />
</text><br />
Created: DATE<br />
LicenseListVersion: 2.6<br />
<br />
##-------------------------<br />
## Package Information<br />
##-------------------------<br />
<br />
<br />
PackageName: PACKAGE NAME<br />
PackageFileName: PACKAGE FILE NAME<br />
SPDXID: SPDXRef-upload[NUMBER] (NOT USED)<br />
PackageDownloadLocation: NOASSERTION (NOT USED)<br />
PackageVerificationCode: VERIFICATION CODE (NOT USED)<br />
PackageChecksum: SHA1: CHECKSUM<br />
PackageChecksum: SHA256: CHECKSUM<br />
PackageChecksum: MD5: CHECKSUM<br />
PackageLicenseConcluded: NOASSERTION (NOT USED)<br />
PackageLicenseDeclared: MAIN LICENSE AS GIVEN IN LICENSE / COPYING FILE IN ROOT DIRECTORY IF APPLICABLE<br />
PackageLicenseComments: <text> licenseInfoInFile determined by Scanners:<br />
- nomos ("4.1.0.95".82b3b2)<br />
- monk ("4.1.0.95".82b3b2)<br />
- ojo ("4.1.0.95".82b3b2) </text><br />
PackageLicenseInfoFromFiles: NOASSERTION (NOT USED)<br />
PackageCopyrightText: AUTHORS OF THANKS OR AUTHORS FILE IF APPLICABLE<br />
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-upload[NUMBER]<br />
<br />
<br />
##--------------------------<br />
## File Information<br />
##--------------------------<br />
<br />
##File<br />
<br />
FileName: FULL PATH OF FILE<br />
SPDXID: SPDXRef-item[NUMBER]<br />
FileChecksum: SHA1: CHECKSUM<br />
FileChecksum: SHA256: CHECKSUM<br />
FileChecksum: MD5: CHECKSUM<br />
LicenseConcluded: CURATED LICENSE ID<br />
LicenseComments: <text>EXPLANATION OF DECISION IF APPLICABLE</text><br />
LicenseInfoInFile: SCANNER RESULT<br />
FileCopyrightText: <text> COPYRIGHT NOTICE </text><br />
<br />
<br />
##-------------------------<br />
## License Information<br />
##-------------------------<br />
<br />
LicenseID: LICENSE ID<br />
LicenseName: LICENSE NAME<br />
ExtractedText: <text> LICENSE TEXT </text><br />
</syntaxhighlight></div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=159Curation guideline2023-08-03T08:50:11Z<p>Ckresse: Add "Contribution" and "Contact" sections.</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text –json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
* For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
* For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR).<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.json, spdx.rdf.xml, spdx.yaml formats.<br />
<br />
== Contribution ==<br />
The contribution of a newly curated package must contain the following artifacts:<br />
* README with download URL, purl, creator name<br />
* OSS disclosure file<br />
* SPDX tag:value file<br />
* SPDX json file<br />
* SPDX rdf.xml file<br />
* SPDX yaml file<br />
<br />
To contribute, the repository [https://github.com/Open-Source-Compliance/package-analysis https://github.com/Open-Source-Compliance/package-analysis] must be forked and a pull request must be created.<br />
* The Contribution must be licensed under CC0-1.0.<br />
* The pull request must contain a "Signed-off-by: [Name] <Email>" statement to indicate acceptance of the [https://github.com/Open-Source-Compliance/package-analysis/blob/main/CONTRIBUTING.md Certificate of Origin].<br />
* The contribution will be reviewed. If changes are required, we kindly ask the contributor to be persistent and resubmit the reworked contribution. When it is accepted, the artifacts will be published.<br />
<br />
== Contact ==<br />
Please direct any questions or remarks to [mailto:info@osselot.org info@osselot.org]. We will be happy to help.</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=158Curation guideline2023-08-03T08:40:50Z<p>Ckresse: Add "Report export and post-processing" section</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text –json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).<br />
<br />
== Report export and post-processing ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given.<br />
* '''fossy:''' In order to achieve this while ensuring the SPDX file can be valid, we have patched our [[FOSSology|Fossology]] installation to add the "LicenseRef-" prefix to all license identifiers. For details, see the article on [[FOSSology|Fossology]].<br />
<br />
=== Export reports ===<br />
When all license information and copyright statements of the entire package are curated, the result is exported as SPDX tag:value and OSS Disclosure files.<br />
* '''fossy:''' The [[FOSSology|Fossology]] settings for report generation must be changed for every new package. Go to ''Conf → SPDX Report Settings'', select "Show SPDX license comments" and submit the change.<br />
* '''fossy:''' Export SPDX tag:value report.<br />
* '''fossy:''' Export ReadMe_OSS (OSS disclosure report).<br />
<br />
=== Post-processing ===<br />
Some post-processing operations on the SPDX tag:value and the OSS disclosure reports are required. At least some of these operations can be easily scripted.<br />
* Rename files to fit naming convention<br />
** SPDX tag:value report: [package name]-[version number]-SPDX2TV.spdx, e.g. angular-15.1.0-SPDX2TV.spdx.<br />
** OSS disclosure file: [package name]-[version number]-OSS-disclosure.txt, e.g. angular-15.1.0-OSS-disclosure.txt.<br />
<br />
==== Both reports ====<br />
* For "or later" license references, replace "+" with "-or-later", e.g. GPL-2.0+ → GPL-2.0-or-later.<br />
* For GNU licenses without "or later" extension, add "-only", e.g. GPL-2.0 → GPL-2.0-only.<br />
==== OSS disclosure report ====<br />
* Remove headings "Main license" and "Other licenses", and replace by heading "Licenses".<br />
==== SPDX tag:value report ====<br />
To see how the SPDX tag:value file is generally used in <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> have a look at the [[SPDX2TV template|SPDX2TV template]].<br />
<br />
The following tags must be edited:<br />
* ''Creator: Person:'' [name of creator]<br />
* ''CreatorComment:'' <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of [package]. Please check "LicenseComments" for explanations of concluded licenses.</text><br />
* ''PackageLicenseConcluded:'' NOASSERTION<br />
* If main license is not a template license text, add correct customized license reference to ''PackageLicenseDeclared''.<br />
* Dual licensing conclusions: Remove "LicenseRef-Dual-license" and correct AND operator to OR (e.g. LicenseA AND LicenseB AND LicenseRef-Dual-license → LicenseA OR LicenseB). If there is dual licensing and multiple licenses, be aware of the SPDX operator hierarchy (default order of precedence: WITH, AND, OR).<br />
<br />
The SPDX tag:value file must be validated either with the [https://tools.spdx.org/app/ SPDX online tools] or with the [https://github.com/spdx/tools-java CLI tools]. When the SPDX tag:value file is valid, convert to spdx.rdf.xml, spdx.json, spdx.yaml formats.</div>Ckressehttps://wiki.osselot.org/index.php?title=FOSSology&diff=157FOSSology2023-08-03T08:02:56Z<p>Ckresse: Add License-Ref patch</p>
<hr />
<div>==Installation==<br />
The Fossology software can be downloaded from the [https://www.fossology.org/ project's home page].<br />
==Manual addition of [[Scancode]]==<br />
In addition to the default installation, the [[Scancode]] Open Source scan tool should be installed, and an interface from the FOSSology instance to it should be configured. The rationale behind the recommendation to use a certain variety of scanners is that each scanner has its own strengths and weaknesses and by combining the individual scan findings, the overall result can be optimized.<br />
<br />
== Customization ==<br />
In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the [https://spdx.org/licenses SPDX License List] are prefixed by "LicenseRef-", and in the section "License information" of the SPDX tag:value file, the full license text is given. Licenses with standard texts according to the [https://spdx.org/licenses SPDX License List] do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file. For the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given. In order to achieve this while ensuring the SPDX file can be valid, we have patched our Fossology installation to add the "LicenseRef-" prefix to all license identifiers. In our Fossology installation, the patch directory is /usr/local/share/fossology/patches and the patch list-all-license-texts-in-spdxtv-export.patch looks as follows:<syntaxhighlight lang="diff"><br />
Index: fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2-document.xml.twig<br />
+++ fossology/spdx2/agent/template/spdx2-document.xml.twig<br />
@@ -21,7 +21,7 @@<br />
<rdfs:comment><br />
This document was created using license information and a generator from Fossology.<br />
</rdfs:comment><br />
- {% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+ {% for licenseId,licenseData in licenseTexts %}<br />
<spdx:hasExtractedLicensingInfo><br />
{% if licenseId starts with 'LicenseRef-' %}<br />
<spdx:ExtractedLicensingInfo rdf:about="{{ uri }}#{{ licenseId|replace({' ': '-'})|url_encode }}"><br />
@@ -36,7 +36,7 @@<br />
]]></spdx:extractedText><br />
</spdx:ExtractedLicensingInfo><br />
</spdx:hasExtractedLicensingInfo><br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
{{ packageNodes|replace({'\n':'\n '}) }}<br />
</spdx:SpdxDocument><br />
</rdf:RDF><br />
<br />
Index: fossology/spdx2/agent/template/spdx2tv-document.twig<br />
===================================================================<br />
--- fossology.orig/spdx2/agent/template/spdx2tv-document.twig<br />
+++ fossology/spdx2/agent/template/spdx2tv-document.twig<br />
@@ -40,10 +40,10 @@ LicenseListVersion: 2.6<br />
## License Information<br />
##-------------------------<br />
<br />
-{% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}<br />
+{% for licenseId,licenseData in licenseTexts %}<br />
LicenseID: {{ licenseId|replace({' ': '-'}) }}<br />
LicenseName: {{ licenseData['name'] }}<br />
ExtractedText: <text> {{ licenseData['text']|replace({'<text>':'&lt;text&gt;','</text>':'&lt;/text&gt;'})<br />
|replace({'\f':''}) }} </text><br />
<br />
-{% endif %}{% endfor %}<br />
+{% endfor %}<br />
</syntaxhighlight><br />
<br />
==Community server==<br />
The reference community FOSSology server <i>[https://fossy.osadl.org Fossy]</i> is available on the Internet and internally used for primary curation and review; however, it is not publicly available. Future contributors may be granted login to the <i>Fossy</i> server after they successfully underwent <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> curators' training.</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=156Curation guideline2023-08-03T07:50:23Z<p>Ckresse: Complete section "Data curation" - part 2</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the OSSelot project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text –json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is:<br/>"[Quote licensing information in the source code file]"<br/>[Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is:<br/>"This file is GPL'd."<br/>As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is:<br/>"This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>."<br/>The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.<br />
<br />
=== '''fossy:''' Bulk statements ===<br />
In [[FOSSology|Fossology]], scanner findings can be confirmed, removed or corrected with bulk statements.<br />
* When doing so, it is crucial to start with the shorter bulk statements as these can be part of a longer bulk statement which would then be modified by running the short bulk statement after the long one. For example (abbreviated):<blockquote>Short bulk statement: "This file is licensed under GPL version 2.0."<br/>Long bulk statement: "This file is licensed under GPL version 2.0. As a special exception, you may..."</blockquote> Here, the short bulk statement will modify the findings for the file with the long bulk statement. It should therefore be run first so that afterwards, the long bulk statement can correct the conclusion for the relevant files.<br />
* Do not limit the scope of bulk statements, rather choose unique bulk statements. When reusing bulk statements for future uploads, the initial scope is not preserved, but they are applied to the entire upload, so it might yield false results.<br />
<br />
=== Curating copyright statements ===<br />
* Remove findings that were incorrectly identified as a copyright statement (e.g. license texts, code, etc.).<br />
* Remove content from copyright statements that is not part of the copyright notice (e.g. formatting signs, license notices, comments on content, code, etc.).<br />
* If the source code tree contains an AUTHORS file, the content of this is given as value to the SPDX tag ''PackageCopyrightText'' in the post-processing stage (see section “Post-processing” below).<br />
<br />
=== Package license ===<br />
Only If there is a LICENSE or COPYING or similar file in the root directory that states a main license for the package, we give this information as value to the SPDX tag ''PackageLicenseDeclared''.<br />
* '''fossy:''' In [[FOSSology|Fossology]], this is marked as the "main license" by activating the star symbol. Caution: If the main license is a custom text, [[FOSSology|Fossology]] takes the standard template text anyway. This has to be corrected manually in the post-processing stage (see section “Post-processing” below).</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=155Curation guideline2023-08-03T07:33:50Z<p>Ckresse: Add section "Data curation" - part 1</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the OSSelot project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
== Preparation ==<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text –json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
== Data curation ==<br />
* A licensing expert reviews and analyzes the scanning results.<br />
* [[FOSSology|Fossology]] can directly be used to review the results. The [[Scancode]] results must be reviewed with an external tool, e.g. [https://github.com/opossum-tool/opossumUI Opossum].<br />
* Review is done on file level, i.e. every file in the source code tree for which at least one scanner found a result is analyzed.<br />
** '''fossy:''' In [[FOSSology|Fossology]], you can browse through the relevant files by selecting "Go through all files with licenses and no clearing result".<br />
* That means:<br />
** scanner findings are confirmed, or<br />
** scanner findings are corrected.<br />
* If there are no findings for a file, the conclusion is NO ASSERTION (for SPDX tag ''LicenseConcluded'').<br />
** '''fossy:''' In [[FOSSology|Fossology]], this is given by the clearing decision types "No license known" or "Irrelevant" or "Non-functional".<br />
<br />
=== ''LicenseComments'' ===<br />
In case a license conclusion is not obvious, the decision is explained.<br />
* This is done with the following heuristic:<blockquote>The information in the file is: "[Quote licensing information in the source code file]" [Give reason for conclusion] Therefore, [license] is concluded.</blockquote><br />
* Example 1: No version<blockquote>The information in the file is: "This file is GPL'd." As no version of the GPL is given, GPL-1.0-or-later is concluded.</blockquote><br />
* Example 2: URL for license text<blockquote>The information in the file is: "This file is licensed under License A. You can find the license text at <nowiki>https://www.LicenseTextOfLicenseA.com</nowiki>." The URL contains the license text of License A, therefore License A is concluded. The information was retrieved on [date].</blockquote><br />
* '''fossy:''' In Fossology, the explanations are given in the "Comment" section which maps to the SPDX tag ''LicenseComments''.<br />
<br />
=== Correcting scanner findings ===<br />
The following list includes typical cases where scanner findings have to be corrected and how to do so.<br />
<br />
==== Not a license ====<br />
The scanner concludes a license from an expression in a file that is not actually a license expression at all. In this case, the incorrect license finding is removed.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the source of the scanner finding is highlighted when clicking on the number (#1) behind the scanner.<br />
==== Not the file's license ====<br />
The scanner concludes a license from a license expression that is part of the file’s content but not the license of the file itself. In this case, the incorrect license finding is removed.<br />
==== License text ====<br />
Files that contain only a license text (e.g. COPYING) are concluded by the scanners to be licensed under the respective license. This is usually not correct. Most license texts are not explicitly licensed, so the finding is removed. The GNU licenses contain a license statement for the license text itself which is concluded for these cases (''License-of-GNU-licenses'').<br />
==== Imprecise finding ====<br />
The scanner finding might be imprecise, e.g. w.r.t. to the version of a license, e.g. no version number is given. If this is the case, the imprecise finding is removed and the specified license and version is concluded. If no version is given, the lowest existing version with the -or-later extension is concluded.<br />
==== Dual licensing ====<br />
A file might offer a choice of two or more licenses under which it can be used. If the context requires to chose one specific license, this choice must be noted. However, all applicable licenses must be concluded. Also, dual license cases require additional post-processing, see section "Post-processing" below.<br />
* '''fossy:''' In [[FOSSology|Fossology]], add the following text to the "Acknowledgement" section of the "Dual-license" finding to note the license choice, if applicable:<blockquote>To the extend files may be licensed under License A or License B, in this context License B has been chosen. This shall not restrict the freedom of other users to choose either License A or License B. For convenience, all license texts are provided.</blockquote><br />
==== License exceptions ====<br />
In particular for the GNU licenses, there are a number of license exceptions.<br />
* '''fossy:''' [[FOSSology|Fossology]] notes the license and the exception as separate findings. This is corrected to one finding using the SPDX license expression [License] WITH [exception], e.g. GPL-2.0-or-later WITH GCC-exception-2.0.<br />
* '''fossy:''' If the [[FOSSology|Fossology]] license database does not yet contain these licenses, they have to be added. <br />
==== Generic license texts ====<br />
For some licenses, especially the BSD-type licenses, many variants of the license texts exist. The scanners often provide only the generic license texts. If an individual text differs from the generic text, the individual license text is provided.<br />
* '''fossy:''' In [[FOSSology|Fossology]], click percentage of match to see differences.<br />
* '''fossy:''' The individual text is copied from the file into the "License" section of [[FOSSology|Fossology]].<br />
==== External references ====<br />
Sometimes the file does not contain the name or text of a license but references an external resource such as a COPYRIGHT file in the root directory or a URL. In these cases, the external reference is checked and the detected license is concluded and the process is documented as a ''LicenseComment'' (in case of a URL, the date of access is noted).<br />
==== (Partially) global license assignment ====<br />
Sometimes there is a Readme file or similar that contains a statement assigning a license to several files within the source tree (e.g. all files in a specific directory). As such information is often outdated or does not account for individual licensing of files, it is not used to assign a license to a file here.<br />
==== Acknowledgment ====<br />
If a license has an acknowledgment requirement, the respective acknowledgment text is given. In particular for CC_BY licenses, the acknowledgment must contain the following information (if available): name of the creator, copyright notice, license notice, disclaimer, link to the material.<br />
* '''fossy:''' In [[FOSSology|Fossology]], the acknowledgment text is given in the "Acknowledgement" section.</div>Ckressehttps://wiki.osselot.org/index.php?title=Curation_guideline&diff=154Curation guideline2023-08-03T06:50:28Z<p>Ckresse: First section "Preparation"</p>
<hr />
<div>This information is intended to provide guidelines on how data are curated for the OSSelot project and how contributing works. The curator should be familiar with their preferred scanning tool (ours is [[FOSSology|Fossology]]) and have a general understanding of copyright law and in particular knowledge of FOSS licensing.<br />
<br />
''Note:'' Whenever information is given that is specific to [[FOSSology|Fossology]], it is prepended with the keyword '''fossy'''.<br />
<br />
=== Preparation ===<br />
* Obtain the component in source code form.<br />
** Note the download URL.<br />
* Naming convention:<br />
** Try to follow the project’s naming and version convention, e.g. as given by the release’s git tag.<br />
** If this is not consistent, use only lowercase letters.<br />
** [package name]-[version number], e.g. angular-15.1.0.<br />
* Analyze the component with a license scan tool (e.g. [[FOSSology|Fossology]], [[Scancode|Scancode]]).<br />
** '''fossy:''' [[FOSSology|Fossology]] default settings for analysis:<br />
*** 7. Select optional analysis:<br />
**** Upload from file<br />
**** Copyright/Email/URL/Author Analysis<br />
**** Monk License Analysis, scanning for licenses performing a text comparison<br />
**** Nomos License Analysis, scanning for licenses using regular expressions<br />
**** Ojo License Analysis, scanning for licenses using SPDX-License-Identifier<br />
*** 10. ScanCode Toolkit, scan for<br />
**** License<br />
**** Copyright<br />
** [[Scancode|Scancode]] default options for analysis:<syntaxhighlight lang="bash"><br />
scancode -cli --license-text –json [package name-version].json [package]<br />
</syntaxhighlight>c: copyrights; l: licenses; i: file information; --license-text: include full license text<br />
<br />
=== Data curation ===</div>Ckressehttps://wiki.osselot.org/index.php?title=Main_Page&diff=153Main Page2023-08-03T06:27:39Z<p>Ckresse: </p>
<hr />
<div>__NOTOC__<br />
== Welcome to the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> Wiki! ==<br />
<br />
This Wiki was created to facilitate day-to-day work with the resources of the [https://www.osselot.org <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project], especially when accessing them in batch mode, e.g. as part of a software release build.<br />
<br />
==[[Search]] for a package==<br />
[[Search|Find out]] whether a particular version of a software package is supported by <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> and has already been curated. A particular Web script is provided for this purpose, and an interactive Web interface is available to test and use this feature.<br />
<br />
==Obtain [[Disclosure_files|disclosure files]]==<br />
A shell script is provided to encapsulate the [[Search|Web search script]] and obtain the related disclosure files. Another interactive Web interface is available to test and use this feature.<br />
<br />
==Obtain [[Licenses|licensing information]]== <br />
Another Web script is available that also encapsulates the internal algorithm of the [[Search|Web search script]], but then generates a list of licenses that are used in a given software package. The script accepts as argument either a package name or a package name along with a version. In the former case the licenses of all available versions are listed, whereas in the latter the output is restricted to the specified version.<br />
<br />
==Obtain curation data in various format using a [[REST]] interface== <br />
The entire curation data of a software package can be retrieved in [[JSON]] format, curation data of a particular version can be retrieved in [[RDF-XML]], [[SPDX2TV]] or [[YAML]] format.<br />
<br />
==Reuse existing material in case of version mismatch==<br />
If a particular version of a software package has not been curated before, but another one that may be close to it has, then FOSSology's reuse feature can be applied. Details are given in the presentation and video material on the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> home page: Please check out [https://www.osselot.org/index.php?s=presentations "Use case 2" at the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> presentations].<br />
<br />
==Contributing to the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project==<br />
How to contribute to the project if a package that is not yet included with <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> has been externally curated? Contributions are greatly appreciated, and therefore we would like to encourage as many users as possible to contribute. The more versions of more packages that are curated, the more beneficial the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project will be. However, to maintain confidence in the material, a rigorous vetting process was instituted. Volunteers are asked to first contact the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> Officer via [mailto:office@osadl.org?subject=OSSelot-volunteer email]. The easiest next step is then probably to arrange a video conference, get to know each other, and understand the basic principles of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> curation process. From that moment, new software packages can be curated and provided in the fork tree. The maintainer will then review the newly provided curation data in close collaboration with the contributor, and once the review is successful, the new curation data will be included and made publicly available through the repository. The contributor's and reviewer's names will be indicated in the README file of the package.<br />
<br />
==Best practices==<br />
====FOSSology====<br />
In order to use the [[FOSSology]] Open Source curation administration tool in connection with the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project (when re-using the data and also when contributing to the project), a number of conventions should be observed.<br />
====Scancode====<br />
Normally, the [[Scancode]] Open Source scanning tool is used under the control of [[FOSSology]] in this project; however, to fine-tune or confirm the results it may be necessary to run the tool separately from command line. If this is done, the command line options should match the conventions of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project.<br />
====How to curate data====<br />
High-quality curation data are the cornerstone of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project. To ensure that this quality is maintained, every contribution is thoroughly reviewed and only curators with sufficient expertise in FOSS licensing contribute to the database. A [[curation guideline]] on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project is given here to ensure consistency.</div>Ckressehttps://wiki.osselot.org/index.php?title=Main_Page&diff=152Main Page2023-08-03T06:24:46Z<p>Ckresse: Add "How to curate data" section introduction.</p>
<hr />
<div>__NOTOC__<br />
== Welcome to the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> Wiki! ==<br />
<br />
This Wiki was created to facilitate day-to-day work with the resources of the [https://www.osselot.org <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project], especially when accessing them in batch mode, e.g. as part of a software release build.<br />
<br />
==[[Search]] for a package==<br />
[[Search|Find out]] whether a particular version of a software package is supported by <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> and has already been curated. A particular Web script is provided for this purpose, and an interactive Web interface is available to test and use this feature.<br />
<br />
==Obtain [[Disclosure_files|disclosure files]]==<br />
A shell script is provided to encapsulate the [[Search|Web search script]] and obtain the related disclosure files. Another interactive Web interface is available to test and use this feature.<br />
<br />
==Obtain [[Licenses|licensing information]]== <br />
Another Web script is available that also encapsulates the internal algorithm of the [[Search|Web search script]], but then generates a list of licenses that are used in a given software package. The script accepts as argument either a package name or a package name along with a version. In the former case the licenses of all available versions are listed, whereas in the latter the output is restricted to the specified version.<br />
<br />
==Obtain curation data in various format using a [[REST]] interface== <br />
The entire curation data of a software package can be retrieved in [[JSON]] format, curation data of a particular version can be retrieved in [[RDF-XML]], [[SPDX2TV]] or [[YAML]] format.<br />
<br />
==Reuse existing material in case of version mismatch==<br />
If a particular version of a software package has not been curated before, but another one that may be close to it has, then FOSSology's reuse feature can be applied. Details are given in the presentation and video material on the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> home page: Please check out [https://www.osselot.org/index.php?s=presentations "Use case 2" at the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> presentations].<br />
<br />
==Contributing to the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project==<br />
How to contribute to the project if a package that is not yet included with <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> has been externally curated? Contributions are greatly appreciated, and therefore we would like to encourage as many users as possible to contribute. The more versions of more packages that are curated, the more beneficial the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project will be. However, to maintain confidence in the material, a rigorous vetting process was instituted. Volunteers are asked to first contact the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> Officer via [mailto:office@osadl.org?subject=OSSelot-volunteer email]. The easiest next step is then probably to arrange a video conference, get to know each other, and understand the basic principles of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> curation process. From that moment, new software packages can be curated and provided in the fork tree. The maintainer will then review the newly provided curation data in close collaboration with the contributor, and once the review is successful, the new curation data will be included and made publicly available through the repository. The contributor's and reviewer's names will be indicated in the README file of the package.<br />
<br />
==Best practices==<br />
====FOSSology====<br />
In order to use the [[FOSSology]] Open Source curation administration tool in connection with the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project (when re-using the data and also when contributing to the project), a number of conventions should be observed.<br />
====Scancode====<br />
Normally, the [[Scancode]] Open Source scanning tool is used under the control of [[FOSSology]] in this project; however, to fine-tune or confirm the results it may be necessary to run the tool separately from command line. If this is done, the command line options should match the conventions of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project.<br />
====How to curate data====<br />
High-quality curation data are the cornerstone of the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project. To ensure that this quality is maintained, every contribution is thoroughly reviewed and only curators with sufficient expertise in FOSS licensing contribute to the database. A guideline on how data are curated for the <span style="font-family: OSSelot-Bold; font-weight: 500; color: #1565af;">O</span> project is given here to ensure consistency.</div>Ckresse