On 08/09/2024 07:38, Jonas Smedegaard wrote:
> [CC'ing Fabio as they seemingly missed my earlier list-only reply]
>
> Quoting Fabio Fantoni (2024-09-07 23:57:35)
>> On 07/09/2024 22:56, Aurélien COUDERC wrote:
>>> On Saturday 7 September 2024, 21:43:35 CEST, Fabio Fantoni wrote:
>>>> So I wonder, is it possible to put in d/copyright DEP5 the short license names using the spdx ones?
>>>
>>> we’ve been doing that for KDE packages since upstream started tagging all source files with SPDX-License / SPDX-Copyright headers and so using SPDX license identifiers some years ago. See [1] for example.
>>>
>>> While not strictly adhering to DEP-5 I consider it useful to have a machine-readable-with-SPDX-identifiers and I’m not sure how useful it is to try and translate upstream-provided SPDX identifiers into something else.
>>>
>>> Our spec [2] already defines an equivalence rule between License-X and License-X.0 declarations for SPDX compatibility. For what I’ve seen on the quite vast and diverse KDE source corpus we’d only need 2 additional equivalence rules to be added to match what that upstream ships:
>>> - equivalence between the + and -or-later suffixes (GPL-2+ / GPL-2.0-or-later)
>>> - equivalence between MIT and Expat.
>>>
>>> [1] https://salsa.debian.org/qt-kde-team/kde/plasma-workspace/-/blob/debian/experimental/debian/copyright
>>> [2] https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-short-name
>>
>> Thanks for the information, about tools that help to create and check d/copyright are you experiencing problems?
>
> You might already be aware, but (also for others following along) an overview of tools is maintained here: https://wiki.debian.org/CopyrightReviewTools
>
>> I use decopy a lot and I found that there is this MR of 1 year ago not merged: https://salsa.debian.org/debian/decopy/-/merge_requests/4
>> it would be useful even if it didn't have spdx generation by default but at least as an option, I was wondering if there was something preventing the use of the spdx name but from the current responses it does not appear.
>
> Licensecheck can use strictly SPDX shortnames like this:
>
>   licensecheck --shortname-scheme spdx --check '.*' --recursive --deb-machine --lines 0 -- *
>
> ...or more relaxed use fallbacks for patterns without SPDX shortname:
>
>   licensecheck --shortname-scheme spdx,debian,internal --check '.*' --recursive --deb-machine --lines 0 -- *
>
> If you want another output than the DEP5 file format implied by the option --deb-machine (e.g. one that includes hashes for each file, never shortening file lists with wildcards) then please file a bugreport against licensecheck and let's discuss that in detail there: https://www.debian.org/Bugs/Reporting
>
>> one more question, is there any tool/script to convert current d/copyright to spdx names?
>
> See the tools at https://wiki.debian.org/CopyrightReviewTools and please update that list if you find additional tools helpful.
>
> Thanks for interest in copyright and licensing tracking,
>
>  - Jonas

Thanks for your reply and information, I already saw that wiki page.
Overall, the tool I used the most as a base from which to start creating or updating d/copyright is decopy; manual changes are then always required.
Initially, if I remember correctly, I didn't use any tools but made rare manual changes to d/copyright; later I used decopy, suggested by Maxy and Marga, who taught me a lot about packaging in the early years.
A few years ago (to try to reduce the time) I tried several other tools, I don't remember exactly which ones, but mainly looking at the list from the wiki page, I didn't find anything better, and the only decent one that could be useful in some cases was licensecheck.
Recently I looked at the tools again and found lrc (licenserecon), which seems useful in identifying some missing or incorrect entries.
I did some tests using SPDX short names, but it seems that currently the tools are not good enough to manage them well (in total) and it would take more time than with the Debian names.
If they were well supported instead, it could save some time in some cases when identifying the licenses, and I suppose it would also be easier and faster for new maintainers who already know/use the SPDX names, rather than learning the Debian ones and the various differences.
- licensecheck, even with "--shortname-scheme spdx,debian", seems to show some Debian names where it could show SPDX ones instead; with only spdx it is probably good, but I haven't tested it enough
- licenserecon doesn't support SPDX names, so it shows entries with the correct license but an SPDX name as a difference
- decopy doesn't support SPDX names in the DEP5 output it produces, but there is an MR from 1 year ago
I'll see if Aurélien COUDERC or someone else from the KDE team who uses SPDX names will answer me, to know what tools they use.
I also tried scancode-toolkit after I saw that it has a very big license list (more than SPDX) and supports generating DEP5 output, but it is bad; I think it can be useful only to help detect the license of specific files.
As I saw you are the licensecheck maintainer, here are some suggestions for it:
- add debian/copyright and debian/changelog (probably also others) to the default ignores
- make it possible to start from d/copyright if present, like decopy does; it can be useful if you want to compare the differences between the generated output and d/copyright, having much fewer and the most useful ones
- improve the usage examples in the wiki page, for example the SPDX case. I am not sure about --merge-license as default, but it seems to be used by all the d/copyright files of packages I saw
Another small thing that could help reduce the time needed to manage d/copyright is if licensecheck had the possibility to optionally add the complete output of the licenses, at least the most used ones and with fixed output; I don't think I saw it.
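Added example, not part of the mail above and not code from licensecheck, licenserecon or decopy: a name-normalising comparison that applies the three equivalence rules quoted in the thread (License-X / License-X.0, `+` / `-or-later`, MIT / Expat), so that a d/copyright written with Debian names and a tool report written with SPDX names only differ where the license really differs. The sample file, the report and all function names are constructed for illustration; case-folding and the `-only` suffix are assumptions beyond the quoted rules, and only single short names are handled, not `or`/`and` expressions.

```python
import re

# Constructed sample d/copyright and constructed tool report (SPDX names).
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2024 Example Author
License: GPL-2+

Files: lib/*
 vendor/*
Copyright: 2024 Example Author
License: Expat

Files: doc/*
Copyright: 2024 Example Author
License: LGPL-2.1
"""
SAMPLE_REPORT = {"*": "GPL-2.0-or-later", "lib/*": "MIT",
                 "vendor/*": "MIT", "doc/*": "LGPL-3.0-or-later"}

def canonical(name):
    """Reduce one Debian or SPDX short name to a common comparison key."""
    n = name.strip().lower()                  # case-folding is an assumption
    if n == "mit":                            # MIT (SPDX) == Expat (Debian)
        n = "expat"
    later = n.endswith(("+", "-or-later"))    # "+" == "-or-later"
    n = re.sub(r"(\+|-or-later|-only)$", "", n)  # "-only": not in the quoted rules
    n = re.sub(r"(-\d+)\.0$", r"\1", n)       # License-X.0 == License-X
    return n + ("+" if later else "")

def license_fields(dep5_text):
    """Map every Files pattern to the short name on its License line."""
    result = {}
    for stanza in re.split(r"\n\s*\n", dep5_text.strip()):
        files = re.search(r"^Files:(.*(?:\n[ \t].*)*)", stanza, re.M | re.I)
        lic = re.search(r"^License:[ \t]*(.*)", stanza, re.M | re.I)
        if files and lic:                     # header and License-only stanzas are skipped
            for pattern in files.group(1).split():
                result[pattern] = lic.group(1).strip()
    return result

def real_differences(dep5_text, reported):
    """Patterns whose license still differs after name normalisation."""
    declared = license_fields(dep5_text)
    return {p: (declared[p], reported[p]) for p in declared
            if p in reported and canonical(declared[p]) != canonical(reported[p])}
```
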