On Fri, Jun 02, 2006 at 10:17:46AM -0400, Noel J. Bergman wrote:
> Leo Simons wrote:
> > Let's write a piece of software to do the auditing for us.
>
> How do you propose to do this? How do you propose to audit the code and
> know which pieces of code require which license and whether or not that
> license is conforming, and properly documented? Not saying that this can't
> be done, but am asking how you propose to do it.
Hadn't thought about it a whole lot yet. I figured the question was coming so
I typed up some random things on the train...not sure whether it makes sense
but I'm confident it can be done.
cheers!
LSD
----
The Magnificent Release Licensing Assistant
----
--> takes a tarball
    --> check tarball name
        --> has "incubating" in there
    --> checks there is a LICENSE.txt containing at least all of the
        apache license, v2.0
    --> checks there is a NOTICE.txt containing at least all of the
        policy-required ASF copyright statements
    --> look for any file which is easily identified as "potentially
        third party" (for java projects, this typically means .jars.
        For other projects, who knows...)
        --> for each such file
            --> compare (eg the SHA1 or MD5) with a database of
                'known' ASF artifacts (eg based on our maven repo
                metadata)
                --> if match
                    --> if "SNAPSHOT", issue warning
                    --> if "incubating", issue warning
                --> if no match
                    --> compare the name of the file
                        --> if match, issue error
                        --> if no match
                            --> compare with a database of known
                                'external' artifacts
                                --> similar policies
                                --> for known non-apache license
                                    and/or copyright, inspect
                                    LICENSE.txt/NOTICE.txt/legal
                                    subdir (as per 3rd party
                                    policy)
                                --> if still no match
                                    --> issue warning, request addition
                                        of metadata
                                        --> tool for adding metadata in
                                            some way (webapp? Integrates
                                            with maven repo manager?)
    --> check availability of PGP file
        --> check validity
    --> check availability of SHA1 file
        --> check validity
    --> etc etc
Frequently Imagined Answers
---
Is this hard to implement?
No!
--> some for loops
--> some switch/case/if/then/else
--> some regular expressions
--> some clever use of 'diff'
--> some file i/o
--> availability of maven POM metadata (perhaps with an
extension or two) is *key*
Why no 'template' tool instead?
--> no idea! Let's do that too!
Why not as a maven subproject?
--> no idea! Let's see if that makes sense!
Why write it using maven?
--> it somehow seems sensible. It looks like our non-java projects tend to
get this right anyhow, and most of our java projects use maven for their
builds and stuff anyway.
But I want to do it using technology X!
--> Cool! Please do. Way to go! Less work for me!
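As an added example, not code from the thread or from any ASF tool: a Python sketch of the checks Leo outlines above, run against a tarball constructed in memory. The known-artifact table stands in for the maven repo metadata, the NOTICE marker text is an assumption, and the external-artifact database and the PGP check are left out.

```python
import hashlib
import io
import tarfile

APACHE_V2_MARKER = b"Apache License, Version 2.0"
NOTICE_MARKER = b"Apache Software Foundation"  # assumed stand-in for the required text
def build_tarball(entries):
    """Constructed sample input: entries maps path -> bytes; returns tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_release(tarball_name, tarball_bytes, known_asf, sidecar_sha1=None):
    """Return a list of (level, message) findings. known_asf maps sha1-hex -> artifact
    name (stand-in for maven repo metadata); sidecar_sha1 is the .sha1 file's text or None."""
    findings = []
    if "incubating" not in tarball_name:
        findings.append(("error", "tarball name does not contain 'incubating'"))
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tf:
        files = {m.name: tf.extractfile(m).read() for m in tf.getmembers() if m.isfile()}
    def top_level(basename):  # file directly under the tarball's single root directory
        return next((d for n, d in files.items()
                     if n.split("/")[-1] == basename and n.count("/") <= 1), None)
    lic = top_level("LICENSE.txt")
    if lic is None or APACHE_V2_MARKER not in lic:
        findings.append(("error", "LICENSE.txt missing or lacks the Apache License v2.0"))
    notice = top_level("NOTICE.txt")
    if notice is None or NOTICE_MARKER not in notice:
        findings.append(("error", "NOTICE.txt missing or lacks the ASF copyright statement"))
    for name, data in files.items():
        if not name.endswith(".jar"):
            continue  # only .jars are treated as "potentially third party" here
        base, digest = name.split("/")[-1], hashlib.sha1(data).hexdigest()
        if digest in known_asf:  # bit-identical known ASF artifact; flag unstable ones
            for tag in ("SNAPSHOT", "incubating"):
                if tag in base:
                    findings.append(("warning", f"{base}: depends on a {tag} artifact"))
        elif base in known_asf.values():  # known name, different bytes: rebuilt or tampered
            findings.append(("error", f"{base}: name is a known ASF artifact but contents differ"))
        else:  # the thread's "external artifacts" database is left out of this sketch
            findings.append(("warning", f"{base}: unknown artifact, metadata needed"))
    if sidecar_sha1 is None:  # the PGP signature check would sit beside this (needs gpg)
        findings.append(("warning", "no SHA1 file for the tarball"))
    elif sidecar_sha1.split()[0] != hashlib.sha1(tarball_bytes).hexdigest():
        findings.append(("error", "SHA1 file does not match the tarball"))
    return findings
```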