Hi Wolfgang,

On Wed, Jul 10, 2013 at 5:37 PM, Wolfgang Denk <w...@denx.de> wrote:
> Like many other projects, U-Boot has a tradition of including big
> blocks of License headers in all files. This not only blows up the
> source code with mostly redundant information, but also makes it very
> difficult to generate License Clearing Reports. An additional problem
> is that even the same licenses are referred to by a number of
> slightly varying text blocks (full, abbreviated, different
> indentation, line wrapping and/or white space, with obsolete address
> information, ...) which makes automatic processing a nightmare.
>
> To make this easier, such license headers in the source files will be
> replaced with a single line reference to Unique License Identifiers
> as defined by the Linux Foundation's SPDX project [1]. For example,
> in a source file the full "GPL v2.0 or later" header text will be
> replaced by a single line:
>
> SPDX-License-Identifier: GPL-2.0+
>

This will certainly make compliance checking a lot easier. I remember going through and checking what licenses were used some time ago - what a mess!

I've been reading Version 1.1 of the Software Package Data Exchange (SPDX®) Specification and I can't find any reference to using the term 'SPDX-License-Identifier'.

What I have found, and I think would be beneficial, is details on creation of a central SPDX file which lists all files in the package, the license applicable for that file, and (I think most importantly) an Artifact of Project Name which provides information on the original source project of each file. So if we have source code taken from the Linux kernel and modified for U-Boot, the Linux kernel would be the Artifact Project. In theory, if the file was sourced by the Linux kernel developers from somewhere else, then the Linux kernel SPDX file would provide the next hop in the chain. The idea being that the ancestry of the file can be traced back to the original author and license.

The spec also calls for each source file to be SHA-1 checksummed - this allows for very rapid verification that all source files are indeed what have been published by the project maintainers.

Would it be worthwhile machine generating an SPDX file for the project upon each release and publishing it on the U-Boot home page? This would also allow us to highlight and track files with dubious license assignments with a view to sanitising U-Boot once and for all :)

Regards,

Graeme
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
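
The per-release file listing suggested in the reply above, sketched as an added example (not code from U-Boot, the SPDX project, or either poster): it records each file's SHA-1 and its `SPDX-License-Identifier` tag, lists files that carry no tag, and re-checks a tree against the recorded checksums. The function names, the 30-line header window, and the simplified tag-value output are assumptions; the output is not a complete SPDX document.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the one-line tag quoted in the thread; '*' is excluded so "GPL-2.0+*/" still parses.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([^\s*]+)")

def scan_tree(root, header_lines=30):
    """Return (entries, untagged); entries are (relative path, SHA-1 hex, license id or None)."""
    root = Path(root)
    entries, untagged = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        head = b"\n".join(data.splitlines()[:header_lines])
        m = SPDX_TAG.search(head.decode("utf-8", errors="replace"))
        rel = path.relative_to(root).as_posix()
        lic = m.group(1) if m else None
        entries.append((rel, hashlib.sha1(data).hexdigest(), lic))
        if lic is None:
            untagged.append(rel)  # candidates for manual license review
    return entries, untagged

def render_manifest(entries):
    """Render a simplified tag-value listing (assumed layout, not a full SPDX file)."""
    out = []
    for rel, sha1, lic in entries:
        out += [f"FileName: ./{rel}",
                f"FileChecksum: SHA1: {sha1}",
                f"LicenseInfoInFile: {lic or 'NONE'}", ""]
    return "\n".join(out)

def verify(root, entries):
    """Return paths that are missing or whose SHA-1 differs from the recorded one."""
    root = Path(root)
    return [rel for rel, sha1, _ in entries
            if not (root / rel).is_file()
            or hashlib.sha1((root / rel).read_bytes()).hexdigest() != sha1]

if __name__ == "__main__":
    # Constructed two-file tree standing in for a release checkout.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "tagged.c").write_text("/*\n * SPDX-License-Identifier: GPL-2.0+\n */\n")
        Path(d, "legacy.c").write_text("/* no license header */\n")
        entries, untagged = scan_tree(d)
        print(render_manifest(entries))
        print("untagged:", untagged)
```
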