Handling of deprecated SPDX License Identifiers by ORT #9896
Comments
Can you please share the ORT analyzer result file the report was generated from?
Unfortunately, SPDX does not maintain a machine-readable list to which (non-deprecated) license a deprecated license maps to, i.e. what its successor is. That's why ORT maintains such mappings as part of deprecated-license-mapping.yml. At the example of
Apart from the Net-SNMP license ID (which represents 9 licenses), there is a unique resolution for the deprecated SPDX License IDs.
ScanCode does it right. I thought you were cooperating with the ScanCode team.
Except for the copyright owners, Nunit and zlib-acknowledgement are equal. ScanCode delivers the corresponding result.
Best regards
Dr. Guenter Bechtold
Bosch Management Support GmbH, Leonberg, Germany (BMS)
From: Sebastian Schuberth
Sent: Monday, 10 February 2025 12:36
To: oss-review-toolkit/ort
Cc: Bechtold Guenter (BMS); Author
Subject: Re: [oss-review-toolkit/ort] Handling of deprecated SPDX License Identifiers by ORT (Issue #9896)
Unfortunately, SPDX does not maintain a machine-readable list to which (non-deprecated) license a deprecated license maps to, i.e. what its successor is. That's why ORT maintains such mappings as part of simple-license-mapping.yml (https://github.com/oss-review-toolkit/ort/blob/fc5389c2cfd9c8b009794c8a11f5c91321b7a730/utils/spdx/src/main/resources/simple-license-mapping.yml).
At the example of eCos-2.0, it seems that should be an exception (https://spdx.org/licenses/eCos-2.0.html) called eCos-exception-2.0 now. But for e.g. Nunit (https://spdx.org/licenses/Nunit.html) it's unclear to me what the non-deprecated successor should be.
Then please share your wisdom with us by providing a table of deprecated -> non-deprecated license mappings that are missing in ORT.
I believe you have a wrong understanding of both the level of cooperation, and the way that ScanCode works. ScanCode is not able to map deprecated license IDs to non-deprecated license IDs. What it does is to associate (non-deprecated) license IDs to license texts it identifies. That is, given the license ID string "Nunit", ScanCode cannot tell you directly that the non-deprecated ID for that is "zlib-acknowledgement". In your examples you're also comparing apples to oranges, as your first table is about declared licenses (that come without a license text), but the additional context is about detected licenses (that do not involve a deprecated license ID at all). Additionally, there seems to be a display issue in the web-app report as every "Unprocessed Declared License" should always have a corresponding (processed) "Declared License".
From my point of view ORT takes metadata from package managers directly, and for source code files it uses e.g. ScanCode to scan for license and copyright information. ScanCode provides the results of the scan via SPDX license expressions.
Therefore I used an SPDX document to present deprecated SPDX License Identifiers directly to ORT. Source code files from the OSS packages bzip2-1.0.5.tar.gz, ecos-3.0.i386linux.tar.bz2, net-snmp-5.6.2.tar.gz, NUnit-2.5.0.9122-src.zip, and wxWidgets were used to check the ScanCode line. The table “Scan Results” (in scan-report-web-app.html) shows the ScanCode results with “Path”, “Start” and “End” line and correct SPDX License Identifiers. Thus ScanCode now interprets license information which correlates to the deprecated SPDX License Identifiers with valid license identifiers. The second table shows three examples including the license information detected/used by ScanCode (from “Start” and “End” line). The NUnit and wxWindows examples are the most obvious.
My interpretation of the SPDX information about the deprecated SPDX License Identifiers ORT does not handle:
| Deprecated LID | Current valid LID |
| --- | --- |
| BSD-2-Clause-NetBSD | BSD-2-Clause |
| bzip2-1.0.5 | bzip2-1.0.6 |
| eCos-2.0 | GPL-2.0-or-later WITH eCos-exception-2.0 |
| Net-SNMP | no 1:1 resolution possible because it is a license stack of 9 licenses |
| Nunit | zlib-acknowledgement |
| StandardML-NJ | SMLNJ |
| wxWindows | LGPL-2.0-or-later WITH WxWindows-exception-3.1 |

My interpretation is confirmed by ScanCode results from source code files of the above-mentioned OSS packages.
Best regards
Guenter Bechtold
BMS
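As an added example (not ORT's own code and not from this thread), the following Python applies the deprecated-to-successor table from the comment above to the licenseDeclared field of SPDX package records, which is the input path the issue describes. The mapping values are the commenter's interpretation as listed in that table, not ORT's simple-license-mapping.yml; the package records, the Example-exception-1.0 identifier and the function names are constructed for this example. It also handles the two cases the thread raises that a plain string replacement gets wrong: an ID with no 1:1 successor (Net-SNMP) is reported rather than rewritten, and a successor that is itself a WITH expression is refused when the original ID already sits in a WITH clause, since SPDX does not allow one WITH inside another.

```python
import re

# Deprecated SPDX ID -> successor, taken from the table in the comment above.
# These are the commenter's interpretation, not ORT's simple-license-mapping.yml.
DEPRECATED_ID_MAP = {
    "BSD-2-Clause-NetBSD": "BSD-2-Clause",
    "bzip2-1.0.5": "bzip2-1.0.6",
    "eCos-2.0": "GPL-2.0-or-later WITH eCos-exception-2.0",
    "Nunit": "zlib-acknowledgement",
    "StandardML-NJ": "SMLNJ",
    "wxWindows": "LGPL-2.0-or-later WITH WxWindows-exception-3.1",
}

# Deprecated IDs the table marks as having no 1:1 successor
# (Net-SNMP: a stack of 9 licenses). These are reported, never rewritten.
NO_SUCCESSOR_IDS = {"Net-SNMP"}

# Lookups are case-insensitive: the thread spells the same ID "Nunit" and "NUnit".
_MAP = {k.lower(): v for k, v in DEPRECATED_ID_MAP.items()}
_NO_SUCCESSOR = {k.lower() for k in NO_SUCCESSOR_IDS}

OPERATORS = {"AND", "OR", "WITH"}
# A token is either a parenthesis or an SPDX idstring (letters, digits, '-', '.', trailing '+').
TOKEN_RE = re.compile(r"[()]|[A-Za-z0-9.+-]+")


def rewrite_expression(expr):
    """Replace deprecated IDs in an SPDX license expression.

    Returns (rewritten_expression, unresolved), where unresolved lists
    (token, reason) pairs for IDs that were deliberately left untouched.
    """
    tokens = TOKEN_RE.findall(expr)
    out = []
    unresolved = []
    for i, tok in enumerate(tokens):
        if tok in ("(", ")") or tok.upper() in OPERATORS:
            out.append(tok)
            continue
        key = tok.lower()
        if key in _NO_SUCCESSOR:
            unresolved.append((tok, "no 1:1 successor"))
            out.append(tok)
            continue
        successor = _MAP.get(key)
        if successor is None:
            out.append(tok)  # not deprecated (or unknown to this table): keep as-is
            continue
        prev_tok = tokens[i - 1].upper() if i > 0 else ""
        next_tok = tokens[i + 1].upper() if i + 1 < len(tokens) else ""
        if "WITH" in successor.split() and "WITH" in (prev_tok, next_tok):
            # "X WITH e1 WITH e2" is not a valid SPDX expression; report instead of rewriting.
            unresolved.append((tok, "successor is a WITH expression inside an existing WITH clause"))
            out.append(tok)
            continue
        out.append(successor)
    # Rejoin tokens; WITH binds tighter than AND/OR, so a WITH successor needs no extra parentheses.
    text = " ".join(out)
    text = re.sub(r"\(\s+", "(", text)
    text = re.sub(r"\s+\)", ")", text)
    return text, unresolved


def process_declared_licenses(packages):
    """Apply rewrite_expression to the licenseDeclared field of SPDX package records."""
    report = []
    for pkg in packages:
        declared = pkg.get("licenseDeclared", "NOASSERTION")
        if declared in ("NOASSERTION", "NONE"):
            processed, unresolved = declared, []  # SPDX placeholders pass through untouched
        else:
            processed, unresolved = rewrite_expression(declared)
        report.append({"name": pkg["name"], "declared": declared,
                       "processed": processed, "unresolved": unresolved})
    return report


# Constructed sample package records: the names echo the thread, but the declared
# values are chosen to exercise each mapping case, not taken from real package metadata.
SAMPLE_PACKAGES = [
    {"name": "bzip2", "licenseDeclared": "bzip2-1.0.5"},
    {"name": "ecos", "licenseDeclared": "eCos-2.0"},
    {"name": "net-snmp", "licenseDeclared": "Net-SNMP"},
    {"name": "NUnit", "licenseDeclared": "NUnit"},
    {"name": "wxWidgets", "licenseDeclared": "MIT AND (wxWindows OR GPL-3.0-only)"},
    {"name": "example-lib", "licenseDeclared": "eCos-2.0 WITH Example-exception-1.0"},
    {"name": "no-metadata", "licenseDeclared": "NOASSERTION"},
]

if __name__ == "__main__":
    for row in process_declared_licenses(SAMPLE_PACKAGES):
        flag = ""
        if row["unresolved"]:
            flag = " UNRESOLVED: " + "; ".join(f"{t} ({r})" for t, r in row["unresolved"])
        print(f'{row["name"]}: {row["declared"]} -> {row["processed"]}{flag}')
```

The unresolved list is the part worth surfacing in a report: a deprecated ID that silently survives processing is exactly the "Unprocessed Declared License" without a processed counterpart that the maintainer describes, and for Net-SNMP the right outcome is a reviewer decision, not an automatic rewrite.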
What is the existing functionality and how should it be enhanced?
ORT transforms some deprecated SPDX License Identifiers to valid SPDX License IDs; this should be enhanced so that ORT handles all deprecated SPDX License Identifiers.
What is the use-case for your enhancement?
In the file https://github.com/oss-review-toolkit/ort/blob/main/utils/spdx/src/main/kotlin/SpdxLicense.kt all current deprecated SPDX License Identifiers are identified correctly. If deprecated SPDX License Identifiers are entered directly into ORT, for example via the field “licenseDeclared” in an SPDX document, some but not all deprecated SPDX License Identifiers are transformed to valid SPDX License Identifiers. Another comparable scenario would be metadata from package managers. Examples of transformed and not transformed deprecated License Identifiers are shown in the following list (taken from the tab table of an ORT Scan Report):
Additional context
License information in source code files is interpreted by ScanCode and handed over to ORT as SPDX license expressions. Testing license information which would result in deprecated SPDX License Identifiers shows that ScanCode can handle the current deprecated SPDX License Identifiers correctly. With selected files from ecos-3.0.i386linux.tar.bz2, NUnit-2.5.0.9122-src.zip and wxWidgets-3.2.6.zip, ScanCode provides the following results with valid SPDX License Identifiers: