Is your feature request related to a problem? Please describe.
Hi team,
A question about SRP compliance. That license declaration assembling procedure (package builder -> license.txt) per required and build-required subcomponent is a safe path, no doubt; however, how does it respect the vendor's subcomponent declaration? For instance, see shim, the Red Hat boot loader, statically declared in https://github.com/rhboot/shim/blob/main/COPYRIGHT. Do you use that information somehow, too?
Kind regards,
Daniel
Describe the solution you'd like
Up-to-date, granular and well-maintained license data
Really looking forward, good progress!
Describe alternatives you've considered
No response
Additional context
No response
Hi Daniel,
Our automation uses [1], which scans every single file in a tarball and patches for license info, including header content.
The COPYRIGHT file in your example is going to be captured also.
As a result, the spec's license field will be changed to a long (especially for the Linux kernel) string in SPDX format.
This license information will be used for product's SBOMs.
Hi Alexey,
Yes, that automation absolutely makes sense. Improving that automation is crucial. Thank you for the weblink. Scancode inside seems to be the appropriate parsing tool.
edited: December 16th 2024
QA remarks:
The copyright information can be scanned, but afaik isn't included in license.txt(?)
Should scanning srpms and GitHub Photon source look the same? I was tinkering with ./scancode -clpeui --json-pp scancode_result.json extractcode <file/dir>.
Is SRPCLI a closed source <> scancode-toolkit? Running make build the classic way (make image IMG_NAME=iso) on Photon OS 5 warns with "SRPCLI is not provided. SRP provenance will not be generated."
Backward SRP tasks for Ph4+Ph3 are not planned, right?
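The flow discussed in this thread (per-file scan results folded into one SPDX string for the spec's License field, with copyright statements kept alongside), as an added example that is not Photon OS or SRP code. It assumes the per-file field names of scancode-toolkit 32.x JSON output (`detected_license_expression_spdx`, `copyrights`); the sample data is constructed and the function names are hypothetical.

```python
# Constructed sample shaped like scancode-toolkit 32.x JSON output
# (--license --copyright); paths and values are made up, not real scan data.
SAMPLE_SCAN = {"files": [
    {"path": "pkg-1.0/src", "type": "directory"},
    {"path": "pkg-1.0/COPYRIGHT", "type": "file",
     "detected_license_expression_spdx": "BSD-2-Clause",
     "copyrights": [{"copyright": "Copyright (c) 2024 Example Vendor"}]},
    {"path": "pkg-1.0/src/main.c", "type": "file",
     "detected_license_expression_spdx": "GPL-2.0-only OR MIT",
     "copyrights": [{"copyright": "Copyright (c) 2023 Example Contributor"}]},
    {"path": "pkg-1.0/src/util.c", "type": "file",
     "detected_license_expression_spdx": "BSD-2-Clause", "copyrights": []},
    {"path": "pkg-1.0/README", "type": "file",
     "detected_license_expression_spdx": None, "copyrights": []},
]}


def scanned_files(scan):
    """Return only regular-file entries; directory entries carry no detections."""
    return [f for f in scan.get("files", []) if f.get("type") == "file"]


def spdx_license_field(scan):
    """Fold the distinct per-file SPDX expressions into one AND expression."""
    exprs = sorted({f["detected_license_expression_spdx"]
                    for f in scanned_files(scan)
                    if f.get("detected_license_expression_spdx")})
    if len(exprs) == 1:
        return exprs[0]
    # Parenthesize compound expressions so an inner OR/WITH keeps its meaning.
    return " AND ".join(f"({e})" if " " in e else e for e in exprs)


def copyright_statements(scan):
    """Map each file path to the copyright statements detected in it."""
    return {f["path"]: [c["copyright"] for c in f["copyrights"]]
            for f in scanned_files(scan) if f.get("copyrights")}


def files_without_license(scan):
    """List files with no license detection, for manual review."""
    return [f["path"] for f in scanned_files(scan)
            if not f.get("detected_license_expression_spdx")]


if __name__ == "__main__":
    print("License:", spdx_license_field(SAMPLE_SCAN))
    print("Copyrights:", copyright_statements(SAMPLE_SCAN))
    print("No license detected:", files_without_license(SAMPLE_SCAN))
```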
dcasota changed the title from "SRP compliance question" to "SRP compliance questions" on Dec 29, 2024