[U-Boot] [PATCH 0/5] Introducing SPDX-License-Identifiers

Graeme Russ graeme.russ at gmail.com
Wed Jul 24 11:51:27 CEST 2013


Hi Wolfgang,


On Wed, Jul 10, 2013 at 5:37 PM, Wolfgang Denk <wd at denx.de> wrote:

> Like many other projects, U-Boot has a tradition of including big
> blocks of License headers in all files.  This not only blows up the
> source code with mostly redundant information, but also makes it very
> difficult to generate License Clearing Reports.  An additional problem
> is that even the same licenses are referred to by a number of
> slightly varying text blocks (full, abbreviated, different
> indentation, line wrapping and/or white space, with obsolete address
> information, ...) which makes automatic processing a nightmare.
>
> To make this easier, such license headers in the source files will be
> replaced with a single line reference to Unique License Identifiers
> as defined by the Linux Foundation's SPDX project [1].  For example,
> in a source file the full "GPL v2.0 or later" header text will be
> replaced by a single line:
>
>         SPDX-License-Identifier:        GPL-2.0+
>
>
This will certainly make compliance checking a lot easier. I remember going
through and checking what licenses were used some time ago - what a mess!

I've been reading Version 1.1 of the Software Package Data Exchange (SPDX®)
Specification and I can't find any reference to using the term
'SPDX-License-Identifier'.

What I have found, and I think would be beneficial, is details on creation
of a central SPDX file which lists all files in the package, the license
applicable for that file, and (I think most importantly) an Artifact of
Project Name which provides information on the original source project of
each file. So if we have source code taken from the Linux kernel and
modified for U-Boot, the Linux kernel would be the Artifact Project. In
theory, if the file was sourced by the Linux kernel developers from
somewhere else, then the Linux kernel SPDX file would provide the next hop
in the chain. The idea being that the ancestry of the file can be traced
back to the original author and license.

The spec also calls for each source file to be SHA-1 checksummed - this
allows for very rapid verification that all source files are indeed what
have been published by the project maintainers. Would it be worthwhile
machine generating an SPDX file for the project upon each release and
publishing it on the U-Boot home page? This would also allow us to
highlight and track files with dubious license assignments with a view to
sanitising U-Boot once and for all :)

Regards,

Graeme
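As an added illustration of the per-file SHA-1 checksum and machine-generated SPDX file Graeme proposes (this is not U-Boot code, nor anything from the thread): the script below walks a source tree, reads the `SPDX-License-Identifier:` line from each file, computes its SHA-1, emits a tag-value SPDX document, and can later verify a tree against that document. The sample tree is constructed inline, with one file deliberately lacking an identifier so it is flagged for review. The tag-value field names (`FileName`, `FileType`, `FileChecksum`, `LicenseConcluded`, `LicenseInfoInFile`) follow the SPDX 1.x format, but the document is simplified: package-level fields and `ArtifactOfProjectName` are omitted because nothing in a source file alone says where it came from.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample tree: one file with the tab-separated identifier style from the
# patch, one borrowed from another project, and one with no identifier at all.
SAMPLE_FILES = {
    "common/foo.c": "/*\n * SPDX-License-Identifier:\tGPL-2.0+\n */\nint foo(void) { return 1; }\n",
    "lib/bar.c": "// SPDX-License-Identifier: BSD-3-Clause\nint bar(void) { return 2; }\n",
    "board/legacy.c": "/* old style header, no identifier */\nint legacy(void) { return 3; }\n",
}

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")


def write_sample_tree(root):
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)


def sha1_of(path):
    """Stream the file so large sources do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def license_in_file(path, max_lines=20):
    """Return the identifier found near the top of the file, or NOASSERTION."""
    with open(path, "r", errors="replace") as f:
        for _, line in zip(range(max_lines), f):
            m = SPDX_RE.search(line)
            if m:
                return m.group(1)
    return "NOASSERTION"


def scan_tree(root):
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            records.append({"name": rel, "sha1": sha1_of(path),
                            "license": license_in_file(path)})
    return sorted(records, key=lambda r: r["name"])


def render_spdx(records):
    """Emit simplified SPDX tag-value file records (no package section)."""
    lines = []
    for r in records:
        lines += [f"FileName: ./{r['name']}", "FileType: SOURCE",
                  f"FileChecksum: SHA1: {r['sha1']}",
                  f"LicenseConcluded: {r['license']}",
                  f"LicenseInfoInFile: {r['license']}", ""]
    return "\n".join(lines)


def flag_unreviewed(records):
    """Files whose license could not be determined from an identifier line."""
    return sorted(r["name"] for r in records if r["license"] == "NOASSERTION")


def parse_manifest(text):
    """Read FileName/SHA1 pairs back out of a tag-value document."""
    checksums, current = {}, None
    for line in text.splitlines():
        if line.startswith("FileName: ./"):
            current = line[len("FileName: ./"):]
        elif line.startswith("FileChecksum: SHA1: ") and current is not None:
            checksums[current] = line.split()[-1]
    return checksums


def verify_tree(root, manifest_text):
    """Compare a checked-out tree against the published manifest."""
    expected = parse_manifest(manifest_text)
    actual = {r["name"]: r["sha1"] for r in scan_tree(root)}
    return {
        "modified": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in actual),
        "unlisted": sorted(n for n in actual if n not in expected),
    }


def run_demo():
    """Generate a manifest, verify a pristine tree, then a tampered one."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        records = scan_tree(root)
        manifest = render_spdx(records)
        clean = verify_tree(root, manifest)
        # Simulate a release tarball that was altered after publication.
        with open(os.path.join(root, "lib/bar.c"), "a") as f:
            f.write("int extra(void) { return 0; }\n")
        os.remove(os.path.join(root, "board/legacy.c"))
        tampered = verify_tree(root, manifest)
    return {"licenses": {r["name"]: r["license"] for r in records},
            "unreviewed": flag_unreviewed(records), "manifest": manifest,
            "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = run_demo()
    print(result["manifest"])
    print("needs license review:", result["unreviewed"])
    print("tampered tree:", result["tampered"])
```

Running it prints the generated document followed by the review list (`board/legacy.c`) and the verification result for the altered tree, where `lib/bar.c` shows up as modified and `board/legacy.c` as missing. The same `verify_tree` step is what a downstream user would run against a manifest published alongside a release.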

