Bug 216609

Summary: Automatic dependency analysis tools misinterpret libcap/libpsx license
Product: Tools
Reporter: Günther Noack (gnoack3000)
Component: libcap
Assignee: Andrew G. Morgan (morgan)
Status: RESOLVED CODE_FIX
Severity: enhancement
CC: morgan
Priority: P1
Hardware: All
OS: Linux
Kernel Version: -
Subsystem:
Regression: No
Bisected commit-id:

Description Günther Noack 2022-10-19 19:08:10 UTC
This is mostly a small nit that I stumbled upon when playing with these dependency analysis tools:

The libcap/libpsx license gets misidentified by tools as GPL-2.0, where it actually is either BSD 3-clause or GPL-2.0.

For example here:
https://deps.dev/go/kernel.org%2Fpub%2Flinux%2Flibs%2Fsecurity%2Flibcap%2Fpsx/v1.2.65

The option between two licenses can be expressed with SPDX License identifiers as the example on https://spdx.dev/ids/ shows:

/* SPDX-License-Identifier: MIT OR Apache-2.0 */

I suspect that these dependency analysis tools would do a better job if it was explicitly stated with a SPDX-License-Identifier? This page has a section explaining how licenses get recognized: https://deps.dev/faq
Comment 1 Andrew G. Morgan 2022-10-20 02:00:39 UTC
Thanks for this. It has been annoying me that the OSI identification seemed to pick the wrong thing. There are 4 License files in the libcap tree: default, psx, cap and pam_cap.so.

The first three are:

default={libcap, libpsx}, cap and psx:
  - SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only

pam_cap.so:
  - SPDX-License-Identifier: BSD-3-Clause OR LGPL-2.0-or-later

I'll update the sources with this header. Perhaps this auto analysis will be able to understand that.
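Added example (not code from libcap or from either commenter): a small scanner that finds SPDX-License-Identifier headers, parses the flat "A OR B" / "A AND B" expressions discussed above, and checks them against an allow-list the way a dependency-analysis step would. The file names, file bodies and the allow-list policy are constructed for the example; the identifiers are the ones given in Comment 1.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample files: identifiers as in Comment 1, paths and bodies invented.
SAMPLE_FILES = {
    "libcap/cap_file.c": "/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only */\n",
    "psx/psx.c": "/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only */\n",
    "pam_cap/pam_cap.c": "/* SPDX-License-Identifier: BSD-3-Clause OR LGPL-2.0-or-later */\n",
    "progs/legacy.c": "/* no SPDX header in this file */\n",
}

# Captures the expression after the tag; stops at the closing '*' of a C comment.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\- ]+)")

Parsed = Tuple[Optional[str], List[str]]

def parse_spdx(expr: str) -> Parsed:
    """Parse a flat SPDX expression into (operator, operands).
    Handles 'A OR B' and 'A AND B' without parentheses or WITH exceptions,
    which is all the headers in this bug need."""
    expr = expr.strip()
    for op in ("OR", "AND"):
        parts = [p.strip() for p in expr.split(f" {op} ")]
        if len(parts) > 1:
            return op, parts
    return None, [expr]

def scan(files: Dict[str, str]) -> Dict[str, Optional[Parsed]]:
    """Map each path to its parsed expression, or None if no header is present."""
    result: Dict[str, Optional[Parsed]] = {}
    for path, text in files.items():
        m = SPDX_RE.search(text)
        result[path] = parse_spdx(m.group(1)) if m else None
    return result

def satisfiable(parsed: Parsed, allowed: Set[str]) -> bool:
    """OR is satisfied by any allowed operand, AND needs all of them,
    a bare identifier needs itself. Collapsing 'BSD-3-Clause OR GPL-2.0-only'
    to plain GPL-2.0 is exactly the mistake this check avoids."""
    op, ids = parsed
    if op == "OR":
        return any(i in allowed for i in ids)
    return all(i in allowed for i in ids)

if __name__ == "__main__":
    policy = {"BSD-3-Clause", "MIT", "Apache-2.0"}  # constructed: a permissive-only policy
    for path, parsed in scan(SAMPLE_FILES).items():
        if parsed is None:
            print(f"{path}: no SPDX header, needs manual review")
        else:
            print(f"{path}: {parsed[0]} {parsed[1]} allowed={satisfiable(parsed, policy)}")
```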