Bug 216609 - Automatic dependency analysis tools misinterpret libcap/libpsx license
Summary: Automatic dependency analysis tools misinterpret libcap/libpsx license
Status: RESOLVED CODE_FIX
Alias: None
Product: Tools
Classification: Unclassified
Component: libcap
Hardware: All Linux
Importance: P1 enhancement
Assignee: Andrew G. Morgan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-19 19:08 UTC by Günther Noack
Modified: 2022-10-20 02:11 UTC

See Also:
Kernel Version: -
Subsystem:
Regression: No
Bisected commit-id:



Description Günther Noack 2022-10-19 19:08:10 UTC
This is mostly a small nit that I stumbled upon when playing with these dependency analysis tools:

The libcap/libpsx license gets misidentified by tools as GPL-2.0, where it actually is either BSD 3-clause or GPL-2.0.

For example here:
https://deps.dev/go/kernel.org%2Fpub%2Flinux%2Flibs%2Fsecurity%2Flibcap%2Fpsx/v1.2.65

The option between two licenses can be expressed with SPDX License identifiers as the example on https://spdx.dev/ids/ shows:

/* SPDX-License-Identifier: MIT OR Apache-2.0 */

I suspect that these dependency analysis tools would do a better job if it was explicitly stated with a SPDX-License-Identifier? This page has a section explaining how licenses get recognized: https://deps.dev/faq
Comment 1 Andrew G. Morgan 2022-10-20 02:00:39 UTC
Thanks for this. It has been annoying me that the OSI identification seemed to pick the wrong thing. There are 4 License files in the libcap tree: default, psx, cap and pam_cap.so.

The first three are:

default={libcap, libpsx}, cap and psx:
  - SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only

pam_cap.so:
  - SPDX-License-Identifier: BSD-3-Clause OR LGPL-2.0-or-later

I'll update the sources with this header. Perhaps this auto analysis will be able to understand that.

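As an added example (not libcap's own code and not part of either comment above), here is a small checker for the header Andrew describes: it pulls the SPDX-License-Identifier line out of a source file, treats a flat "A OR B" expression as the set of licences on offer, flags retired identifiers such as the bare "GPL-2.0" that tools tend to read as a single licence, and compares the set against the per-component expectation quoted in comment 1. The component names, the directory layout in the sample paths and the file contents are constructed for the example; the retired-identifier list follows the SPDX licence list, which replaced "GPL-2.0" style identifiers with explicit -only/-or-later forms.

```python
"""Check that source files carry an SPDX-License-Identifier header that
matches the licence choice the project intends.

Added example for this bug report; not part of libcap.  The EXPECTED
mapping reproduces the expressions given in comment 1; directory names,
file paths and file contents below are constructed."""
import re

# Anything after the header keyword up to end of line; comment closers are
# stripped afterwards so C, Go, shell and XML style comments all work.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([^\r\n]*)")
TRAILER_RE = re.compile(r"\s*(\*/|-->|\*\))\s*$")
IDENT_RE = re.compile(r"^[A-Za-z0-9.+\-]+$")

# Licence expressions per component, as stated in comment 1 of this bug.
EXPECTED = {
    "libcap": "BSD-3-Clause OR GPL-2.0-only",
    "psx": "BSD-3-Clause OR GPL-2.0-only",
    "pam_cap": "BSD-3-Clause OR LGPL-2.0-or-later",
}

# Identifiers the SPDX licence list has retired in favour of explicit
# -only / -or-later forms.  A bare "GPL-2.0" is exactly what an analysis
# tool is likely to report as "the" licence.
DEPRECATED = {
    "GPL-2.0", "GPL-2.0+", "GPL-3.0", "GPL-3.0+",
    "LGPL-2.0", "LGPL-2.0+", "LGPL-2.1", "LGPL-2.1+", "LGPL-3.0", "LGPL-3.0+",
}


def extract_spdx(text):
    """Return the SPDX expression from the first header line, or None."""
    m = SPDX_RE.search(text)
    if not m:
        return None
    return TRAILER_RE.sub("", m.group(1)).strip()


def parse_choice(expr):
    """Return the set of licences a flat 'A OR B OR C' expression offers.

    Only disjunctions are handled here; AND / WITH expressions need a
    real SPDX expression parser and are reported as unsupported."""
    body = expr.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    ids = []
    for part in re.split(r"\s+OR\s+", body, flags=re.IGNORECASE):
        part = part.strip()
        if not IDENT_RE.match(part):
            raise ValueError(f"unsupported SPDX expression: {expr!r}")
        ids.append(part)
    return frozenset(ids)


def check_file(component, text):
    """Return a list of findings for one file (empty list means clean)."""
    expr = extract_spdx(text)
    if expr is None:
        return ["missing SPDX-License-Identifier header"]
    try:
        offered = parse_choice(expr)
    except ValueError as e:
        return [str(e)]
    findings = []
    for ident in sorted(offered):
        if ident in DEPRECATED:
            findings.append(
                f"deprecated identifier {ident}; use an -only or -or-later form")
    expected = parse_choice(EXPECTED[component])
    if offered != expected:
        findings.append(f"expected {EXPECTED[component]!r}, found {expr!r}")
    return findings


# Constructed sample tree: (component, file contents).
SAMPLES = {
    "psx/psx.c": ("psx",
        "/* SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-only */\n"
        "#include <stdio.h>\n"),
    "pam_cap/pam_cap.c": ("pam_cap",
        "// SPDX-License-Identifier: GPL-2.0\n"),
    "libcap/cap_file.c": ("libcap",
        "/* no licence header at all */\n"),
    "psx/psx.go": ("psx",
        "// SPDX-License-Identifier: BSD-3-Clause OR MIT\npackage psx\n"),
}


def scan(samples=SAMPLES):
    """Run check_file over every sample and map path -> findings."""
    return {path: check_file(comp, text) for path, (comp, text) in samples.items()}


if __name__ == "__main__":
    for path, findings in scan().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run over a real tree, the mapping from path to component is the only part that needs to change; everything the dependency tools look at is the header line itself, so a clean result from this check is a reasonable proxy for what deps.dev style scanners will see.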