Bug#950363: licensecheck reports dubious (may be misleading) information for image files

Dominique Dumont dod at debian.org
Fri Feb 7 13:34:18 GMT 2020


On Thursday, 6 February 2020 11:21:01 CET Jonas Smedegaard wrote:
> There are two machine-readable outputs currently, enabled by either of
> options "--machine" or "--deb-machine" - I assume you are talking about
> the latter.

Nope. cme uses the "--machine" option, whose output is easier to parse.

I don't really need the "FIXME" tag, as cme either provides a similar message
(although in a more verbose way) or provides the correct value (from control
information or using Software::LicenseMoreUtils).

> Yes, I plan to include most possible in machine-readable output, but
> will (for the "--deb-machine" format) keep within the boundaries of
> https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ - so
> what you should worry about should only be if you are making too strict
> assumptions on that format.  

Which makes it harder to parse.

> In particular, beware that it is plain
> wrong to only expect explicitly defined fields (as per § 4: "Extra
> fields can be added to any paragraph").

Yes, I've been bitten by this. This is now taken care of [1].

> Now that I write this, it occurs to me that
> it probably makes sense to expand those FIXMEs to add some explanatory
> text.

Agreed.

> I imagine that qualities are of different importance for different uses
> of licensecheck.  An author might be interested in correcting errors,
> and a larger organization of authors (e.g. KDE) might want to ensure
> coherence both in writing style and in licensing "regime" (in lack of a
> better word: which political field they want to stay within - e.g.
> "GNU-compatible copyleft" or "Apache semi-copyleft without
> GPL-contamination"), whereas a distributor like Debian is less
> interested about style (we cannot change it anyway) except for details
> directly harmful for our work (e.g. wrong contact information as has
> happened with FSF changing postal address).

Understood. I'm mostly focused on Debian use case.

> ...then maybe I should add " and/or UNKNOWNS" to _all_ detections -
> which is currently implied by the "FIXME" comments.

The way I see it, the FIXME comment instructs the user to find the license text.
I assume that the license is correctly detected unless specified otherwise
(with "and/or"). I know that licensecheck is a heuristic tool and misdetections
are possible. But I cannot afford to systematically verify each file.

Adding " and/or UNKNOWNS" to _all_ detections would make me question
the added value of licensecheck.

> To clarify: When licensecheck says "GPL-2+ and/or MIT" then it means
> "this file is seemingly licensed under GPL-2+ and/or MIT (and/or
> additional terms not auto-detected)" (not "this file is _only_ licensed
> under GPL-2+ and/or MIT").

No problem.

> If cme warns about "and/or" needing human investigation but not FIXMEs,
> then it implicitly says FIXMEs need less human investigation which is
> plain wrong!

cme uses "-m" option, so "FIXMEs" are currently not seen by cme. However, 
cme either fills the blank with the correct license text or warns the user about
missing license text.

All the best

[1] https://salsa.debian.org/perl-team/modules/packages/libconfig-model-dpkg-perl/blob/master/lib/Config/Model/models/Dpkg/Copyright/Content.pl#L6
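The two parsing points raised in the thread, that a consumer of copyright-format 1.0 output must accept fields it does not know about (§ 4, "Extra fields can be added to any paragraph") and that an "and/or" in a detected License value is a signal for human review rather than a definitive answer, are illustrated below. This is an added example written for this page, not code from licensecheck, cme or the thread; the sample text it parses is constructed, and the `X-Comment` field and the `FIXME` continuation line are assumptions used only to exercise the tolerant parsing.

```python
"""Tolerant parser for Debian copyright-format 1.0 (DEP-5) paragraphs.

Added illustration, not project code: unknown fields are kept instead of
rejected, and License values containing "and/or" (or a FIXME marker) are
flagged as needing a human to look at the file.
"""
import re

# Constructed sample input. The X-Comment field and the FIXME continuation
# line are assumptions made up for this example.
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example

Files: *
Copyright: 2020 Example Author
License: GPL-2+
X-Comment: extra field that a strict parser would wrongly reject

Files: lib/vendored.js
Copyright: 2019 Someone Else
License: GPL-2+ and/or MIT
 FIXME
"""


def parse_paragraphs(text):
    """Split RFC-822-style text into a list of dicts, one per paragraph.

    Continuation lines (leading whitespace) are appended to the previous
    field.  Field names are not validated against a fixed list, so extra
    fields survive untouched rather than raising.
    """
    paragraphs = []
    current = {}
    last_field = None
    for line in text.splitlines():
        if not line.strip():
            # Blank line ends the current paragraph.
            if current:
                paragraphs.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t":
            if last_field is None:
                raise ValueError("continuation line without a field: %r" % line)
            current[last_field] += "\n" + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        last_field = name.strip()
        current[last_field] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def needs_review(license_value):
    """True when the License value is not a definitive detection.

    The first line is the short license name; "and/or" there means the
    detector saw several candidates.  A FIXME anywhere in the value is an
    assumed marker left for the packager.
    """
    first_line = license_value.splitlines()[0] if license_value else ""
    return bool(re.search(r"\band/or\b", first_line)) or "FIXME" in license_value


def files_needing_review(text):
    """Return the Files patterns whose license detection should be checked by hand."""
    return [p["Files"] for p in parse_paragraphs(text)
            if "Files" in p and needs_review(p.get("License", ""))]


if __name__ == "__main__":
    for para in parse_paragraphs(SAMPLE):
        print(sorted(para))            # every field, including X-Comment, is kept
    print(files_needing_review(SAMPLE))  # ['lib/vendored.js']
```

The parser deliberately does not whitelist field names; the only errors it raises are for text that is not a valid paragraph at all (a continuation line with nothing to continue, or a line with no colon). Review is keyed off the License value itself, so a file whose detection was definitive is not re-flagged.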



More information about the pkg-perl-maintainers mailing list