  1. Qt Quality Assurance Infrastructure
  2. QTQAINFRA-6772

Integrate scancode for analysing third-party code


Details

    • User Story
    • Resolution: Unresolved
    • P3: Somewhat important
    • Gerrit

    Description

      When adding third-party code to Qt Project repositories, the author and reviewer should take extra care to document the copyright and licenses in these files (see QUIP 4). The information needs not only to match the information in qt_attribution.json files (see QUIP 7), but now also to satisfy reuse compliance (see QUIP 18, https://contribute.qt-project.org/quips/18).

      Often enough, the upstream projects claim some general copyright and license (for instance in a README file), but leave out some minor copyrights or licenses. So, before adding and updating such projects, it is important to do an actual audit of the license and copyright in the sources versus in the documentation.

      A popular tool for scanning such licenses is scancode. It can be launched from the command line, and produces output in various formats.

      Scancode is not difficult to set up (there are also ready-made docker images etc.), but it does still require some experience to use efficiently. It would therefore be great if such a service were integrated into gerrit, as a requested automatic review.
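      The audit described above, as an added example rather than anything from this issue or from the Qt tooling: it takes a scancode JSON report and a qt_attribution.json entry and lists files whose detected license or copyright is not covered by the attribution. The report excerpt and the attribution entry are constructed, and the scancode field names (`detected_license_expression_spdx`, `copyrights`) are an assumption about the v32 report format.

```python
import json
import re

# Constructed excerpt of a scancode-toolkit JSON report, as produced by
# `scancode --license --copyright --json report.json <dir>`. The field names
# are an assumption about the v32 output format, not taken from this issue.
SCANCODE_REPORT = json.loads("""{
  "files": [
    {"path": "thirdparty/foo", "type": "directory"},
    {"path": "thirdparty/foo/foo.c", "type": "file",
     "detected_license_expression_spdx": "MIT",
     "copyrights": [{"copyright": "Copyright (c) 2019 Example Author"}]},
    {"path": "thirdparty/foo/compat/strlcpy.c", "type": "file",
     "detected_license_expression_spdx": "BSD-3-Clause",
     "copyrights": [{"copyright": "Copyright (c) 1998 Other Contributor"}]}
  ]
}""")

# Constructed qt_attribution.json entry covering the same directory.
ATTRIBUTION = json.loads("""{
  "Id": "foo", "Name": "Foo", "Path": "thirdparty/foo",
  "LicenseId": "MIT", "Copyright": "Copyright (c) 2019 Example Author"
}""")

SPDX_OPERATORS = {"AND", "OR", "WITH"}

def spdx_ids(expression):
    """Split an SPDX expression into its bare license identifiers."""
    return {t for t in re.findall(r"[A-Za-z0-9.+-]+", expression or "")
            if t.upper() not in SPDX_OPERATORS}

def audit(report, attribution):
    """Return (path, kind, detail) findings where the scanned sources disagree
    with what the attribution entry declares."""
    declared_licenses = spdx_ids(attribution["LicenseId"])
    declared_copyright = " ".join(attribution["Copyright"].split()).lower()
    findings = []
    for entry in report["files"]:
        if entry["type"] != "file" or not entry["path"].startswith(attribution["Path"] + "/"):
            continue  # only files below the attributed Path are in scope
        detected = spdx_ids(entry.get("detected_license_expression_spdx"))
        for lic in sorted(detected - declared_licenses):
            findings.append((entry["path"], "undeclared license", lic))
        for c in entry.get("copyrights", []):
            stmt = " ".join(c["copyright"].split())  # normalise whitespace
            if stmt.lower() not in declared_copyright:
                findings.append((entry["path"], "undeclared copyright", stmt))
    return findings

if __name__ == "__main__":
    for path, kind, detail in audit(SCANCODE_REPORT, ATTRIBUTION):
        print(f"{path}: {kind}: {detail}")
```

      With the constructed data the compat/strlcpy.c file is reported twice, once for the BSD-3-Clause license and once for the copyright holder missing from the attribution.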


            People

              daniel.smith Daniel Smith
              kkohne Kai Köhne