proprietary licenses: report copyright holder/vendor

[armijnhemel]

Description

Some license rules for proprietary licenses are specific to a single vendor, yet scancode does not report the copyright holder. An example is proprietary-license_663.RULE which is specific to MediaTek. It would be useful to report the vendor.

System configuration

$ ./scancode --version
ScanCode version: v32.0.0rc3-105-g6b1c2ce1d4
ScanCode Output Format version: 3.0.0
SPDX License list version: 3.20

[armijnhemel]

Description

Some license rules for proprietary licenses are specific to a single vendor, yet scancode does not report the copyright holder. An example is proprietary-license_663.RULE which is specific to MediaTek. It would be useful to report the vendor.

To clarify: of course if I would enable the copyright scan I would get that information, but then I would also get a lot of other information that I might not want to know (all of the copyright statements in a project for example, sometimes I am not interested in those). Since this license already is known to be Mediatek it makes sense to flag it as such (and this is true in general for many proprietary licenses: specific to a single vendor).

[mjherzog]

I can see why it would be helpful to consider the supplier referenced in a proprietary-license as the copyright holder but there are some conceptual and technical considerations.

• On the conceptual side the supplier referenced may not accurately represent the copyright holder.
  • A common example is when a company acquires a product/codebase and does not change the original copyright notices in the code. In this use case, some companies update the copyrights for old code (e.g. Oracle), but many do not. The original copyright notices are very useful here for provenance analysis.
  • Another use case is where the supplier license overlays third-party code included in a package/component. This is likely very common where the package/component includes third-party FOSS.
• On the technical side, returning the supplier name as copyright holder could be confusing in two ways:
  • If you did not request --copyright in your Scan options, how will a reviewer understand where the data comes from.
  • If you did request --copyright in your Scan options, how will the origin of the supplier reference be shown as distinct from a copyright notice. Otherwise a reviewer may be confused or think that this is a bug in copyright detection.

[armijnhemel]

I looked a bit into some of the data files and what I can see is that some of the .LICENSE files have a field called owner, for example:

---
key: ralink-firmware
short_name: Ralink Firmware License
name: Ralink Firmware License
category: Proprietary Free
owner: MediaTek
homepage_url: http://iotdk.intel.com/repos/3.0/licenses/linux-firmware/LICENCE.ralink-firmware.txt
spdx_license_key: LicenseRef-scancode-ralink-firmware
ignorable_urls:
    - http://opensource.org/licenses
---

That is basically the field that I want, so if that could be reported for more proprietary licenses it would be useful.