explosion / cython-blis

💥 Fast matrix-multiplication as a self-contained Python library – no system dependencies!

align with BSD OSI template #82

Closed lsmith77 closed 1 year ago

lsmith77 commented 1 year ago

This ensures that GitHub can properly detect the license:

licensee detect .
License:        BSD-3-Clause
Matched files:  LICENSE
LICENSE:
  Content hash:  64030e858d08e2b9b2a8cae5cc61334fd986c5dd
  Attribution:   Copyright (C) 2018, The University of Texas at Austin, 2016, Hewlett Packard Enterprise , 2018, Advanced Micro Devices, Inc.
  Confidence:    99.58%
  Matcher:       Licensee::Matchers::Dice
  License:       BSD-3-Clause
  Closest non-matching licenses:
    BSD-3-Clause similarity:        99.58%
    BSD-4-Clause similarity:        86.76%
    BSD-3-Clause-Clear similarity:  85.30%
adrianeboyd commented 1 year ago

This license text is a modified copy of the LICENSE file from the upstream flame/blis repo. It's useful that you bring this up because it turns out that it does need to be updated to the most recent version (with updated years and copyright holders), and it should also continue to include ExplosionAI GmbH (us) as additional copyright holders.

I'm curious about how the github license auto-detection is useful for license compliance? The analysis from licensee does not seem useful for anything beyond a rough initial search.

lsmith77 commented 1 year ago

It allows defining policies that can be automatically checked, e.g. via https://github.com/GeekMasher/advanced-security-compliance

adrianeboyd commented 1 year ago

licensee's algorithm looks like it shouldn't be relied on for this. It identifies the following as BSD-3-Clause:

Copyright (c) 2022 Adriane Boyd

- - - A above above ADVISED and and and and AND AND AND AND and/or ANY ANY ANY
  ANY are are ARE ARISING "AS be BE binary binary BUSINESS BUT BUT BY CAUSED
code conditions conditions conditions CONSEQUENTIAL CONTRACT, contributors
CONTRIBUTORS CONTRIBUTORS copyright copyright copyright COPYRIGHT COPYRIGHT
DAMAGE.  DAMAGES DATA, derived DIRECT, DISCLAIMED.  disclaimer disclaimer.
distribution.  documentation endorse even EVEN EVENT EXEMPLARY, EXPRESS FITNESS
following following following FOR FOR form forms, from GOODS HOLDER holder(s)
HOLDERS HOWEVER if IF IMPLIED IMPLIED in in in IN IN IN INCIDENTAL, (INCLUDING
(INCLUDING, INCLUDING, INDIRECT, INTERRUPTION) IS IS" its LIABILITY, LIABILITY,
LIABLE LIMITED LIMITED list list LOSS materials may MERCHANTABILITY met:
modification, must must name(s) names NEGLIGENCE Neither NO nor not NOT NOT
notice, notice, of of of of of OF OF OF OF OF OF OF OF ON or or OR OR OR OR OR
OR OR OR other OTHERWISE) OUT PARTICULAR permission.  permitted POSSIBILITY
prior PROCUREMENT products PROFITS; promote provided PROVIDED PURPOSE
Redistribution Redistributions Redistributions reproduce retain SERVICES; SHALL
software SOFTWARE SOFTWARE, source source SPECIAL, specific STRICT SUBSTITUTE
SUCH the the the the the the the the the the THE THE THE THE THE THEORY this
this this THIS THIS to TO, TO, TORT use USE USE, used WARRANTIES WARRANTIES,
WAY WHETHER with with without without written
License:        BSD-3-Clause
Matched files:  LICENSE
LICENSE:
  Content hash:  798aba49704005360451f942c66a1fc2358f1095
  Attribution:   Copyright (c) 2022 Adriane Boyd
  Confidence:    99.16%
  Matcher:       Licensee::Matchers::Dice
  License:       BSD-3-Clause
  Closest non-matching licenses:
    BSD-3-Clause similarity:        99.16%
    BSD-4-Clause similarity:        86.03%
    BSD-3-Clause-Clear similarity:  84.89%
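To show concretely why a bag-of-words similarity gives the shuffled text above almost the same score as the real license, here is an added Python example (written for this page, not licensee's own code): a hypothetical Dice stand-in over word multisets is compared with an order-sensitive ratio on a constructed BSD-style sample, and a verdict flags the case where only the bag-of-words score is high.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample standing in for a license file (not the real LICENSE text).
REFERENCE = """Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS."""


def tokens(text):
    """Lower-cased word tokens, the normalisation a bag-of-words matcher applies."""
    return re.findall(r"[a-z0-9]+", text.lower())


def dice_bag_of_words(a, b):
    """Sorensen-Dice over word multisets (hypothetical stand-in for a
    bag-of-words matcher). Word order plays no part in the score."""
    ca, cb = Counter(tokens(a)), Counter(tokens(b))
    overlap = sum((ca & cb).values())
    return 2 * overlap / (sum(ca.values()) + sum(cb.values()))


def ordered_similarity(a, b):
    """Order-sensitive ratio over the token sequence; reordering lowers it."""
    return SequenceMatcher(None, tokens(a), tokens(b), autojunk=False).ratio()


def shuffled(text):
    """Sort the words alphabetically, mimicking the scrambled text in the thread."""
    return " ".join(sorted(tokens(text)))


def compare(candidate, reference=REFERENCE):
    """Return both scores for a candidate against the reference text."""
    return {"dice": dice_bag_of_words(candidate, reference),
            "ordered": ordered_similarity(candidate, reference)}


def verdict(candidate, reference=REFERENCE, threshold=0.95):
    """'match' only when the ordered score is high; a high bag-of-words score
    with a low ordered score means the words were rearranged: review it."""
    scores = compare(candidate, reference)
    if scores["ordered"] >= threshold:
        return "match"
    if scores["dice"] >= threshold:
        return "bag-of-words only: review needed"
    return "no match"
```

Running `compare(shuffled(REFERENCE))` gives a Dice score of exactly 1.0 while the ordered score collapses, which is the failure mode the scrambled BSD text above demonstrates.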
lsmith77 commented 1 year ago

Interesting... that is a surprisingly/disappointingly high level of confidence.

I have opened a ticket https://github.com/licensee/licensee/issues/602

adrianeboyd commented 1 year ago

I can see how the licensee license auto-detection could be useful for initial browsing in github, but for license compliance you'd need something like SPDX identifiers (which we'll add to the package license metadata in https://github.com/explosion/cython-blis/pull/84) and when dealing with full license texts you'd always need some level of human review.

lsmith77 commented 1 year ago

OK, thank you for looking into this, and I understand your take. licensee is clearly currently not able to handle malicious tampering, which indeed limits its use for legal compliance tracking.

At the same time, given the number of dependencies any project has these days, it is not really realistic to rely on manual inspection. But I guess this means there is a larger challenge here yet to be solved. I guess there are some vendors that offer proprietary data for this; not sure if their data is more reliable, but I guess it gives a “throat to choke”.