Open fviernau opened 10 months ago
Just to capture some thoughts from today's Kotlin Dev meeting: Basically we already have the `skip_concluded` mechanism for this. However, `skip_concluded` can only be enabled globally, and there could be cases where a `concluded_license` should be combined with detected copyrights from existing scan results. This would require to copy these detected copyrights to authors in package curations currently, which might be undesired. A work-around for this could be to look for existing copyrights in the scan storage before `skip_concluded` is interpreted.
Use case:
As a lawyer reviewing scan result in context of license compliance, I want to know the set of packages for which the report blindly trusts the provided license info (e.g. declared license or SBOM), without verification (running a license scanner against the codebase), in order to better understand the risks.
(I guess security would also have a use case for such flag)
I'm having trouble understanding how "blindly trust the provided license info" equals the "no sources are available" semantics because there could be cases where the source code is available, but you still decide to not take scan results into account (or scan at all) just for simplicity of the process.
The curation should add a flag `no_sources_available`, analog to `is_metadata_only`, with analog handling, e.g. if `true` no attempt to download or scan the package's source code.

Motivation:

`is_metadata_only` [1], [2]: curations with dedicated semantics provide a better matching based on identifier instead of regex, and have clear semantics as opposed to free text resolution messages. So, the curations provide more information which can be useful for automated consumption from e.g. the policy rules.

`is_metadata_only` and `no_sources_available` -> Because it provides more information enabling use cases like: for packages with `is_metadata_only=true` it's ok if the package does not have a license, while for `no_sources_available` it isn't.

[1] https://github.com/oss-review-toolkit/ort/pull/2939
[2] https://github.com/oss-review-toolkit/ort/issues/2897
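To make the reviewer's use case concrete, here is an added `rules.kts` sketch (not code from this issue or from ORT) that lists every package whose license information the report takes from metadata alone because no scan result exists. It assumes the rules DSL shape of ORT's example `rules.kts` (`ruleSet`, `packageRule`, `require`, `RuleMatcher`, `hint`), `OrtResult.getScanResultsForId()` and `Package.isMetadataOnly`; since the proposed `no_sources_available` flag does not exist yet, "trusted without scan" is approximated as "not metadata-only and no stored scan result".

```kotlin
// Added illustration for this issue, not ORT project code. DSL shape and
// the getScanResultsForId()/isMetadataOnly members are assumed to exist as
// in ORT's example rules.kts; the no_sources_available flag is only proposed.

// Matcher: true when the scan storage holds no result for this package.
fun PackageRule.hasNoScanResult() = object : RuleMatcher {
    override val description = "hasNoScanResult(${pkg.metadata.id.toCoordinates()})"

    override fun matches() = ortResult.getScanResultsForId(pkg.metadata.id).isEmpty()
}

// Matcher: true when the package is curated as metadata-only, i.e. it has
// no code to scan by design and a missing license is acceptable.
fun PackageRule.isCuratedMetadataOnly() = object : RuleMatcher {
    override val description = "isCuratedMetadataOnly(${pkg.metadata.id.toCoordinates()})"

    override fun matches() = pkg.metadata.isMetadataOnly
}

val ruleSet = ruleSet(ortResult) {
    // Surfaces packages whose declared/SBOM license is used unverified, so a
    // reviewer can see exactly which license information the report trusts.
    packageRule("LICENSE_TRUSTED_WITHOUT_SCAN") {
        require {
            -isExcluded()
            -isCuratedMetadataOnly()
            +hasNoScanResult()
        }

        hint(
            "License information for '${pkg.metadata.id.toCoordinates()}' comes from " +
                "metadata only; no scan result exists for this package.",
            "Verify the declared license against the package's sources, or curate the " +
                "package as metadata-only if it has no sources."
        )
    }
}

ruleSet.violations
```

Once a dedicated `no_sources_available` flag exists, the `hasNoScanResult()` heuristic can be replaced by reading that flag from the curated package, which gives the rule the clear semantics the issue argues for.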