[RFC] Licence tracking in Baserock

Adam Coldrick adam.coldrick at codethink.co.uk
Fri Feb 6 14:01:38 GMT 2015

Hi all,

At the meetup yesterday we had a BoF session regarding licence tracking
in Baserock. I'll attempt to summarise the points and actions that came
out of that session here.

We decided that the aim of licence tracking in Baserock for now should
be to produce information on the licences imposed on components rather
than to try to add some intelligence around the implications of these

We would like to be able to go from a set of definitions to a warrant
which lists the licences imposed on components in that set of

We decided that this warrant should be an SPDX document as we believe
that to be the best syntax currently, and no-one in the group disagreed.
Also, there is an amount of existing tooling for generating SPDX
warrants from source code repositories and tooling to read SPDX
documents and generate reports.

It was also suggested that a long-term goal should be to have our source
code management system store some set of warrants for any given git
repository, and be able to show the delta between the warranted state
(i.e. the state when it was recieved) and the current state.

We also decided that we should state the following once we begin
generating these warrants:

We are machine generating a warrant of the licencing from the source
code in SPDX.

# Actions

We assembled the following list of actions:

* Make our licence checking script use SPDX tooling to generate an SPDX
  warrant from each repository mentioned in the definitions repository.
* Cache this information and have the ability to get the warrants for
  individual repositories later.
* Generate warrants for all systems built by Mason each time Mason runs.
* Write a warrant for Baserock tooling.
* Decide on a licence for content on wiki.baserock.org.
* Check if the content on wiki.baserock.org is automatically copyright
  the author, and if not find out what it is.

Please feel free to raise any issues and comments you have with what we
discussed. If you were there and feel like I've misrepresented anything
that was said, do tell me!

Best regards,


More information about the baserock-dev mailing list