When people who copy and distribute Open Source software for whatever purpose are asked what they think most hinders and limits the use of such software, they regularly answer, "Clearing a software component for distribution and correctly fulfilling the various license obligations is so much painful work." And they usually add: "It's especially painful because you know that most of the work has been done a thousand times before by others, but you can't get to the results." It therefore seems obvious to share this effort, just as the development of the software itself is shared. To do so, three prerequisites must be fulfilled:
A minimal set of clearing information must be defined, and a database must be provided to store curated data.
A platform must be established where a community can grow that creates, shares, and makes such curation data generally available.
To create trust in the reliability of the provided material, its quality must be undeniably high, requiring experienced and responsible contributors and continuous, rigorous and thorough review.
To make this happen, the OSSelot project was established and a separate homepage was created. The project was launched publicly at the December COOL event; the presentations and videos from this event can be found here.
Since then, another COOL event on the curation of data and the OSSelot contribution process has taken place, in March 2024; presentations and videos are available here. A session on tooling to integrate OSSelot data into OpenEmbedded and Yocto build systems is scheduled for September 2024. Details and registration can be found on the event page.
Provided artifacts
The project data are provided in a publicly accessible repository for selected versions of software packages such as Coreboot, the Linux kernel or the OpenSSL library. Typically, three artifacts are included per package – a README file with general information, an SPDX tag:value file with curated data for every single source code file and a ready-to-use OSS disclosure file. The tag:value files can be integrated into the build process, so only the licenses of those files that are actually compiled into the build artifact and distributed need to be considered. In addition, the tag:value files contain annotations to the license conclusions to elucidate decisions that are not obvious. The OSS disclosure files contain all applicable licenses and all copyright notices for the entire package. In addition, the OSS disclosure files contain "acknowledgment text" when such acknowledgment is required by the license.
Following the principle of Open Source software development, contributions, review of existing data and bug reports are encouraged. Feedback can be given via issues in the Git repository or by direct contact to info@osadl.org. In return, any inconsistencies or problems found while curating data are communicated to the respective projects in the hope that future versions are improved for everyone.
License
All material that is part of the OSSelot project is licensed under CC0 1.0 Universal.
The following presentations show how the curation database can be used to facilitate license clearing of packages for which matching curation data exist, and of packages of a somewhat different version, e.g. after an upgrade.
Last modified: July 15, 2022
What is an SPDX tag:value file and what does it look like?
For now, the SPDX tag:value file format has been selected as the primary file format of this curation database. Some conversion tools to and from this format are already available, and some more will be developed during this project. The SPDX tag:value files are normally generated by clearing tools such as FOSSology, and can be imported back into such clearing tools, but are also human readable. The following section provides details about the internal structure of such a file.
SPDX tag:value file template
Header
SPDXVersion: SPDX version
DataLicense: Data license

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
Document Information
##-------------------------
## Document Information
##-------------------------
DocumentNamespace: Document namespace
DocumentName: Document name
SPDXID: SPDXID
##-------------------------
## Creation Information
##-------------------------
Creator: Tool: Creator's tool
Creator: Person: Creator's name
CreatorComment: <text>Creator comment</text>
Created: Date
LicenseListVersion: License list version

##-------------------------
## Creation Information
##-------------------------
Creator: Tool: spdx2
Creator: Person: ■■■■■■ ■■■■■
CreatorComment: <text>This document was created using license information and a generator from Fossology. It contains the license and copyright analysis of OpenSSL 3.0.5 Please check "LicenseComments" for explanations of concluded licenses</text>
Created: 2022-07-06T14:58:22Z
LicenseListVersion: 2.6
Package Information
##-------------------------
## Package Information
##-------------------------
PackageName: Package name
PackageFileName: Package file name
SPDXID: SPDXRef-ID
PackageDownloadLocation: Package download location
PackageVerificationCode: Package verification code
PackageChecksum: SHA1: SHA1 package checksum
PackageChecksum: SHA256: SHA256 package checksum
PackageChecksum: MD5: MD5 package checksum
PackageLicenseConcluded: Package license concluded
PackageLicenseDeclared: Package license declared
PackageLicenseComments: <text>Package license comments</text>
PackageLicenseInfoFromFiles: Package license info from files
PackageCopyrightText: Package copyright text
##--------------------------
## File Information
##--------------------------

##File
FileName: openssl-openssl-3.0.5.tar.gz/openssl-openssl-3.0.5.tar/openssl-openssl-3.0.5/crypto/LPdir_unix.c
SPDXID: SPDXRef-item158855997
FileChecksum: SHA1: b50a20e6245b786afcf902b2cafd1152d574d9e1
FileChecksum: SHA256: e720e0add98c697bca79885ade847dfd43b70359da9fa5c770a4604ea4fde17a
FileChecksum: MD5: fcd95dfa8a2f0e808f39822db1801cd2
LicenseConcluded: LicenseRef-Apache-2.0 OR LicenseRef-BSD-2-Clause-3185f2587757a9c63eaa83143f7c0386
LicenseComments: <text>Besides the Apache-2.0 header the following information is in the file: This file is dual-licensed and is also available under the following terms: Followed by the BSD-2-clause license text. Thus dual licensing was concluded AND NOASSERTION AND NOASSERTION </text>
LicenseInfoInFile: LicenseRef-Apache-2.0
LicenseInfoInFile: LicenseRef-OpenSSL
LicenseInfoInFile: LicenseRef-Dual-license
LicenseInfoInFile: LicenseRef-BSD-2-Clause_REGENTS-AND-CONTRIBUTORS
FileCopyrightText: <text>Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright (c) 2004, 2018, Richard Levitte <richard@levitte.org> All rights reserved.</text>
License information per license (may occur repeatedly)
##-------------------------
## License Information
##-------------------------
LicenseID: License ID
LicenseName: License name
ExtractedText: <text>Verbatim copy of license text</text>
Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] </text>
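The build-time use of the tag:value data described under "Provided artifacts" and the per-file records shown in the template above can be exercised with the following script. It is an added example, not OSSelot project code or an OSSelot tool: it parses SPDX 2.x tag:value records (including multi-line <text> values and ## comment lines) and then, for the files a build actually compiled, reuses the curated LicenseConcluded and FileCopyrightText only when the file's SHA256 matches the curated FileChecksum. A file that changed after an upgrade, that was never curated, or whose conclusion is still NOASSERTION is listed for manual review instead of being cleared by path name alone. Everything below is constructed for the demonstration: the tag:value document, both source trees, the checksums computed from them, the paths crypto/bn/bn_add.c and crypto/new_in_next_release.c, and the names PREFIX, CURATED_TREE, BUILT_TREE, SAMPLE_SPDX, parse_tag_value, parse_files and clear_build; only the LPdir_unix.c record echoes the page's own example.

```python
"""Reuse per-file SPDX tag:value curation data for exactly the files a build compiled.
Added example, not OSSelot project code; all inputs below are constructed for the demo."""
import hashlib
import re

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Yield (tag, value) pairs.  '#' lines are comments; a value opening
    with <text> continues, possibly over several lines, up to </text>."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip() or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"malformed tag:value line: {line!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):
            buf = value[len("<text>"):]
            while "</text>" not in buf:
                if i >= len(lines):
                    raise ValueError(f"unterminated <text> in {tag}")
                buf, i = buf + "\n" + lines[i], i + 1
            value = buf[: buf.index("</text>")]
        yield tag, value.strip()


def parse_files(text):
    """FileName opens a per-file record; LicenseID (license section) ends them."""
    files, rec = {}, None
    for tag, value in parse_tag_value(text):
        if tag == "FileName":
            rec = files[value] = {"sha256": None, "license": "NOASSERTION", "copyright": ""}
        elif tag == "LicenseID":
            rec = None
        elif rec is None:
            continue  # document- and package-level tags are not needed here
        elif tag == "FileChecksum" and value.upper().startswith("SHA256:"):
            rec["sha256"] = value.split(":", 1)[1].strip().lower()
        elif tag == "LicenseConcluded":
            rec["license"] = value
        elif tag == "FileCopyrightText":
            rec["copyright"] = value
    return files


def clear_build(spdx_text, built, prefix):
    """built maps each compiled file (path relative to the unpacked tree) to its
    bytes.  A curated conclusion is reused only if the built file's SHA256 equals
    the curated checksum.  Returns (sorted licenses, copyright notices, review list)."""
    curated = {(n[len(prefix):] if n.startswith(prefix) else n): r
               for n, r in parse_files(spdx_text).items()}
    licenses, notices, review = set(), [], []
    for path, content in sorted(built.items()):
        rec = curated.get(path)
        if rec is None or rec["license"] in ("NOASSERTION", "NONE"):
            review.append((path, "no curated conclusion"))
        elif rec["sha256"] != hashlib.sha256(content).hexdigest():
            review.append((path, "checksum mismatch"))
        else:
            licenses.add(rec["license"])
            if rec["copyright"] not in ("", "NOASSERTION", "NONE"):
                notices.append(rec["copyright"])
    return sorted(licenses), notices, review


# Constructed source bodies of the release that the constructed curation describes.
PREFIX = "openssl-openssl-3.0.5.tar.gz/openssl-openssl-3.0.5.tar/openssl-openssl-3.0.5/"
CURATED_TREE = {
    "crypto/LPdir_unix.c": b"/* Apache-2.0 OR BSD-2-Clause */\nint lp_dir(void) { return 0; }\n",
    "crypto/bn/bn_add.c": b"/* Apache-2.0 */\nint bn_add(int a, int b) { return a + b; }\n",
}
SHA = {p: hashlib.sha256(b).hexdigest() for p, b in CURATED_TREE.items()}
SAMPLE_SPDX = f"""SPDXVersion: SPDX-2.2
## File Information
FileName: {PREFIX}crypto/LPdir_unix.c
FileChecksum: SHA256: {SHA['crypto/LPdir_unix.c']}
LicenseConcluded: Apache-2.0 OR BSD-2-Clause
FileCopyrightText: <text>Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright (c) 2004, 2018, Richard Levitte <richard@levitte.org> All rights reserved.</text>
FileName: {PREFIX}crypto/bn/bn_add.c
FileChecksum: SHA256: {SHA['crypto/bn/bn_add.c']}
LicenseConcluded: Apache-2.0
FileCopyrightText: <text>Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.</text>
LicenseID: LicenseRef-Dual-license
ExtractedText: <text>This file is dual-licensed and is also available under the following terms:</text>
"""
# Constructed next-release build: LPdir_unix.c unchanged, bn_add.c modified, one new file.
BUILT_TREE = {
    "crypto/LPdir_unix.c": CURATED_TREE["crypto/LPdir_unix.c"],
    "crypto/bn/bn_add.c": b"/* Apache-2.0 */\nint bn_add(int a, int b) { return a + b; } /* v2 */\n",
    "crypto/new_in_next_release.c": b"int new_fn(void) { return 42; }\n",
}

if __name__ == "__main__":
    print(*clear_build(SAMPLE_SPDX, BUILT_TREE, PREFIX), sep="\n")
```

With the constructed input, LPdir_unix.c is cleared under its dual license and its two copyright notices are carried into the disclosure, while bn_add.c (checksum mismatch) and the new file (no curated record) are flagged. The checksum gate is the point: curation data is a statement about exact file contents, so after a package upgrade, matching by path alone would silently reuse conclusions for files whose license headers may have changed.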