Allow to curate copyrights directly (not via authors) #4519

Open
sschuberth opened this issue Sep 30, 2021 · 5 comments · May be fixed by #5680
Labels
enhancement Issues that are considered to be enhancements model About the data model

Comments

@sschuberth
Member

> adding the Copyright holder statements to the org.ossreviewtoolkit.model.PackageCurationData entity

FYI, I just pushed my local curate-copyrights branch which trivially starts doing that.

@rbieniek do you want to take over that branch of mine?

Originally posted by @sschuberth in #4463 (comment)

@sschuberth sschuberth added enhancement Issues that are considered to be enhancements model About the data model labels Sep 30, 2021
@tsteenbe
Member

tsteenbe commented Oct 7, 2021

Being able to curate copyright holders would be really useful but are you thinking of implementing it in curations.yml or package configurations?

I am asking as I have the following case: for Maven:org.apache.activemq:activemq-broker:5.16.2 the root LICENSE, e.g. https://github.com/apache/activemq/blob/ff1af27106c74ad930c5bd12e8c0159e522efb70/LICENSE, includes licenses applicable for other activemq packages but not activemq-broker.

I wanted to fix this via a package configuration instead of curations.yml, but then I figured out that I can remove non-applicable detected licenses (BSD-3-Clause, CC-BY-2.5, CC-BY-SA-2.5, LicenseRef-scancode-cc-devnations-2.0, LicenseRef-scancode-ekioh, MIT, NOASSERTION) but I can't remove non-applicable copyright statements.

I see several ways on how we can handle this case:
A) If you remove a detected license by concluding the license (via package configuration or curations.yml), then associated copyright holders for licenses not in concluded will be removed. In this way, ORT users do not have to make a lot of copyright curations but can focus on licenses.
B) Above A) does not cover the case where copyrights are not associated to a license, so we need a mechanism to otherwise allow adding and removing copyrights and/or associating copyrights to a license.

Adding this topic to ORT developer meeting agenda to reach consensus on the best way to implement curating copyright holders.

@sschuberth
Member Author

> @rbieniek do you want to take over that branch of mine?

Ping @porsche-rbieniek and @porsche-rishisaxena as a reminder to move this forward.

porsche-rbieniek added a commit to porsche-rbieniek/ort that referenced this issue May 4, 2022
…model property carrying curated copyright holders.

The rationale behind this is that the German law makes a distinction between authors and copyright holders.

Signed-off-by: Rainer Bieniek <[email protected]>
@porsche-rbieniek

Porsche solution submitted as #5315

@sschuberth
Member Author

> Porsche solution submitted as #5315

Please associate issues with PRs by using one of the respective keywords in one of the commits in the PR instead of manually adding comments.

porsche-rbieniek added a commit to porsche-rbieniek/ort that referenced this issue Jun 30, 2022
In German law, the author and the copyright holder can be two separate
legal entities and therefore also need to be treated separately.

Introduce a new copyright holder field that is now the primary source
for copyright holder information. Authors are still only used as
copyright holders if the `addAuthorsToCopyrights` option is enabled.

For now, all package manager implementations set empty copyright
holders. Filling the copyright holder field is left as an exercise for
future actions. Right now, the only way to add copyright holders is via
curations.

This change resolves oss-review-toolkit#4519

Signed-off-by: Rainer Bieniek <[email protected]>
porsche-rbieniek added a commit to porsche-rbieniek/ort that referenced this issue Jun 30, 2022
In German law, the author and the copyright holder can be two separate
legal entities and therefore also need to be treated separately.

Introduce a new copyright holder field that is now the primary source
for copyright holder information. Authors are still only used as
copyright holders if the `addAuthorsToCopyrights` option is enabled.

For now, all package manager implementations set empty copyright
holders. Filling the copyright holder field is left as an exercise for
future actions. Right now, the only way to add copyright holders is via
curations.

This change resolves oss-review-toolkit#4519.

Signed-off-by: Rainer Bieniek <[email protected]>
porsche-rbieniek added a commit to porsche-rbieniek/ort that referenced this issue Jul 12, 2022
In German law, the author and the copyright holder can be two separate
legal entities and therefore also need to be treated separately.

Introduce a new copyright holder field that is now the primary source
for copyright holder information. Authors are still only used as
copyright holders if the `addAuthorsToCopyrights` option is enabled.

For now, all package manager implementations set empty copyright
holders. Filling the copyright holder field is left as an exercise for
future actions. Right now, the only way to add copyright holders is via
curations.

This change resolves oss-review-toolkit#4519.

Signed-off-by: Rainer Bieniek <[email protected]>
porsche-rbieniek added a commit to porsche-rbieniek/ort that referenced this issue Jul 13, 2022
In German law, the author and the copyright holder can be two separate
legal entities and therefore also need to be treated separately.

Introduce a new copyright holder field that is now the primary source
for copyright holder information. Authors are still only used as
copyright holders if the `addAuthorsToCopyrights` option is enabled.

For now, all package manager implementations set empty copyright
holders. Filling the copyright holder field is left as an exercise for
future actions. Right now, the only way to add copyright holders is via
curations.

This change resolves oss-review-toolkit#4519.

Signed-off-by: Rainer Bieniek <[email protected]>
@tsteenbe tsteenbe changed the title Allow to curate copyrights directly (not via authors) Allow to curate declared copyrights directly (not via authors) Jul 14, 2022
@tsteenbe
Member

Copy-paste from July 14th, 2022 ORT developer meeting minutes in which we had a discussion on how to implement curating declared copyrights

A. Use curations to fix up / curate copyrights

The declared copyrights come from package metadata collected by the ORT analyzer, which can be fixed up using curations.
Note that a lot of package managers do not have copyright fields, only author, contributors, developers, which in some cases are "mis-used" to convey copyright information. We could implement a parseCopyrights() to find copyright statements from parseAuthors(), e.g. entries starting with "copyright" or "(c)".

Below are several ideas for how curating declared licenses in curations.yml could look.

Remove a declared copyright

```yaml
declared_copyright_mapping:
   "MIT": ""
```

Add a declared copyright

```yaml
declared_copyright_mapping:
   "": "Copyright (C) 2022 John Doe"
```

Overwrite all declared copyrights with a single one:

```yaml
declared_copyright_mapping:
   "*": ""
   "": "Copyright (C) 2022 John Doe"
```

Overwrite all declared copyrights with more than one:

```yaml
declared_copyright_mapping:
   "*": ""
   "": "Copyright (C) 2022 John Doe"
   "": "Copyright (C) 2019 Jane Doe"
   "": "Copyright (C) 2012 Example, Inc"
```

Associate declared licenses with declared copyrights:

```yaml
declared_license_copyrights_mapping:
   "MIT": "Copyright (C) 2022 John Doe"
   "MIT": "Copyright (C) 2019 Jane Doe"
   "Apache-2.0": "Copyright (C) 2012 Example, Inc"
```

B. Use package configurations to curate detected copyrights

Introduce a copyright_finding_curation in package configurations to curate detected copyrights:

```yaml
id: "NPM::ansi-styles:4.2.1"
copyright_finding_curations:
  - path: "README.md"
    start_lines: "3"
    line_count: 11
    detected_copyright: ""
    reason: "INCORRECT"
    comment: "Copyright only written on project website."
    concluded_copyright: "Copyright (C) 2022 John Doe"
```

d. Associate detected licenses to detected copyrights in a package configuration

```yaml
id: "NPM::ansi-styles:4.2.1"
license_copyright_finding_curation:
  - license: "MIT"
    copyrights:
       - "Copyright (C) 2022 John Doe"
       - "Copyright (C) 2019 Jane Doe"
       - "Copyright (C) 2012 Example, Inc."
```

C. Use concluded copyright to overwrite both declared and detected

Introduce the concept of a concluded copyright? Should we introduce this, believe concluded_license should be removed from curations as it applies to both declared and detected licenses.

```yaml
concluded_copyright: "Copyright (C) 2022 John Doe"
```
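
The parseCopyrights() idea from the meeting minutes above, sketched in Kotlin as an added example (not ORT code and not part of the original comment). The function name follows the minutes; the `AuthorSplit` type, the word-boundary rule and the sample entries are assumptions constructed here.

```kotlin
// Added illustration; not ORT code. AuthorSplit and this parseCopyrights() are hypothetical.

/** Result of splitting raw "author"-like metadata entries. */
data class AuthorSplit(val authors: Set<String>, val copyrights: Set<String>)

// Matches a leading "copyright" (as a whole word) or "(c)" marker, case-insensitively.
private val COPYRIGHT_PREFIX = Regex("""^(copyright\b|\(c\))""", RegexOption.IGNORE_CASE)

/**
 * Split raw author entries into plain authors and copyright statements.
 * An entry counts as a copyright statement if it starts with "copyright" or "(c)".
 */
fun parseCopyrights(rawAuthors: Collection<String>): AuthorSplit {
    val authors = sortedSetOf<String>()
    val copyrights = sortedSetOf<String>()

    for (raw in rawAuthors) {
        // Trim and collapse internal whitespace so that duplicates compare equal.
        val entry = raw.trim().replace(Regex("""\s+"""), " ")
        if (entry.isEmpty()) continue

        if (COPYRIGHT_PREFIX.containsMatchIn(entry)) {
            copyrights.add(entry)
        } else {
            authors.add(entry)
        }
    }

    return AuthorSplit(authors, copyrights)
}

fun main() {
    // Constructed sample input, as it might appear in a package's author / developer fields.
    val raw = listOf(
        "Jane Doe <jane@example.com>",
        "Copyright (C) 2022 John Doe",
        "(c) 2012 Example, Inc",
        "  copyright   2019 Jane Doe ",
        "Copyrighted Works Ltd", // a name, not a statement: "copyright" must end at a word boundary
        ""
    )

    val result = parseCopyrights(raw)
    println("authors:    ${result.authors}")
    println("copyrights: ${result.copyrights}")
}
```

Entries that only mention a copyright marker later in the string stay classified as authors, which matches the "entries starting with" rule in the minutes.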

sschuberth pushed a commit that referenced this issue Aug 24, 2022
In German law, the author and the copyright holder can be two separate
legal entities and therefore also need to be treated separately.

Introduce a new copyright holder field that is now the primary source
for copyright holder information. Authors are still only used as
copyright holders if the `addAuthorsToCopyrights` option is enabled.

For now, all package manager implementations set empty copyright
holders. Filling the copyright holder field is left as an exercise for
future actions. Right now, the only way to add copyright holders is via
curations.

This change resolves #4519.

Signed-off-by: Rainer Bieniek <[email protected]>
sschuberth pushed a commit that referenced this issue Aug 24, 2022
In German law, the author and the copyright holder can be two separate
legal entities and therefore also need to be treated separately.

Introduce a new copyright holder field that is now the primary source
for copyright holder information. Authors are still only used as
copyright holders if the `addAuthorsToCopyrights` option is enabled.

For now, all package manager implementations set empty copyright
holders. Filling the copyright holder field is left as an exercise for
future actions. Right now, the only way to add copyright holders is via
curations.

This change resolves #4519.

Signed-off-by: Rainer Bieniek <[email protected]>
Signed-off-by: Sebastian Schuberth <[email protected]>
@sschuberth sschuberth changed the title Allow to curate declared copyrights directly (not via authors) Allow to curate copyrights directly (not via authors) Sep 5, 2022
sschuberth pushed a commit that referenced this issue Sep 21, 2022
In German law, the author and the copyright holder can be two separate
legal entities and therefore also need to be tracked separately.

Introduce a new field for declared copyrights that is now the primary
source for copyright holder information. Authors are still only used as
copyright holders if the `addAuthorsToCopyrights` option is enabled.

For now, all package manager implementations set empty declared
copyrights. Filling the declared copyrights is left as a future exercise
(also see [1]). Currently, the only way to add declared copyrights is via
curations.

This change resolves #4519.

[1]: #5504 (comment)

Signed-off-by: Rainer Bieniek <[email protected]>
Signed-off-by: Sebastian Schuberth <[email protected]>
sschuberth pushed a commit that referenced this issue Sep 21, 2022
Similar to the `concludedLicense` field, introduce a `concludedCopyrights`
field that is to be set exclusively via a package curation [1] to
override any detected copyright statements. Note that there is no such
thing as *declared* copyright statements because package managers do not
support them explicitly [1].

The concluded copyrights will get associated to all effective licenses;
there currently is no way to curate a copyright statement for a specific
license only. Behavior-wise this is no change compared to previous
feature of curating authors and enabling the `addAuthorsToCopyrights`
option.

As a bonus, this fixes a subtle bug where previously packages might have
been skipped in the scan if `authors` were set but
`addAuthorsToCopyrights` was disabled.

Resolves #4519.

[1]: #5504 (comment)
[1]: https://github.com/oss-review-toolkit/ort/blob/main/docs/config-file-curations-yml.md

Signed-off-by: Rainer Bieniek <[email protected]>
Signed-off-by: Sebastian Schuberth <[email protected]>