Attr/version 23.1.0 #143

Open
wants to merge 10 commits into
base: main
203 changes: 203 additions & 0 deletions analysed-packages/adp_helper/version-1.6.0/OSS-disclosure.txt
Please add only the analysis for one package in a pull request

Large diffs are not rendered by default.


20 changes: 20 additions & 0 deletions analysed-packages/attr/version-23.1.0/README.md
@@ -0,0 +1,20 @@
## Download Location

https://github.com/python-attrs/attrs

Please provide here the concrete download link which is in this case most probably:

https://github.com/python-attrs/attrs/archive/refs/tags/23.1.0.tar.gz


## Package URL (purl)

pkg:github/python-attrs/attrs@23.1.0

## Creator

Kanzlei Jun on behalf of AUDI AG

## Reviewers

The information was reviewed by:


## Comment

Only the Python packages of the components have been curated, not the entire packages found in the download location.
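Review bot: The purl pkg:github/python-attrs/attrs@23.1.0 and the repository URL under Download Location name the tagged GitHub source, but the disclosure file in this PR describes site-packages_attr-with-distinfo.zip, an installed tree containing an attrs-23.1.0.dist-info directory, i.e. a pip-installed artifact. Record the artifact that was actually scanned: either pkg:pypi/attrs@23.1.0 together with the exact sdist or wheel URL and its SHA256, so that the PackageChecksum can be reproduced by a third party, or re-run the analysis on the tagged tarball this README points to. The Reviewers section under "The information was reviewed by:" is also left empty.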

In case the same applies here as for altgraph, this is an inconsistency which makes the analysis not usable, because you have probably installed the package via "pip install", fetching the package from PyPI, but do you have proof that this is exactly the same as the package specified in the download link?
To be honest, and I am sorry, but I can't accept such a potential source of inconsistent data.
I also did a `pip install attrs==23.1.0` in order to verify that what is installed via pip is not the package available on GitHub: in the best case it is a subset, and in the worst case it contains different files or different file content (I did not verify the file hashes).

150 changes: 150 additions & 0 deletions analysed-packages/attr/version-23.1.0/attr-23.1.0-OSS-disclosure.txt

Similar to my comment on Altgraph, the disclosure file is not in the format we expect for disclosure files. Of course you can decide to introduce additional files, but this I want to discuss upfront; furthermore, the existing formats shall still be provided. I downloaded attrs from https://github.com/python-attrs/attrs/archive/refs/tags/23.1.0.tar.gz, the repo link and the version number given in the README file. I analysed the package and provide my version of the disclosure document below for your reference.
What you probably find strange is that I have provided an acknowledgement although MIT does not require such a thing, but when you analyse the source package you will find a file called CITATION.cff in the root directory of the package with the following content:

cff-version: 1.2.0
message: If you use this software, please cite it as below.
title: attrs
type: software
authors:
  - given-names: Hynek
    family-names: Schlawack
    email: hs@ox.cx
doi: 10.5281/zenodo.6925130

This is the reason for me to provide the acknowledgment given below.
You do not list the acknowledgment and the file is not contained in the SPDX files, why?

================================================================================

attrs-23.1.0


================================================================================

LICENSES


MIT

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


================================================================================

ACKNOWLEDGEMENTS


MIT

The attrs software is developed by Hynek Schlawack hs@ox.cx


Copyright notices

Copyright (c) 2015 Hynek Schlawack and the attrs contributors
Copyright (c) 2015 Hynek Schlawack

@@ -0,0 +1,150 @@
PackageName: site-packages_attr-with-distinfo.zip
PackageVerificationCode: 45e2ae9a98ed6f3e439618322e6fb4d686f2a759
PackageChecksum: SHA256: 61f2e48e3aa24436c2cbbdecaad956eb13483cace929fbe0f7bb2620bac1cd30
PackageLicenseDeclared: MIT
--------

FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/__pycache__/__init__.cpython-310.pyc:
FileChecksum: SHA256: d919a5d3b72cf5cfaf82d43390b52471f00051e0d78981b24a32d82aa3389fd1
FileCopyrightText:
Copyright (c) 2015 Hynek Schlawack

LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/_cmp.py:
FileChecksum: SHA256: 762314415f81220ec88c86fafa8d61b30b678eb478a9d014cffb44f20c52f7ac
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/_compat.py:
FileChecksum: SHA256: 77772922eeb421b2ab2f2c0f9e2d7b45411063b32f92aa8a89fcb32791f7cd15
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/_config.py:
FileChecksum: SHA256: e56f2581178fb88396bb566ea85d7cf7d7b60a65c673de7e8a9c13a45d5c114e
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/converters.py:
FileChecksum: SHA256: c5f19548f4605867329ba37915933d7f27ef09078fa85c80a56782e415cabe83
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/exceptions.py:
FileChecksum: SHA256: d194f21ff987988f6eb704d36c15ab752fdc9398e9b3d47633f7d824f5f11ff5
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/filters.py:
FileChecksum: SHA256: f6962f5ea760ea6b4bbca2086f9ea800b44ca0716741370608ee045d3735ab23
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/_funcs.py:
FileChecksum: SHA256: 60cb731d148e9c5bce549edab771342bde40da55b6e870e36f2f7a4cc4c36dcd
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/__init__.py:
FileChecksum: SHA256: 7524540714554e1f9d5ccacc47fa10dd9212bb64127e1499962934dcc8dbbb7d
FileCopyrightText:
Copyright (c) 2015 Hynek Schlawack

LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/_make.py:
FileChecksum: SHA256: 248c8a57e1d187721c1e2f84bce8f6770ead468a804e5c769011c5aebc59a64d
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/_next_gen.py:
FileChecksum: SHA256: f2507f4b9485817d8ab1f964b0af19ca093a5c35d3a1062d2259a0777ec8f5a6
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/setters.py:
FileChecksum: SHA256: a5b09943ea44e99c630ea65f59652150579f5eda5e908538a92fd80cc2cf439d
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/validators.py:
FileChecksum: SHA256: 0b6310817eee6cbfdcb3963389b59af26d18c5d32ae7fdc2877755233b0b3be6
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs/exceptions.py:
FileChecksum: SHA256: 4a50e58ba018efb7fa9f2f87ee8cbdf0e9108ecaf0f83fecba912e12b2156241
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs/filters.py:
FileChecksum: SHA256: 75cfdd35ecb6f641fa28b535993d836a4abbb59de405fcc41b0cce983cf0d45f
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs/__init__.py:
FileChecksum: SHA256: f7fe706956c5b3bacbaad5d9ef7b4d0ebc617b3c99f1565e5f805bbd0dc4789c
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs/setters.py:
FileChecksum: SHA256: a0ac39d42ef61e1e39c13c18bc31c93fd91b89cc62321311e18e46bdda4a7474
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs/validators.py:
FileChecksum: SHA256: e1a8354b2543d879b73d82a2346fcd3ad47f7bb7fcd47afa1a2365e18bd7a384
LicenseConcluded: MIT

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs-23.1.0.dist-info/licenses/LICENSE:
FileChecksum: SHA256: 882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f
FileCopyrightText:
Copyright (c) 2015 Hynek Schlawack and the attrs contributors

LicenseConcluded: MIT
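Review bot: The first file record, attr/__pycache__/__init__.cpython-310.pyc, is bytecode the interpreter wrote at install time, not a file shipped in any attrs sdist or wheel, and by default its header embeds the mtime and size of the source file, so the SHA256 recorded for it, and with it the PackageChecksum and PackageVerificationCode of the zip that wraps it, will not reproduce on another machine. Drop generated files from the record set and compute the package checksum over the upstream artifact rather than over a locally built zip. The copyright text concluded from that .pyc can only come from string constants copied out of attr/__init__.py, which is already listed with the same notice.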

As already commented in the altgraph PR, I do not think that the text of the MIT license is licensed under MIT


--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs-23.1.0.dist-info/METADATA:
FileChecksum: SHA256: ca0970517928ef943e209e8b98f550e18f7d2894b708f2b4356f28bd7158b038
LicenseConcluded: MIT

You have concluded MIT in several cases; you know that the texts of the licenses which are listed in the SPDX license list are not contained by default in the SPDX files, and this is also the case here. In other words, license texts are missing in this document.


--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attr/_version_info.py:
FileChecksum: SHA256: 7b14aa6f76f913e7cc4ac819025130f5770ba448286cf391099a5c68482500ce
LicenseConcluded: LicenseRef-fossology-MIT-3d930e873df38b22e2f1db27007eec50

--------
FileName: site-packages_attr-with-distinfo.zip/site-packages_attr-with-distinfo/attrs/converters.py:
FileChecksum: SHA256: 7c2044765616726237b029e9524da9cf6d8662d5f3a93929e8d78ea5d23ae0f6
LicenseConcluded: LicenseRef-fossology-MIT-cf5b9f6aa02362de11792252d20b1a76
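Review bot: LicenseRef-fossology-MIT-3d930e873df38b22e2f1db27007eec50 and LicenseRef-fossology-MIT-cf5b9f6aa02362de11792252d20b1a76, concluded for attr/_version_info.py and attrs/converters.py, are scanner-local names for a matched text variant; a consumer of this disclosure can only resolve them if the matched text is reproduced in the document under exactly that identifier, and the document defines only the first of the two. Either conclude MIT for these two files as for the rest of the package and include the MIT text once, or add the matched wording for both identifiers under Referenced licenses.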

This is obviously an MIT license for which you also provided a different text than the "original" one from the SPDX license list, but I do not find any such license text in this document. Where is it?


--------


Referenced licenses:
--------------------

LicenseRef-fossology-MIT-3d930e873df38b22e2f1db27007eec50:
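Review bot: This section defines only LicenseRef-fossology-MIT-3d930e873df38b22e2f1db27007eec50; LicenseRef-fossology-MIT-cf5b9f6aa02362de11792252d20b1a76, concluded for attrs/converters.py above, has no entry, so that conclusion cannot be resolved from the document. The text given for the defined identifier is the standard MIT permission notice preceded by the attrs copyright line, word for word the same as the MIT text reproduced earlier in this thread, so there is no variant here that needs a LicenseRef; concluding MIT and keeping one copy of the text would make the document shorter and consistent.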

I think you wanted to conclude this license for the source files which carry:

SPDX-License-Identifier: MIT

and not the reference MIT license available in the SPDX license list

Copyright (c) 2015 Hynek Schlawack and the attrs contributors

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
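As an added example (not code from this PR, from the repository's tooling, or from the attrs project), the following Python script mechanises the two checks the comments above perform by hand: it parses the plain-text disclosure format used in attr-23.1.0-OSS-disclosure.txt, recomputes the SHA256 of every listed file against a directory tree (the file-hash comparison the README comment says was not done), and reports LicenseRef identifiers that are concluded for a file but never defined under "Referenced licenses", as well as interpreter-generated .pyc entries. The disclosure text and the two-file tree it checks are constructed samples written to a temporary directory; the identifiers deadbeef and cafebabe and the path pkg.zip are placeholders, not values from the PR.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class FileRecord:
    name: str
    sha256: Optional[str]
    license_concluded: Optional[str]
    copyright: List[str] = field(default_factory=list)


@dataclass
class Disclosure:
    package: Dict[str, str]
    files: List[FileRecord]
    referenced: Set[str]  # LicenseRef ids defined under "Referenced licenses"


def parse_disclosure(text: str) -> Disclosure:
    """Split the document into the package block, the file records and the defined license ids."""
    head, _, tail = text.partition("Referenced licenses:")
    referenced = set(re.findall(r"^(LicenseRef-[\w.\-]+):\s*$", tail, re.M))
    package, files = {}, []
    for block in re.split(r"^-{5,}\s*$", head, flags=re.M):  # every record ends with "--------"
        block = block.strip()
        if not block:
            continue
        if block.startswith("Package"):  # the package-level header block
            for line in block.splitlines():
                key, _, value = line.partition(":")
                package[key.strip()] = value.strip()
            continue
        rec, in_copyright = FileRecord("", None, None), False
        for line in block.splitlines():
            if line.startswith("FileName:"):
                rec.name = line[len("FileName:"):].strip().rstrip(":")  # names carry a trailing colon
            elif line.startswith("FileChecksum:"):
                m = re.search(r"SHA256:\s*([0-9a-fA-F]{64})", line)
                rec.sha256 = m.group(1).lower() if m else None
            elif line.startswith("LicenseConcluded:"):
                rec.license_concluded, in_copyright = line.split(":", 1)[1].strip(), False
            elif line.startswith("FileCopyrightText:"):
                in_copyright = True  # copyright lines follow until the next field
            elif in_copyright and line.strip():
                rec.copyright.append(line.strip())
        files.append(rec)
    return Disclosure(package, files, referenced)


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def verify_checksums(d: Disclosure, root: str, strip: int = 1) -> Dict[str, List[str]]:
    """Recompute SHA256 under root; the leading path component is the archive name, not a directory."""
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": []}
    for rec in d.files:
        path = os.path.join(root, *rec.name.split("/")[strip:])
        if not os.path.isfile(path):
            result["missing"].append(rec.name)
        elif rec.sha256 != sha256_of(path):
            result["mismatch"].append(rec.name)
        else:
            result["ok"].append(rec.name)
    return result


def dangling_license_refs(d: Disclosure) -> Dict[str, List[str]]:
    """LicenseRef ids concluded for a file but never defined in 'Referenced licenses'."""
    dangling: Dict[str, List[str]] = {}
    for rec in d.files:
        lic = rec.license_concluded or ""
        if lic.startswith("LicenseRef-") and lic not in d.referenced:
            dangling.setdefault(lic, []).append(rec.name)
    return dangling


def generated_files(d: Disclosure) -> List[str]:
    """Interpreter bytecode is an install-time artefact, not distributed content."""
    return [r.name for r in d.files if "__pycache__" in r.name or r.name.endswith(".pyc")]


def build_sample():
    """Constructed sample: a two-file installed tree plus a disclosure describing it (placeholder values)."""
    root = tempfile.mkdtemp(prefix="disclosure-demo-")
    os.makedirs(os.path.join(root, "pkg", "attr"))
    init_py = os.path.join(root, "pkg", "attr", "__init__.py")
    cmp_py = os.path.join(root, "pkg", "attr", "_cmp.py")
    with open(init_py, "w") as f:
        f.write("# SPDX-License-Identifier: MIT\n__version__ = '0.0.0'\n")
    with open(cmp_py, "w") as f:
        f.write("# SPDX-License-Identifier: MIT\ndef cmp(a, b): return a == b\n")
    text = (
        f"PackageName: pkg.zip\nPackageChecksum: SHA256: {'0' * 64}\nPackageLicenseDeclared: MIT\n--------\n"
        f"FileName: pkg.zip/pkg/attr/__init__.py:\nFileChecksum: SHA256: {sha256_of(init_py)}\n"  # correct hash
        "FileCopyrightText:\nCopyright (c) 2015 Example Holder\n\nLicenseConcluded: MIT\n\n--------\n"
        f"FileName: pkg.zip/pkg/attr/_cmp.py:\nFileChecksum: SHA256: {'1' * 64}\n"  # wrong hash on purpose
        "LicenseConcluded: LicenseRef-fossology-MIT-deadbeef\n\n--------\n"  # this id is never defined below
        f"FileName: pkg.zip/pkg/attr/__pycache__/__init__.cpython-310.pyc:\nFileChecksum: SHA256: {'2' * 64}\n"
        "LicenseConcluded: MIT\n\n--------\n\n\n"  # the .pyc is listed but does not exist in the tree
        "Referenced licenses:\n--------------------\n\nLicenseRef-fossology-MIT-cafebabe:\n\n"
        "Permission is hereby granted, free of charge, ...\n"
    )
    return text, root


def run_checks(text: str, root: str) -> dict:
    d = parse_disclosure(text)
    return {"package": d.package.get("PackageName"), "checksums": verify_checksums(d, root),
            "dangling": dangling_license_refs(d), "generated": generated_files(d)}
```

Running run_checks on the sample reports one matching file, one checksum mismatch, one listed-but-absent .pyc, and the undefined LicenseRef for _cmp.py. Pointed at an unpacked sdist or wheel instead of the temporary tree, the same checksum pass is the evidence the README comment asks for that the scanned tree and the artifact named under Download Location are the same bytes.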