-
-
Notifications
You must be signed in to change notification settings - Fork 574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider detected copyrights when determining a declared holder from a package manifest in summary plugin #2972
Comments
It also may not behoove us to use the package authors as a copyright holder when we do not detect an explicit copyright statement from package data. |
Signed-off-by: Jono Yang <[email protected]>
* Update expected test results * TODO: consider not converting common company names to a canonical form Signed-off-by: Jono Yang <[email protected]>
@DennisClark @tdruez @pombredanne When removing the code that assigns the author or other detected parties from a Package as the declared holder, I noticed that the tallies plugins does some sort of normalization on the detected holders from Resources in the codebase. The majority of the files have Should we remove this normalization of holders to a canonical form? Normalizing and grouping the related holders together helps with getting a good count of how many times a particular holder shows up, especially when there are many different forms of copyright statements for that holder. However, it can become confusing when someone wants to verify the summary results and they cannot find the declared holder in files because the detected holder value was changed. |
@JonoYang I am not convinced that using an author value for Holder when there is no copyright detected is a good thing, although I don't feel strongly about it. However, I vaguely recall some community discussion on this topic, where someone strongly asserted that author is NOT equivalent to copyright, so there is definitely a case for not using it at all for a Holder. As far as "normalizing" the holder goes, it is a nice feature if we can still point back to the original somehow. |
I've removed the code that uses the Package authors/maintainers as a holder when no copyright is detected.
Maybe we can have a list of the original holder values when we present the tallies of holders?
I'm not sure what the best name for that field would be. |
Signed-off-by: Jono Yang <[email protected]>
* Update expected test results * TODO: consider not converting common company names to a canonical form Signed-off-by: Jono Yang <[email protected]>
* If no explicit copyright was detected from Package datafiles, then we take the holder detections from those files instead Signed-off-by: Jono Yang <[email protected]>
After discussion with @pombredanne, it would make sense to just use the company/organization name itself without any of the suffixes. |
That does make sense for this case, but this Google example seems to be a relatively easy one. There will be many other cases where the relationship among holders is not evident in the names. There is really no way for us to figure this out from a set of copyright holder names beyond these simple cases. What would be interesting is to know the holder best associated with the primary license. |
Signed-off-by: Jono Yang <[email protected]>
* Update expected test results Signed-off-by: Jono Yang <[email protected]>
Signed-off-by: Jono Yang <[email protected]>
Signed-off-by: Jono Yang <[email protected]>
Signed-off-by: Jono Yang <[email protected]>
Consider only copyrights in summry #2972
Signed-off-by: Jono Yang <[email protected]>
* Update expected test results * TODO: consider not converting common company names to a canonical form Signed-off-by: Jono Yang <[email protected]>
* If no explicit copyright was detected from Package datafiles, then we take the holder detections from those files instead Signed-off-by: Jono Yang <[email protected]>
Signed-off-by: Jono Yang <[email protected]>
* Update expected test results Signed-off-by: Jono Yang <[email protected]>
Signed-off-by: Jono Yang <[email protected]>
When scanning the package
atheris v 2.0.11
(https://github.com/google/atheris/archive/refs/tags/2.0.11.tar.gz) using the--summary
plugin, thedeclared_holder
value in the scan summary isBitshift
, which is the author of the package. This was determined from the parsed package data from thesetup.py
file ofatheris
. However, thesetup.py
contains a comment that is a copyright statement with the actual copyright holders. The summary plugin should be updated to also consider copyrights detected by the copyright scanner. This value should take precedence over authors.The text was updated successfully, but these errors were encountered: