Project Description

Legal reviews have been a quite painful part of our development process. The current situation in Factory waits for legaldb for a limited amount of time and simply proceeds further if the review is not "approved" within a few hours.

Leap currently waits for legal review to be closed (may take weeks), or manually skipped. We typically contact our legal with ask to review specific requests on a weekly basis.

The goal is to improve our best effort on reviews in openSUSE, and ideally "shorten" the time of legal review of our packages.

Project OSSelot and related work on legal reviews seem to be funded by donations to OSADL (based in Germany). The project seems to use fossology underneath.

I highly recomemnd to start by watching OSSelot videos to get some idea about how their process and results look like. The last one seems to be closest to what I've seen in the Open Chain webinar.

GitHub repository of curated data

This project has two parts. Offloading our legal team, where possible, and contributing back.

Goal for this Hackweek

  • Contributing back results of our reviews Being a good Open Source Community Citizen and publicly sharing results of our legal reviews of community packages.

  • Offloading reviews of our community packages. There I can see extension of our existing current process. And extending our legal bot to talk to fossology/OSSelot.

An example could be Let's wait for legaldb for n-hours (currently 1-2h), if the review is still open then let's submit it to OSSelot. I see it as a much better alternative to e.g. lkocman skipping the review and taking the change in, in case that review was not closed for days/weeks.

Resources

  • We could use somebody who has experience with our legal tooling https://github.com/openSUSE/cavil and could help us export data from legaldb.suse.de to https://github.com/Open-Source-Compliance](https://github.com/Open-Source-Compliance/package-analysis/tree/main/analysed-packages)

  • A person who could tweak our existing legal bot to submit requests to fossology/osselot

Looking for hackers with the skills:

legal perl python osc obs cavil github spdx

This project is part of:

Hack Week 22

Activity

  • over 1 year ago: lkocman started this project.
  • over 1 year ago: hennevogel liked this project.
  • over 1 year ago: jzerebecki liked this project.
  • over 1 year ago: lkocman added keyword "spdx" to this project.
  • over 1 year ago: lkocman added keyword "legal" to this project.
  • over 1 year ago: lkocman added keyword "perl" to this project.
  • over 1 year ago: lkocman added keyword "python" to this project.
  • over 1 year ago: lkocman added keyword "osc" to this project.
  • over 1 year ago: lkocman added keyword "obs" to this project.
  • over 1 year ago: lkocman added keyword "cavil" to this project.
  • over 1 year ago: lkocman added keyword "github" to this project.
  • over 1 year ago: kraih liked this project.
  • over 1 year ago: lkocman liked this project.
  • over 1 year ago: lkocman originated this project.

  • Comments

    • lkocman
      over 1 year ago by lkocman | Reply

      ** An agreed first step from our call with Christopher from our legal team would be to compare our cavil report with the fossology report. Sebastian and Christopher recommended to start with comparing results of openssl**

      I'd recommend filing an OSSelot project issue containing our review data (perhaps stripped from the SUSE's RISK assestment) and have a discussion about next steps.

      *Notes: *

      What's interesting for us is the SPDX license mapping to files, we're still using mappings from before the spdx time. What's interesting to our SUSE legal is what are the criteria for rejection on the OSSelot side. I did ask and we do not have any "strategy" or "rules" rejection documented publically.

      I'm not sure if OSSelot team would be willing to work on our reviews to the level that we'd expect (to be clarified, see my note about rejection above), but having these reports public e.g. in a pull request, opens a way for volunteers with legal license background to contribute and offload SUSE legal team on community reviews.

    • lkocman
      over 1 year ago by lkocman | Reply

      Another action item from Sebastian:

      One more thing for hack week, you could take a look at a rejected review, maybe there is something they have in their data that matches (search https://legaldb.suse.de/reviews/recent for unacceptable)

      There were 11 rejected reviews in the past 3 months

    Similar Projects

    Explore the integration between OBS and GitHub by pdostal

    Project Description

    The goals:

    1) When...