Project Description

Legal reviews have been quite a painful part of our development process. The current setup in Factory waits for legaldb for a limited amount of time and simply proceeds if the review is not "approved" within a few hours.

Leap currently waits for the legal review to be closed (which may take weeks) or manually skipped. We typically contact our legal team on a weekly basis with a request to review specific submissions.

The goal is to improve our best effort on reviews in openSUSE and ideally "shorten" the legal review time for our packages.

The OSSelot project and its related work on legal reviews appear to be funded by donations to OSADL (based in Germany). The project appears to use fossology underneath.

I highly recommend starting by watching the OSSelot videos to get some idea of what their process and results look like. The last one seems to be closest to what I've seen in the OpenChain webinar.

GitHub repository of curated data

This project has two parts: offloading our legal team where possible, and contributing back.

Goal for this Hackweek

  • Contributing back the results of our reviews: being a good open source community citizen and publicly sharing the results of our legal reviews of community packages.

  • Offloading reviews of our community packages: I see this as an extension of our existing process, extending our legal bot to talk to fossology/OSSelot.

An example could be: wait for legaldb for n hours (currently 1-2h); if the review is still open, submit it to OSSelot. I see this as a much better alternative to e.g. lkocman skipping the review and taking the change in when the review has not been closed for days or weeks.


Looking for hackers with the skills:

legal perl python osc obs cavil github spdx

This project is part of:

Hack Week 22


  • 1 day ago: lkocman originated this project.

  • Comments

    • lkocman
      about 13 hours ago by lkocman | Reply

      **An agreed first step from our call with Christopher from our legal team would be to compare our cavil report with the fossology report. Sebastian and Christopher recommended starting by comparing the results for openssl.**

      I'd recommend filing an OSSelot project issue containing our review data (perhaps stripped of SUSE's RISK assessment) and having a discussion about next steps.

      *Notes:*

      What's interesting for us is the SPDX license mapping to files; we're still using mappings from before the SPDX era. What's interesting to our SUSE legal team is what the criteria for rejection are on the OSSelot side. I did ask, and we do not have any rejection "strategy" or "rules" documented publicly.

      I'm not sure if the OSSelot team would be willing to work on our reviews to the level that we'd expect (to be clarified; see my note about rejection above), but having these reports public, e.g. in a pull request, opens a way for volunteers with a legal/license background to contribute and offload the SUSE legal team on community reviews.
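The first step the comment above describes, comparing a per-file cavil license report with a fossology report, as an added example that is not part of the original page or of the cavil, fossology or OSSelot projects. It parses a constructed SPDX 2.2 tag:value fragment of the kind fossology can export, a constructed "path<TAB>license" listing that stands in for the cavil report (cavil's real report format is not assumed here), maps a few illustrative pre-SPDX openSUSE license names to SPDX identifiers, and lists per file whether the two tools agree, disagree, or only one of them saw the file. The legacy-name table and all sample file data are assumptions made for this example.

```python
"""Compare a cavil-style per-file license report with a fossology SPDX export.

Added example; the mapping table, the cavil-side report format and the sample
data are constructed for illustration, not taken from cavil, fossology or OSSelot.
"""
from collections import namedtuple

# Pre-SPDX license names as they appeared in openSUSE spec files, mapped to
# SPDX identifiers. Illustrative subset only (assumed); the real table is larger.
LEGACY_TO_SPDX = {
    "GPLv2+": "GPL-2.0-or-later",
    "GPL-2.0+": "GPL-2.0-or-later",   # deprecated SPDX spelling
    "LGPLv2.1+": "LGPL-2.1-or-later",
    "BSD3c": "BSD-3-Clause",
    "Apache 2.0": "Apache-2.0",
}


def to_spdx(name):
    """Normalise a legacy license name to its SPDX identifier (unknown names pass through)."""
    name = name.strip()
    return LEGACY_TO_SPDX.get(name, name)


def parse_spdx_tag_value(text):
    """Return {filename: LicenseConcluded} from an SPDX 2.x tag:value document.

    A file record starts at 'FileName:'; 'LicenseConcluded:' tags seen before the
    first FileName belong to the package, not to a file, and are ignored.
    """
    files = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "FileName":
            current = value[2:] if value.startswith("./") else value
            files[current] = "NOASSERTION"   # default until a LicenseConcluded follows
        elif tag == "LicenseConcluded" and current is not None:
            files[current] = value
    return files


def parse_cavil_report(text):
    """Return {filename: license} from a 'path<TAB>license' listing (format assumed)."""
    files = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        path, _, lic = line.partition("\t")
        files[path.strip()] = lic.strip()
    return files


Diff = namedtuple("Diff", "path cavil fossology status")


def compare(cavil, fossology):
    """Per-file comparison after normalising the cavil side to SPDX identifiers."""
    out = []
    for path in sorted(set(cavil) | set(fossology)):
        c = to_spdx(cavil[path]) if path in cavil else None
        f = fossology.get(path)
        if c is None:
            status = "only-in-fossology"
        elif f is None:
            status = "only-in-cavil"
        elif f == "NOASSERTION":
            status = "fossology-noassertion"   # fossology made no call; needs a human
        elif c == f:
            status = "match"
        else:
            status = "mismatch"
        out.append(Diff(path, c, f, status))
    return out


# Constructed sample data; file paths and license calls are invented, not real openssl review results.
CAVIL_REPORT = """\
# path<TAB>license (cavil-side listing, format assumed)
crypto/bn/bn_add.c\tOpenSSL
apps/openssl.c\tOpenSSL
crypto/sha/sha256.c\tBSD3c
ssl/ssl_lib.c\tOpenSSL
test/foo.c\tGPLv2+
"""

SPDX_DOC = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: openssl-sample
PackageName: openssl
PackageLicenseConcluded: NOASSERTION
FileName: ./crypto/bn/bn_add.c
SPDXID: SPDXRef-file-1
FileChecksum: SHA1: 0000000000000000000000000000000000000001
LicenseConcluded: OpenSSL
FileName: ./apps/openssl.c
SPDXID: SPDXRef-file-2
FileChecksum: SHA1: 0000000000000000000000000000000000000002
LicenseConcluded: Apache-2.0
FileName: ./crypto/sha/sha256.c
SPDXID: SPDXRef-file-3
LicenseConcluded: BSD-3-Clause
FileName: ./ssl/ssl_lib.c
SPDXID: SPDXRef-file-4
LicenseConcluded: NOASSERTION
FileName: ./include/openssl/ssl.h
SPDXID: SPDXRef-file-5
LicenseConcluded: NOASSERTION
"""


def run_comparison():
    """Compare the two constructed reports and return the list of Diff records."""
    return compare(parse_cavil_report(CAVIL_REPORT), parse_spdx_tag_value(SPDX_DOC))


if __name__ == "__main__":
    for d in run_comparison():
        print(f"{d.status:22} {d.path:28} cavil={d.cavil} fossology={d.fossology}")
```

Only the "mismatch" and "fossology-noassertion" rows need a human; "match" rows are candidates for an automatic pass, and "only-in-cavil"/"only-in-fossology" rows usually point at a file-list or path-normalisation difference between the two scans rather than at a license question.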

    • lkocman
      about 13 hours ago by lkocman | Reply

      Another action item from Sebastian:

      One more thing for hack week: you could take a look at a rejected review; maybe there is something in their data that matches (search for unacceptable).

      There were 11 rejected reviews in the past 3 months.
