Project Description

Legal reviews have been a rather painful part of our development process. The current process in Factory waits for legaldb for a limited amount of time and simply proceeds if the review is not "approved" within a few hours.

Leap currently waits for the legal review to be closed (which may take weeks) or to be skipped manually. We typically ask our legal team to review specific requests on a weekly basis.

The goal is to improve our best-effort handling of reviews in openSUSE and ideally shorten the time the legal review of our packages takes.

Project OSSelot and the related work on legal reviews appear to be funded by donations to OSADL (based in Germany). The project seems to use fossology underneath.

I highly recommend starting by watching the OSSelot videos to get an idea of what their process and results look like. The last one seems closest to what I've seen in the Open Chain webinar.

GitHub repository of curated data

This project has two parts: offloading our legal team where possible, and contributing back.

Goal for this Hackweek

  • Contributing back the results of our reviews: being a good Open Source Community Citizen and publicly sharing the results of our legal reviews of community packages.

  • Offloading reviews of our community packages: here I see an extension of our existing process, namely extending our legal bot to talk to fossology/OSSelot.

An example: wait for legaldb for n hours (currently 1-2h); if the review is still open, submit it to OSSelot. I see this as a much better alternative to, e.g., lkocman skipping the review and taking the change in when the review has not been closed for days or weeks.

Resources

  • We could use somebody who has experience with our legal tooling https://github.com/openSUSE/cavil and could help us export data from legaldb.suse.de to https://github.com/Open-Source-Compliance/package-analysis/tree/main/analysed-packages

  • A person who could tweak our existing legal bot to submit requests to fossology/osselot

Looking for hackers with the skills:

legal perl python osc obs cavil github spdx

This project is part of:

Hack Week 22

Activity

  • over 1 year ago: lkocman started this project.
  • over 1 year ago: hennevogel liked this project.
  • over 1 year ago: jzerebecki liked this project.
  • over 1 year ago: lkocman added keyword "spdx" to this project.
  • over 1 year ago: lkocman added keyword "legal" to this project.
  • over 1 year ago: lkocman added keyword "perl" to this project.
  • over 1 year ago: lkocman added keyword "python" to this project.
  • over 1 year ago: lkocman added keyword "osc" to this project.
  • over 1 year ago: lkocman added keyword "obs" to this project.
  • over 1 year ago: lkocman added keyword "cavil" to this project.
  • over 1 year ago: lkocman added keyword "github" to this project.
  • over 1 year ago: kraih liked this project.
  • over 1 year ago: lkocman liked this project.
  • over 1 year ago: lkocman originated this project.

Comments

    • lkocman
      over 1 year ago by lkocman

      **An agreed first step from our call with Christopher from our legal team would be to compare our cavil report with the fossology report. Sebastian and Christopher recommended starting by comparing the results for openssl.**

      I'd recommend filing an OSSelot project issue containing our review data (perhaps stripped of SUSE's RISK assessment) and having a discussion about next steps.

      *Notes:*

      What's interesting for us is the SPDX license mapping to files; we're still using mappings from before the SPDX time. What's interesting to our SUSE legal is what the criteria for rejection on the OSSelot side are. I did ask, and we do not have any rejection "strategy" or "rules" documented publicly.

      I'm not sure if the OSSelot team would be willing to work on our reviews to the level we'd expect (to be clarified, see my note about rejection above), but having these reports public, e.g. in a pull request, opens a way for volunteers with a legal/license background to contribute and offload the SUSE legal team on community reviews.
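One way to do the comparison described in the comment above (cavil per-file license results against a fossology/OSSelot SPDX report for a package such as openssl), as an added example that is not part of the original page and not code from cavil, fossology or OSSelot. The tab-separated report format, the sample file lists and the legacy-name-to-SPDX alias table are constructed assumptions; the real pre-SPDX mapping mentioned in the comment would replace the table.

```python
"""Compare a cavil-style per-file license report with a fossology/OSSelot-style
SPDX report and list where the two disagree.

Added example, not code from cavil, fossology or OSSelot. The tab-separated
report format and the legacy-to-SPDX alias table are constructed assumptions."""

# Assumed pre-SPDX license names -> SPDX identifiers (constructed for the example).
LEGACY_TO_SPDX = {
    "Apache 2.0": "Apache-2.0",
    "BSD3c": "BSD-3-Clause",
    "OpenSSL": "OpenSSL",
}

def parse_report(text):
    """Parse '<path><TAB><license>' lines into a dict; skip blanks and '#' comments."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, lic = line.partition("\t")
        result[path] = lic.strip()
    return result

def to_spdx(license_name):
    """Map a legacy license name to its SPDX identifier; unknown names pass through."""
    return LEGACY_TO_SPDX.get(license_name, license_name)

def compare_reports(cavil_text, fossology_text):
    """Return per-file mismatches plus files seen by only one of the two tools."""
    cavil = {p: to_spdx(l) for p, l in parse_report(cavil_text).items()}
    foss = parse_report(fossology_text)
    common = cavil.keys() & foss.keys()
    return {
        "mismatch": {p: (cavil[p], foss[p]) for p in sorted(common) if cavil[p] != foss[p]},
        "only_cavil": sorted(cavil.keys() - foss.keys()),
        "only_fossology": sorted(foss.keys() - cavil.keys()),
    }

# Constructed sample reports for an openssl-like tree (not real review data).
CAVIL_SAMPLE = ("LICENSE.txt\tApache 2.0\ncrypto/bn/bn_add.c\tApache 2.0\n"
                "crypto/md5/md5_dgst.c\tBSD3c\ndemos/README.md\tApache 2.0\n")
FOSSOLOGY_SAMPLE = ("LICENSE.txt\tApache-2.0\ncrypto/bn/bn_add.c\tApache-2.0\n"
                    "crypto/md5/md5_dgst.c\tOpenSSL\ntest/recipes/foo.t\tApache-2.0\n")

if __name__ == "__main__":
    for kind, items in compare_reports(CAVIL_SAMPLE, FOSSOLOGY_SAMPLE).items():
        print(kind, items)
```

Files that only one tool saw are reported separately from real disagreements, since a missing file usually points at a scanning gap rather than a license question.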

    • lkocman
      over 1 year ago by lkocman

      Another action item from Sebastian:

      One more thing for hack week: you could take a look at a rejected review; maybe there is something in their data that matches (search https://legaldb.suse.de/reviews/recent for "unacceptable").

      There were 11 rejected reviews in the past 3 months.
