Checks ROS packages for correct license declaration.
Project description
ros_license_toolkit
Warning For any legal questions, please consult a lawyer. This tool is not a substitute for legal advice.
Motivation
ROS packages must have licenses. This tool checks if the license declarations in the package.xml matches the license(s) of the code. We do this by using scancode-toolkit to scan the code and compare the results to the declaration in the package.xml
Presentation
Functionality
graph TD
classDef stroke stroke:#333,stroke-width:2px;
s([scan code for licenses and copyrights])
class s stroke
p[compare to\n package.xml\nfor linting]
class p stroke
c[create\ncopyright file\nfor release]
class c stroke
s --> p
s --> c
Features
This checks:
- Is any license defined in
package.xml? - LicenseTagExistsCheck - Has at most one license tag without a source-files declaration? - LicenseTagExistsCheck
- Do all licenses tags follow the SPDX standard? - LicenseTagIsInSpdxListCheck
- Are license texts available and correctly referenced for all declared licenses? - LicenseTextExistsCheck
- Does the code contain licenses not declared in any license tags source-file attribute (source-files="src/something/**")? - LicensesInCodeCheck
Usage
Installation
Install the package from source:
pip install .
Basic Usage
You should then have the executable in your $PATH and can run it on any ROS package or a directory containing multiple ROS packages:
ros_license_toolkit my_ros_package
All Options
$ ros_license_toolkit -h
usage: ros_license_toolkit [-h] [-c] [-v] [-q] path
Checks ROS packages for correct license declaration.
positional arguments:
path path to ROS2 package or repo containing packages
options:
-h, --help show this help message and exit
-c, --generate_copyright_file
generate a copyright file
-v, --verbose enable verbose output
-q, --quiet disable most output
Using it as a GitHub action
You can use ros_license_toolkit inside your GitHub workflow in order to check licenses in your
repository in each pull request. Use the following job inside your workflow file:
jobs:
check_licenses:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: boschresearch/ros_license_toolkit@1.2.3
State of Development
WORK IN PROGRESS This is currently working and feature complete to the point it was originally intended. But there are still open points concerning testing and it is also very important to make sure how this behaves with existing ROS packages. In particular, the following things will have to be done:
To Do
- Coverage analysis
- Linter(s) per CI
- Field trials (check existing ROS packages and see what to do with the results). see field-trials/
- Allow license name in tag to be also full name of SPDX key.
- Each LicenseTag should have SPDX id.
- Single license tag without file attribute and single license text should match automatically.
- Turn into github action.
- Evaluate runtime. If scancode-toolkit takes too long on too many cases, we will have to look for an alternative.
- Idea: Create pull requests for package maintainers automatically.
- Error of
LicenseTagIsInSpdxListCheckmust be a warning
License
ros_license_toolkit is open-sourced under the Apache-2.0 license. See the LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for ros_license_toolkit-1.3.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c5f927550e4a1f3a706988258d8fca060ad6513cec90f46b0bb8654a5a02890b |
|
| MD5 | dd98303558b186329d3a17bdfd3cca9d |
|
| BLAKE2b-256 | 7b6472b599221cbf921e1e50fbba395c73433210028aa9d89ca1acef75dfe1d2 |
Hashes for ros_license_toolkit-1.3.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7662dc6419d38e35c45245a18504aed9ca4d8cdcdec4137da4d55df72d4e7e9c |
|
| MD5 | 9b8240d5bd445776ba338b2b17ec340d |
|
| BLAKE2b-256 | 00e7f9dc9f398c259373a8804c28f346db9f9164afcf3132c22ba41055614748 |
