
Re: copyright precision


Quoting Paul Wise (2016-08-10 05:12:55)
> The only possible way to solve this in general terms is to accurately document
> the copyright/license of the source package using the machine-readable format
> and during builds, track the transformation of input files in the source
> package to output files in the binary package and then generate the
> copyright/license information for the binary package based on which input
> files from which source/binary packages ended up in the new binary package.

In the past I investigated this problem myself as well. I came to the
conclusion that with the currently available techniques it is impossible to
reliably trace process execution and system calls in all scenarios (i.e. for
all source packages) and without a way to reliably (and automatically) figure
out for which source packages it does work. Thus I gave up and asked this


Helmut also once wrote a proof of concept that tackled the problem of
generating linearized build logs but also ran into the problem that his
approach failed if events happened too fast.

Using ptrace we could today write a program that analyzes our builds (on Linux)
and generates the required information to extract copyright information and a
bunch of more useful and interesting data. Unfortunately this would not work
for all source packages in the archive as a ptraced process cannot execute
ptrace itself. Maybe this problem could be alleviated by running source
package builds with nocheck as I would expect ptrace to be mainly used in test
cases and not during the real build. Reproducible builds could also be used to
make sure that a ptraced build produced the same binary packages as a
non-ptraced build.

Unfortunately, because of the involved limitations, I gave up on the project.


cheers, josch
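
An added illustration of the input-to-output tracking discussed in this message (not code from the thread or from any Debian tool): it post-processes a syscall log of a build to work out which source files, and so which licenses, reach each output file. It assumes the log comes from a ptrace-based tracer such as `strace -f -e trace=openat -o build.log`; the sample log, the paths and the license table are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `strace -f -e trace=openat -o build.log`:
# "<pid> openat(AT_FDCWD, "<path>", <flags>[, mode]) = <fd, or -1 and errno>"
SAMPLE_LOG = '''\
101 openat(AT_FDCWD, "src/main.c", O_RDONLY) = 3
101 openat(AT_FDCWD, "src/missing.h", O_RDONLY) = -1 ENOENT (No such file or directory)
101 openat(AT_FDCWD, "vendor/zlib.h", O_RDONLY) = 4
101 openat(AT_FDCWD, "main.o", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
102 openat(AT_FDCWD, "src/util.c", O_RDONLY) = 3
102 openat(AT_FDCWD, "util.o", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
103 openat(AT_FDCWD, "main.o", O_RDONLY) = 3
103 openat(AT_FDCWD, "util.o", O_RDONLY) = 4
103 openat(AT_FDCWD, "hello", O_RDWR|O_CREAT|O_TRUNC, 0777) = 5
'''

# Constructed stand-in for a machine-readable copyright file (path -> license).
LICENSES = {"src/main.c": "GPL-2+", "src/util.c": "MIT", "vendor/zlib.h": "Zlib"}

OPEN_RE = re.compile(
    r'^(\d+)\s+openat\([^,]+, "([^"]+)", ([A-Z_|]+)(?:, \d+)?\)\s+= (-?\d+)')

def trace_provenance(log):
    """Map each written file to the set of original inputs that fed into it."""
    reads = defaultdict(set)   # pid -> files that process has read so far
    origin = {}                # output path -> set of non-generated inputs
    for line in log.splitlines():
        m = OPEN_RE.match(line)
        if not m or int(m.group(4)) < 0:   # skip unparsed lines and failed opens
            continue
        pid, path, flags = m.group(1), m.group(2), set(m.group(3).split("|"))
        if flags & {"O_WRONLY", "O_RDWR"}:
            # Expand intermediate files (e.g. main.o) into the sources behind them.
            origin[path] = set().union(*(origin.get(p, {p}) for p in reads[pid]))
        else:
            reads[pid].add(path)
    return origin

def licenses_for(output, log=SAMPLE_LOG):
    """Licenses of every original input that reached `output`."""
    return sorted({LICENSES.get(p, "UNKNOWN") for p in trace_provenance(log)[output]})
```

Attribution here is per process: every file a process read before writing counts as an input to that output, which over-approximates for long-lived processes that produce several files.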
