| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| cmd/ | 14-Jan-2024 | - | 16,868 | 15,488 |
| projectmetadata/ | 15-Dec-2024 | - | 1,051 | 921 |
| testfs/ | 14-Jan-2024 | - | 156 | 106 |
| Android.bp | 14-Jan-2024 | 4.8 KiB | 194 | 179 |
| README.md | 14-Jan-2024 | 4.1 KiB | 102 | 70 |
| condition.go | 14-Jan-2024 | 3.5 KiB | 97 | 53 |
| condition_test.go | 14-Jan-2024 | 1.9 KiB | 68 | 44 |
| conditionset.go | 14-Jan-2024 | 5.4 KiB | 190 | 128 |
| conditionset_test.go | 14-Jan-2024 | 21.1 KiB | 646 | 600 |
| doc.go | 14-Jan-2024 | 3.5 KiB | 85 | 1 |
| go.mod | 15-Dec-2024 | 223 | 12 | 9 |
| go.work | 15-Dec-2024 | 514 | 19 | 16 |
| graph.go | 14-Jan-2024 | 16.3 KiB | 528 | 277 |
| noticeindex.go | 14-Jan-2024 | 17.5 KiB | 650 | 533 |
| policy_policy.go | 14-Jan-2024 | 10 KiB | 256 | 124 |
| policy_policy_test.go | 14-Jan-2024 | 11.7 KiB | 306 | 284 |
| policy_resolve.go | 14-Jan-2024 | 6 KiB | 175 | 93 |
| policy_resolve_test.go | 14-Jan-2024 | 20.9 KiB | 673 | 647 |
| policy_resolvenotices.go | 14-Jan-2024 | 803 | 22 | 5 |
| policy_resolvenotices_test.go | 14-Jan-2024 | 16.9 KiB | 437 | 420 |
| policy_resolveprivacy.go | 14-Jan-2024 | 823 | 22 | 5 |
| policy_resolveprivacy_test.go | 14-Jan-2024 | 2.4 KiB | 88 | 71 |
| policy_resolveshare.go | 14-Jan-2024 | 822 | 22 | 5 |
| policy_resolveshare_test.go | 14-Jan-2024 | 8.6 KiB | 276 | 259 |
| policy_shareprivacyconflicts.go | 14-Jan-2024 | 2.8 KiB | 79 | 46 |
| policy_shareprivacyconflicts_test.go | 14-Jan-2024 | 3.8 KiB | 124 | 96 |
| policy_shipped.go | 14-Jan-2024 | 1.4 KiB | 55 | 31 |
| policy_shipped_test.go | 14-Jan-2024 | 4.1 KiB | 144 | 124 |
| policy_walk.go | 14-Jan-2024 | 7.5 KiB | 263 | 182 |
| policy_walk_test.go | 14-Jan-2024 | 48.8 KiB | 1,622 | 1,571 |
| readgraph.go | 14-Jan-2024 | 7.9 KiB | 296 | 195 |
| readgraph_test.go | 14-Jan-2024 | 4.6 KiB | 153 | 132 |
| resolution.go | 14-Jan-2024 | 4.5 KiB | 150 | 89 |
| resolutionset.go | 14-Jan-2024 | 4.9 KiB | 144 | 71 |
| resolutionset_test.go | 14-Jan-2024 | 4 KiB | 133 | 88 |
| test_util.go | 14-Jan-2024 | 17.1 KiB | 554 | 424 |

README.md

# Compliance

<!-- Much of this content appears too in doc.go
When changing this file consider whether the change also applies to doc.go -->

Package compliance provides an approved means for reading, consuming, and
analyzing license metadata graphs.

Assuming the license metadata and dependencies are fully and accurately
recorded in the build system, any discrepancy between the official policy for
open source license compliance and this code is **a bug in this code.**

## Naming

All of the code that directly reflects a policy decision belongs in a file with
a name beginning `policy_`. Changes to these files need to be authored or
reviewed by someone in OSPO or whichever successor group governs policy.

The files with names not beginning `policy_` describe data types and general,
reusable algorithms.

The source code for binary tools and utilities appears under the `cmd/`
subdirectory. Other subdirectories contain reusable components that are not
`compliance` per se.

## Data Types

A few principal types to understand are LicenseGraph, LicenseCondition, and
ResolutionSet.

### LicenseGraph

A LicenseGraph is an immutable graph of the targets and dependencies reachable
from a specific set of root targets. In general, the root targets will be the
artifacts in a release or distribution. While conceptually immutable, parts of
the graph may be loaded or evaluated lazily.

Conceptually, the graph itself will always be a directed acyclic graph. One
representation is a set of directed edges. Another is a set of nodes with
directed edges to their dependencies.

The edges have annotations, which can distinguish between build tools, runtime
dependencies, and dependencies like 'contains' that make a derivative work.

### LicenseCondition

A LicenseCondition is an immutable tuple pairing a condition name with an
originating target. For example, per current policy, a static library licensed
under an MIT license would pair a "notice" condition with the static library
target, and a dynamic library licensed under GPL would pair a "restricted"
condition with the dynamic library target.

### ResolutionSet

A ResolutionSet is an immutable set of `AttachesTo`, `ActsOn`, `Resolves`
tuples describing how license conditions apply to targets.

`AttachesTo` is the trigger for acting. Distribution of the target invokes
the policy.

`ActsOn` is the target to share, give notice for, hide etc.

`Resolves` is the set of conditions that the action resolves.

For most condition types, `ActsOn` will be the target where the condition
originated. For example, a notice condition policy means attribution or notice
must be given for the target where the condition originates. Likewise, a
proprietary condition policy means the privacy of the target where the
condition originates must be respected. That is, the thing acted on is the
origin.

Restricted conditions are different. The infectious nature of restricted often
means sharing code that is not the target where the restricted condition
originates. Linking an MIT library to a GPL library implies a policy to share
the MIT library despite the MIT license having no source sharing requirement.

In this case, one or more resolution tuples will have the MIT license module in
`ActsOn` and the restricted condition originating at the GPL library module in
`Resolves`. These tuples will attach to (`AttachesTo`) every target that
depends on the GPL library because shipping any of those targets triggers the
policy to share the code.
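
The MIT/GPL case above, worked through as an added example; this is not the package's own code. `Condition`, `Resolution`, `closure` and `Resolve` are hypothetical names, and the model assumes every edge makes a derivative work and ignores the edge annotations the real graph carries.

```go
package main

import "fmt"

// Toy types for illustration; the real package's types and API differ.
type Condition struct{ Name, Origin string }

type Resolution struct {
	AttachesTo, ActsOn string
	Resolves           Condition
}

// closure appends t and everything reachable from t, depth first, once each.
func closure(deps map[string][]string, t string, seen map[string]bool, out []string) []string {
	if seen[t] {
		return out
	}
	seen[t] = true
	out = append(out, t)
	for _, d := range deps[t] {
		out = closure(deps, d, seen, out)
	}
	return out
}

// Resolve: "notice" acts on its origin; "restricted" acts on the whole closure.
func Resolve(deps map[string][]string, conds map[string]string, root string) []Resolution {
	var out []Resolution
	for _, t := range closure(deps, root, map[string]bool{}, nil) {
		reach := closure(deps, t, map[string]bool{}, nil)
		for _, origin := range reach {
			c := Condition{conds[origin], origin}
			switch c.Name {
			case "notice":
				out = append(out, Resolution{t, origin, c})
			case "restricted":
				for _, actsOn := range reach {
					out = append(out, Resolution{t, actsOn, c})
				}
			}
		}
	}
	return out
}

func main() {
	deps := map[string][]string{"app": {"libgpl"}, "libgpl": {"libmit"}} // constructed sample
	conds := map[string]string{"app": "notice", "libgpl": "restricted", "libmit": "notice"}
	for _, r := range Resolve(deps, conds, "app") {
		fmt.Printf("AttachesTo=%-6s ActsOn=%-6s Resolves=%s@%s\n", r.AttachesTo, r.ActsOn, r.Resolves.Name, r.Resolves.Origin)
	}
}
```

In the output, `libmit` appears in `ActsOn` with the restricted condition from `libgpl` attached to both `app` and `libgpl`, while the tuples attached to `libmit` alone carry only its own notice condition.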

## Processes

### ReadLicenseGraph

The principal means to ingest license metadata. Given the distribution targets,
ReadLicenseGraph populates the LicenseGraph for those root targets.

### NoticeIndex.IndexLicenseTexts

IndexLicenseTexts reads, deduplicates and caches license texts for notice
files. Also reads and caches project metadata for deriving library names.

The algorithm for deriving library names has not been dictated by OSPO policy,
but reflects a pragmatic attempt to comply with Android policy regarding
unreleased product names, proprietary partner names etc.

### projectmetadata.Index.MetadataForProjects

MetadataForProjects reads, deduplicates and caches project METADATA files used
for notice library names, and various properties appearing in SBOMs.