Validate license values

[shr-project]

This PR was motivated by this issue in superflore:
ros-infrastructure/superflore#271
superflore tries to unify at least some values to more common license identifier, but because https://www.ros.org/reps/rep-0149.html#license-multiple-but-at-least-one isn't very strict about the values and people got quite creative here and the regular expressions in superflore are in some cases "inventing" extra information like mapping "LGPL" to "LGPL-2" and in worse cases plain wrong mapping "LGPLv3" to "LGPL-2".

Superflore or any other tool, cannot guess what LGPL version developer had in mind when it isn't specified in the package.xml. Because it would need to at least investigate the actual sources for license headers there.

Instead of trying to improve the license value later, we need to warn the developer when the provided value cannot be unambiguously parsed and ask him to improve it in the package.xml in the source repo. To help with that we can show the correct value (of corresponding SPDX identifier) we've assigned from the provided license value.

And to make sure that these assigned SPDX identifiers don't do any guessing or match to too wide range of values (like in superflore) lets map them by exact string from the values currently being used in any component currently listed in rosdistro index. That way these assignments are easy to maintain and not error-prone.

Then we can take the same set of exact assignments from here and add it "temporarily" in superflore, that way the licenses which are currently incorrectly guessed will be fixed while not regressing to completely free form of license values. This is implemented in ros-infrastructure/superflore#279

rosdistro CI validation already checks for license tag existence, we can easily extend it to call this validation as well as implemented in: ros/rosdistro#26601 I've used this validation to easily get a list of all license values from all components currently listed in rosdistro index.

Some commonly used values (and some more creative):

• 4711x "BSD" unfortunately without a version, (most people who don't care about license in package.xml, probably just left the default value)
• 741x "Apache 2.0" almost SPDX, just the dash missing, possibly because it's shown as first example in https://www.ros.org/reps/rep-0149.html#license-multiple-but-at-least-one
• 81x "LGPL" unfortunately without a version
• 77x "LGPLv3"
• 75x "GPLv3"
• 73x "BSD 3-Clause"
• 63x "GPL" unfortunately without a version
  ...
• 31x "TODO"
• "WTF", "Version 2.0", "T.D.B", "See license.txt", "Check author's website", "N/A", ...
• "free for research or education purpose, all rights maintained by David Applegate, William Cook, Sanjeeb Dash, and Monika Mevenkamp"
• "TERMS OF USE FOR GUNDAM RESEARCH OPEN SIMULATOR Attribution-NonCommercial-ShareAlike"
• "United States Government Purpose"

[130s]

Great functionality! I was/am irritated by license values inconsistently named when I'm working on things like ros-infrastructure/rospkg#201. I like the direction of the feature is going. I'm not a maintainer and not so sure about the direction of the implementation though.

[130s]

I don't have an answer, but I'm afraid embedding a (huge) list of license names can be a maintenance burden (I saw you described how you made it, but still would require manual invocation in the future when updating the list is needed. Also as a disclaimer, I'm not a maintainer on this repo). Wish there's a standalone tool that provides such a list.

[shr-project]

Well, my hope is that this list is only temporary and component owners will start using valid identifiers in package.xml and eventually only the validation function will stay and all the replacements won't be needed. So the only maintenance should be to drop it in some far future.

[shr-project]

Also the list isn't complete (and cannot be), because on of the most common issues is using license like LGPL without a version, but here without checking the actual component source we cannot replace it with anything more accurate, all we can do is to show and warning and hope that the owner will improve the package.xml.

I still plan to extend the list to cover most common cases of listing multiple licenses in one tag instead of using multiple of them - just using & as separator - together with slightly different warning message suggesting to split them into multiple tags.

[gavanderhoorn]

Well, my hope is that this list is only temporary and component owners will start using valid identifiers in package.xml and eventually only the validation function will stay and all the replacements won't be needed. So the only maintenance should be to drop it in some far future.

that would be great, but I would say this is not something we can expect (ie, the: "component owners will start using valid identifiers in package.xml and eventually only the validation function will stay and all the replacements won't be needed" part).

As of today, there are 5946 packages in the ros/rosdistro db alone, with many more not registered anywhere (ie: hosted somewhere publicly but not part of a distribution). Many of those packages are old and will not be updated, but even the more recent ones will have a significant nr which will not be updated.

If you add this list, I expect it to be necessary for at least until Noetic EOLs, and probably also for a few ROS 2 versions (if you intend to add this functionality to a ROS 2 tool as well). We're talking 5+ years here.

[shr-project]

Yes, that's the far future for removal, but in the meantime we shouldn't need to update the list.

The replacements are just to have some immediate improvements where possible, while showing the corresponding SPDX in warning message. And not to regress from what superflore currently does with regexp replacements.

It's not meant to be perfect and it cannot be without parsing the actual source files with something like scancode-toolkit, because in some cases the valid identifier in package.xml doesn't match with the actual license and catkin_pkg nor superflore could detect that (even to show another warning).

[cottsay]

This seems like it might be better suited for inclusion in catkin_lint. Any thoughts on that?

[shr-project]

This seems like it might be better suited for inclusion in catkin_lint. Any thoughts on that?

I've added it to catkin_pkg only because rosdistro CI github action uses it to validate version, so I've used the same mechanism for license validation, but if more people will notice the warnings from catkin_lint then definitely it should be there (as well).

[dirk-thomas]

@shr-project Atm the PR is in draft state and has no description. Therefore I am not going to review the patch. Please add a very detailed description about what the patch is doing, why it is doing so, what the side effects are, why you think those are justified, etc.

On a first look this adds new warnings to a lot of existing packages. This on its own for already released distros is an almost guaranteed no-go.

[shr-project]

@shr-project Atm the PR is in draft state and has no description. Therefore I am not going to review the patch. Please add a very detailed description about what the patch is doing, why it is doing so, what the side effects are, why you think those are justified, etc.

It was in draft state, because I wanted to add separate warning for license values which include multiple licenses (instead of using multiple separate license tags). I've added another commit for that now and added description.

Please let me know if it makes more sense to you now.

On a first look this adds new warnings to a lot of existing packages. This on its own for already released distros is an almost guaranteed no-go.

Are developers used to use https://github.com/fkie/catkin_lint ? Would showing warning about strange license texts in components from released distros be OK if done in catkin_lint?

[cottsay]

Would showing warning about strange license texts in components from released distros be OK if done in catkin_lint?

It's certainly not a hill I'm willing to die on, but in my opinion, the warning and error messages coming out of catkin_pkg should be more along the lines of syntax, structure, or schema-level problems in the manifests - problems that could reasonably prevent accurate processing of the manifest by catkin_pkg itself, or another system that depends on catkin_pkg. It isn't a perfect parallel, but I'll note that many Linux distributions document what precise representation should be used to refer to specific licenses, but few enforce this in the packaging system itself (i.e. deb/rpm as opposed to linters and test automation).

To be clear: I think this is an excellent thing to do, I'm just not convinced catkin_pkg is the right tool for the job. I would love to see it in catkin_lint, and I would love to see widespread adoption of catkin_lint in a GitHub Action.

[shr-project]

I'm working on very similar PR for catkin_lint as well now :).

I only work with ROS when working on meta-ros, I've never used ROS as a regular developer, so I don't know what's the usual work flow for people who write package.xml. If it's common that they run catkin_lint (or that Github Actions runs it for them), then I agreed that's definitely the place where it should be validated.

[gavanderhoorn]

@cottsay wrote:

I would love to see it in catkin_lint, and I would love to see widespread adoption of catkin_lint in a GitHub Action.

industrial_ci supports catkin_lint runs natively and can be used as a GH Action.

@shr-project wrote:

If it's common that they run catkin_lint

can't speak for everyone, but I have quite a few industrial_ci configurations which have CATKIN_LINT=true.