Licence check support/tooling

[mhdawson]

The OpenJS foundation has good guidance/recommendations for Licences in the IP policy. -> https://openjsf.org/wp-content/uploads/sites/84/2019/10/OpenJS-Foundation-IP-Policy-2019-10-22.pdf

It would add value if we also had a well defined way/tooling to scan/check repos for licences. I expect this would be the case for other Foundations as well.

I think checks should include:

1. Is there a licence (every repo should have one)
2. What licence is stated and that it is one allowed by IP policy, along with a way the repo can indicate it is an exception
3. No files within the repo reference a licence that is not in the IP policy

Ideally the tooling would allow a job to run periodically, that job would generate a summary and if there were new "failures" we could alert on that.

@brianwarner, @jorydotcom are you aware of any such tooling in place for any of the other Linux Foundation projects?

[mhdawson]

Discussion from CPC meeting today:

• Jordan - repo-report (done through major league hacks), scans all repos that he has access to and.
  Could add license check.
• Michael, that would be a great starting point.

Jordan will work with Michael to add license checks and we can go from there.

[ljharb]

https://github.com/ljharb/repo-report could pretty easily add a "metric" for "has a license file, with an approved license"; happy to get that added (any other kind of community health files, as well, altho it'd need to take into account the repo's org/user's .github repo)

[ShubhraKar]

In LFX, we have license reporting by the repositories, packages, referencing manifest file for the libraries used in the core project as well as packages that are listed as dependencies in the manifest files (example package.json). However we we don't have a policy engine. We can implement that quickly if the community is open to collaborating.

[rginn]

Thanks @ljharb and @ShubhraKar. I've invited Shubhra to our CPC meeting on Jan 18 to explore areas of collaboration on this tool. Cc: @mhdawson

[mhdawson]

@rginn thanks that sounds good. I think adding to the common tool would be interesting.

[mhdawson]

• Next step is for LF to respond on whether they are going to take ownership for providing something and if so, what timing would look like.

[joesepi]

This was announced and is something LF IT should consider for this sort of effort.
openjs-foundation/cross-project-council#1017 (comment)

[joesepi]

This could be good to have this sort of "checking" for two use cases:
- have the foundation run this on projects repos/org for licenses and coc and other requirements
- directions for projects (in cpc/project-resources directory) to run it themselves in their org to test regularly; as Michael Dawson said: Node.js creates repos regularly; would be good to run regularly to be sure licenses are present and acceptable

[ljharb]

This can be done in CI, with https://npmjs.com/repo-report, and a github token that has write access or higher to all the relevant repos.

[bensternthal]

Tagging in @vvalderrv and @tykeal this could be part of the infra workstream/in scope of that workstream.

[bensternthal]

Added to Jira for IT https://jira.linuxfoundation.org/browse/RELENG-4796