[PATCH] Add SPDX generation target

Ian Wienand ianw at vmware.com
Wed Sep 19 22:16:11 UTC 2012


Hi,

SPDX [1] is a machine-readable specification for copyright
information.  I dare say any one of us developers who have to deal
with corporate legal departments is probably very happy with the idea
of standardised and machine readable copyright information which can
be integrated into build infrastructures and verification tools.  If
the SPDX presentation is to be believed, there is broad interest in
the format [2].  Given busybox must be one of the most passed-around
GPL components, it seems to make sense to try and support the effort.

This patch adds a "make spdx" target which creates a COPYRIGHT.spdx
file in tag/value format as per the SPDX 1.1 spec [3].  By way of
validation, I have run the generated output through the tag-to-RDF
generator provided by the SPDX tools distribution [4] and it works.

This should be considered a good starting point.  For example, I know
several parts of busybox have been pulled out of other projects
originally, and the SPDX file-format has ways of specifying this
detailed information.  If there is interest, we could do more work to
tag individual source files and have the generated SPDX be even more
descriptive.

Thanks,

-i

[1] http://www.spdx.org
[2] http://www.spdx.org/system/files/spdx_slides_v2_9.ppt
[3] http://www.spdx.org/spec
[4] http://www.spdx.org/content/tools

Signed-off-by: Ian Wienand <ianw at vmware.com>
---
 Makefile.custom                 |    5 ++
 scripts/COPYRIGHT.spdx.template |   26 +++++++++++
 scripts/create-spdx             |   91 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 122 insertions(+), 0 deletions(-)
 create mode 100644 scripts/COPYRIGHT.spdx.template
 create mode 100755 scripts/create-spdx

diff --git a/Makefile.custom b/Makefile.custom
index 6da79e6..8c8abf4 100644
--- a/Makefile.custom
+++ b/Makefile.custom
@@ -109,6 +109,11 @@ bigdata: busybox_unstripped
 .PHONY: doc
 doc: docs/busybox.pod docs/BusyBox.txt docs/busybox.1 docs/BusyBox.html
 
+# Something like a SPDX file
+.PHONY: spdx
+spdx: 
+	@$(srctree)/scripts/create-spdx $(srctree) $(objtree)/COPYRIGHT.spdx
+
 # FIXME: Doesn't belong here
        cmd_doc =
  quiet_cmd_doc = $(Q)echo "  DOC     $(@F)"
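Review bot: the `spdx:` recipe passes `$(srctree)` and `$(objtree)/COPYRIGHT.spdx` to the script unquoted, so a source or object tree path containing whitespace is split into extra arguments; quoting both arguments in the recipe avoids that. The rule line `spdx: ` also carries trailing whitespace, and the comment "Something like a SPDX file" would be more useful if it named what the target writes (COPYRIGHT.spdx in the object tree).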
diff --git a/scripts/COPYRIGHT.spdx.template b/scripts/COPYRIGHT.spdx.template
new file mode 100644
index 0000000..f36a1f7
--- /dev/null
+++ b/scripts/COPYRIGHT.spdx.template
@@ -0,0 +1,26 @@
+SPDXVersion: SPDX-1.1
+DataLicense: CC0-1.0
+
+##
+##  Busybox SPDX Copyright Info
+##
+
+## Creation Information
+Creator: Tool: Busybox
+Created: %CREATED_TIMESTAMP%
+CreatorComment: <text>Generated by Busybox build infrastructure</text>
+
+## Package Information
+PackageName: Busybox
+PackageVersion: %BUSYBOX_VERSION%
+PackageDescription: <text>BusyBox: The Swiss Army Knife of Embedded Linux</text>
+PackageDownloadLocation: git://busybox.net/busybox.git
+PackageVerifcationCode: %PACKAGE_VERIFICATION_CODE%
+
+PackageCopyrightText: <text>BusyBox is copyrighted by many authors between 1998-2012
+Licensed under GPLv2. See source distribution for detailed copyright notices</text>
+
+PackageLicenseDeclared: GPL-2.0
+PackageLicenseConcluded: GPL-2.0
+
+PackageLicenseInfoFromFiles: GPL-2.0
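Review bot: `PackageVerifcationCode:` is misspelled (the second "i" is missing); the SPDX tag is `PackageVerificationCode`, and a consumer that matches tag names exactly may ignore or reject this line, which is the one field that ties the document to the file checksums. Separately, `PackageLicenseInfoFromFiles: GPL-2.0` is hard-coded here while the generator emits `LicenseInfoInFile: NOASSERTION` for every file, so the package-level field asserts something the per-file entries do not back up; NOASSERTION would be consistent until the files are actually scanned.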
diff --git a/scripts/create-spdx b/scripts/create-spdx
new file mode 100755
index 0000000..ffa6a97
--- /dev/null
+++ b/scripts/create-spdx
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Generate a SPDX tag/value file for busybox source files.
+
+# For more information on the SPDX file format, including downloads
+# for the tools to turn the output into RDF, etc, see:
+#  http://www.spdx.org/
+
+if [ $# -ne 2 ]; then
+    echo "usage: create-spdx src-tree output-file"
+    echo "  tool will create template COPYRIGHT.spdx in output-file"
+    exit 1
+fi
+
+SRC_DIR="$1/"
+DEST_FILE=$2
+
+# Get the verison
+if [ ! -f "${SRC_DIR}/Makefile" ]; then
+    echo "Can't find top-level makefile"
+    exit 1
+fi
+BUSYBOX_VERSION=$(egrep '^VERSION =|^PATCHLEVEL =|^SUBLEVEL =' "${SRC_DIR}/Makefile" | sed 's/^.*= //' | tr '\n' '.')
+BUSYBOX_VERSION=${BUSYBOX_VERSION%?}
+echo "** Determined version ${BUSYBOX_VERSION}"
+
+# copy template into objdir
+if [ ! -f "${SRC_DIR}/scripts/COPYRIGHT.spdx.template" ]; then
+    echo "Can't find SPDX template"
+    exit 1
+fi
+echo "** Creating ${DEST_FILE}"
+cp "${SRC_DIR}/scripts/COPYRIGHT.spdx.template" "${DEST_FILE}"
+
+# replace template strings
+sed "s/%BUSYBOX_VERSION%/${BUSYBOX_VERSION}/" "${DEST_FILE}" > "${DEST_FILE}.tmp"
+mv "${DEST_FILE}.tmp" "${DEST_FILE}"
+
+DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+sed "s/%CREATED_TIMESTAMP%/${DATE}/" "${DEST_FILE}" > "${DEST_FILE}.tmp"
+mv "${DEST_FILE}.tmp" "${DEST_FILE}"
+
+# make a list of all likely source files
+SRC_FILES=$(find ${SRC_DIR} -type f -name '*.c' -print0 | xargs --null)
+
+# Now output some info for each source file.  There are additional
+# things we could do here; such as marking the "ArtifactOfProjectName"
+# for the various bits that have come from other open source projects,
+# or getting more copyright info, etc.  Possibly in the future source
+# files could have this info pre-tagged and we just concatenate it in
+# this step.
+
+echo -e "\n\n# autogenerated file info\n\n" >> "${DEST_FILE}"
+
+for f in ${SRC_FILES}
+do
+
+    echo "** Processing : ${f#SRC_DIR}"
+
+    chksum=$(sha1sum ${f} | awk '{print $1}')
+
+    # usually this is in a C comment and has *'s prepended, so just
+    # strip off anything before "Copyright"
+    copyright=$(grep 'Copyright' ${f} | sed 's/^.*Copyright/Copyright/')
+
+    echo "FileName: ${f#$SRC_DIR}" >> "${DEST_FILE}"
+    echo "FileType: SOURCE" >> "${DEST_FILE}"
+    echo "FileChecksum: SHA1: ${chksum}" >> "${DEST_FILE}"
+    echo "LicenseConcluded: GPL-2.0" >> "${DEST_FILE}"
+    echo "LicenseInfoInFile: NOASSERTION" >> "${DEST_FILE}"
+    if [ -n "${copyright}" ]; then
+        echo "FileCopyrightText: <text>${copyright}</text>" >> "${DEST_FILE}"
+    else
+        echo "FileCopyrightText: NONE" >> "${DEST_FILE}"
+    fi
+    echo  >> "${DEST_FILE}"
+
+done
+
+# the algorithm in the spec for "package verification" is to take all
+# the sha1 sums of the files, sort them, remove the newlines then take
+# the sha1 hash of that
+echo "** Creating verification hash"
+VER_FILE=$(tempfile)
+grep '^FileChecksum' "${DEST_FILE}" | awk '{print $3}' | sort | tr -d '\n' > "${VER_FILE}"
+VER_HASH=$(sha1sum "${VER_FILE}" | awk '{print $1}')
+rm -f "${VER_FILE}"
+sed "s/%PACKAGE_VERIFICATION_CODE%/${VER_HASH}/" "${DEST_FILE}" > "${DEST_FILE}.tmp"
+mv "${DEST_FILE}.tmp" "${DEST_FILE}"
+
+echo "** Done!"
\ No newline at end of file
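Review bot: the file list is built with `find ... -print0 | xargs --null` but then stored in `SRC_FILES` and iterated with `for f in ${SRC_FILES}`, which word-splits again, so the NUL separation is lost and any path containing whitespace is hashed as several non-existent files; reading the `find -print0` output directly with `while IFS= read -r -d '' f` and quoting `"${f}"` in the `sha1sum` and `grep` calls fixes this. Because only `*.c` files are collected, the verification code at the end covers those checksums and nothing else (no headers, scripts or Makefiles), which is worth stating in the comment above it or widening, since a consumer recomputing the code over the whole tree will get a different value. Smaller points: `${f#SRC_DIR}` in the "Processing" message is missing the `$` that `${f#$SRC_DIR}` has a few lines later, so the prefix is not stripped there; `tempfile` is not available everywhere and `mktemp` is the more portable choice; none of the `cp`, `sed` or `sha1sum` steps are checked for failure, so a `set -e` near the top would keep a partial COPYRIGHT.spdx from being reported as "Done!"; and the file is missing its final newline.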
-- 
1.7.4.1


