[WIP] update licenses

[MartinsNadia]

Open the new one to fix the origin branch

[eessi-bot]

Instance eessi-bot-mc-aws is configured to build for:

• architectures: x86_64/generic, x86_64/intel/haswell, x86_64/intel/skylake_avx512, x86_64/amd/zen2, x86_64/amd/zen3, aarch64/generic, aarch64/neoverse_n1, aarch64/neoverse_v1
• repositories: eessi.io-2023.06-compat, eessi-hpc.org-2023.06-software, eessi-hpc.org-2023.06-compat, eessi.io-2023.06-software

[eessi-bot]

Instance eessi-bot-mc-azure is configured to build for:

• architectures: x86_64/amd/zen4
• repositories: eessi.io-2023.06-compat, eessi-hpc.org-2023.06-compat, eessi-hpc.org-2023.06-software, eessi.io-2023.06-software

[MartinsNadia]

WIP

adding a new licenses update script PR 457;
adding draft yml file

[ocaisa]

Just had an initial look, perhaps you can add the current output of the script in a gist and link to this issue?

[ocaisa]

Should use specific version here, see other workflows

[ocaisa]

Also needs specific commit

[ocaisa]

This is not the correct branch for EESSI

[ocaisa]

Doesn't this mean that if a PR adds software, then it will trigger another PR to add the licence of the software to the yaml file? Instead, wouldn't you want to make a suggestion that they add the licence as part of the original PR?

[ocaisa]

This action is being given a lot of power at a global level, do we really need it to have write permissions? Isn't it enough that we get a notification if it fails?

[ocaisa]

Rather than auto-apply a patch, can a code suggestion be made (or a PR to the source repo using a token without write permission to EESSI)?

[ocaisa]

Duplicate file?

[ocaisa]

You are going to need to extract the software name from the easystack file, that is complicated. Perhaps instead you should add easystack (and easyconfig) support to update_licenses.py?

[ocaisa]

This could also help you decide where to look for licenses (since you have access to source_urls)

[ocaisa]

The other option is to gather software (and extension) names via Lmod and then check them against the yaml file.

[ocaisa]

Why wouldn't the PR be created? Wouldn't that mean the previous step will have failed?

[hvelab]

spare thoughts right now:

• i kept the retrieval date because the original script did so, but i dont see much sense in keeping it, I would keep the license url instead
• there are a lot of not found but i expect them to be less of them as right now some source_urls are still formatted with EB syntax but it my priority to fix it tomorrow
• need to fix the "needs manual action" part as its case sensitive right now with the "Other" licenses

[ocaisa]

How did this end up with Other? I see it is GPL v2 at https://gitlab.gnome.org/Archive/atk

[ocaisa]

Hmm, some of these are going to need some discussion. The license of this is at https://github.com/redhotpenguin/perl-Archive-Zip?tab=License-1-ov-file#readme and it is GPL1+ or an artistic licence. If we are going to put Other we'll need a link to the licence if possible and possibly another field permission_to_redistribute

[hvelab]

Agree, this is the plain response from the ecosyste.ms API: https://repos.ecosyste.ms/api/v1/repositories/lookup?url=https%3A%2F%2Fgithub.com%2Fredhotpenguin%2Fperl-Archive-Zip

Will work today on a "smarter" way to do this and to scrape other sources because there are much more not found licenses than found or other

[ocaisa]

License for this is https://github.com/apache/arrow/blob/main/LICENSE.txt ("Apache-2.0")

[ocaisa]

Apache 2.0 from https://github.com/bazelbuild/bazel/blob/master/LICENSE

[ocaisa]

MIT from https://pypi.org/project/beautifulsoup4/

[ocaisa]

https://www.ffmpeg.org/legal.html

[hvelab]

Updates:

• Fixed bug and now finds more licenses
• Now shows the real api call from where it got the license
• For the "Other" and "not found", does an scraping to go find the LICENSE file -> we need to find a way to retrieve the spdx from there
• This needs to be improved for the packages with "Others"
• For the totally "not found", shows source_urls and homepages, seems that most of them need to be sanitized or do the scraping from there, add more keywords

[hvelab]

finished doing manual checks (while watching some random movie on the TV), we would just need permission for PGPLOT (https://sites.astro.caltech.edu/~tjp/pgplot/#copyright), and for CUDA im not sure if the propietary license allows us to redistribute it
the scraper (aside from update_licenses.json) is good for an initial populate but to cover every single case is very difficult and required much more manual checks than expected, at least is done for now, for all software available in EESSI excluding extensions, which is my next focus, such as enforcing specifying the license from EB files

could try from a hook and if it fails then request the manual action? again, it's very difficult to scrape it from webpages and sometimes requires human interpretation

[laraPPr]

@ocaisa should this be closed and moved to https://github.com/EESSI/software-layer-scripts?