Support (company-)global license choices independently of the package or project #4379

Open
porsche-rishisaxena opened this issue Aug 20, 2021 · 5 comments
Labels
configuration About configuration topics enhancement Issues that are considered to be enhancements

Comments

@porsche-rishisaxena

Description:
During the analysis, we found there are multiple ways of curating license(s) using either curation.yml or .ort.yml. Can "License Finding", "Policy Rule Violation" and "License Choices" also be part of curation.yml as well?

Reason:
As the developers are not aware of the license model(s) and what to curate, this is a dedicated responsibility of the curation team in conjunction with the Legal team, which will allow the curation team to configure the license finding using Curation.yml.

Understanding:
If there is already a way to conclude multiple licenses in Curation.yml, then we would like to understand how?

Proposal:
curation-config

@MarcelBochtler
Member

Hi @porsche-rishisaxena, do I understand you correctly that you differentiate between the project-local .ort.yml and an ORT-global configuration possibility?
Or is it really important for you that the curations.yml is being used?

License Choices
License choices for the .ort.yml were implemented in this PR (for reference).
In discussions in the corresponding issues we were already talking / planning to provide global license choices. But this is not yet implemented.
IMO this shouldn't be done in a curations.yml but rather in a separate licenseChoices.yml.

Resolutions
Can already be set globally: https://github.com/oss-review-toolkit/ort/blob/master/docs/config-file-resolutions-yml.md.

License finding curations
Can be set globally using package-configurations: https://github.com/oss-review-toolkit/ort/blob/master/docs/config-file-package-configuration-yml.md.

@MarcelBochtler
Member

Understanding:
If there is already a way to conclude multiple licenses in Curation.yml, then we would like to understand how?

Not sure if I understand this correctly. You can conclude one SPDX license expression per package ID.

You can either conclude licenses for every package in a single curations.yml file and use ORT's analyzer with --package-curations-file:

- id: "Maven:com.example:package:1.2.3"
  curations:
    comment: |
      Example curation
    concluded_license: "(GPL-2.0-only OR MIT) AND Apache-2.0"

- id: "Maven:org.oss-review-tookit:another-package:0.0.0"
  curations:
    comment: |
      Another example curation
    concluded_license: "Apache-2.0"

Or use multiple yaml-files in a directory structure using ORT's analyzer option: --package-curations-dir
(the helper-cli has a function to create curations in this directory structure: https://github.com/oss-review-toolkit/ort/blob/master/helper-cli/src/main/kotlin/commands/packagecuration/CreateCommand.kt)

@porsche-rishisaxena
Author

Hi @MarcelBochtler,

  1. Yes, we clearly differentiate between the project-local and global config. The reason being, in the Porsche context, we have logically decoupled the responsibility between development teams (responsible for running the analyzer) and the curation team (responsible for curating, for example: packages, license findings, incorrect copyright holder names, concluding licenses).

  2. Introducing LicenseChoices.yml can also be a viable solution for us. Our intent is to have a global config file, controlled centrally, to handle multiple license choices as part of the curation process, as the curation team is working very closely with the legal team on setting up the configuration, and a higher degree of re-usability of the configurations by our developers.

For concluding licenses, thank you for the hint. We will test this in order to see the expected results.

@sschuberth sschuberth added question An issue that is actually a question configuration About configuration topics labels Dec 7, 2022
@sschuberth
Member

@porsche-rishisaxena is there anything left to be done / discussed as part of this issue, or can we close it?

@sschuberth
Member

After talking to @porsche-rishisaxena, my understanding is that the only feature request left is a global unconditional license choice, like given: "MIT OR GPL-2.0-only" apply always choice: "MIT" independently of the package or project.
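
What the requested global, unconditional choice would do to the concluded licenses from the curations example earlier in this thread, as an added illustration that is not ORT code and not ORT configuration syntax. It assumes expressions made only of license ids, AND, OR and parentheses, and every function name in it is made up here.

```python
import re

TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

def parse(expr):
    """Return a license id (str) or (op, frozenset_of_children); operand order is ignored."""
    tokens, pos = TOKEN.findall(expr), 0

    def operand():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return tok
        node = level("OR")
        pos += 1  # consume ")"
        return node

    def level(op):  # AND binds tighter than OR, as in SPDX expressions
        nonlocal pos
        parse_child = operand if op == "AND" else (lambda: level("AND"))
        items = [parse_child()]
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            items.append(parse_child())
        return items[0] if len(items) == 1 else (op, frozenset(items))

    return level("OR")

def apply_choice(node, given, choice):
    """Replace every sub-expression equal to `given` with `choice`."""
    if node == given:
        return choice
    if isinstance(node, str):
        return node
    op, children = node
    new = frozenset(apply_choice(c, given, choice) for c in children)
    return next(iter(new)) if len(new) == 1 else (op, new)

def render(node, parent=None):
    if isinstance(node, str):
        return node
    op, children = node
    text = f" {op} ".join(sorted(render(c, op) for c in children))
    return f"({text})" if parent and parent != op else text

def apply_global_choice(concluded, given, choice):
    """Apply one choice to every package, independently of package or project."""
    g, c = parse(given), parse(choice)
    if isinstance(g, str) or g[0] != "OR" or c not in g[1]:
        raise ValueError("choice must be one operand of the given OR expression")
    return {pkg: render(apply_choice(parse(e), g, c)) for pkg, e in concluded.items()}
```

Because operands are compared as sets, the global entry "MIT OR GPL-2.0-only" also matches the curation's "GPL-2.0-only OR MIT"; rendering sorts operands, so the output order can differ from the input.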

@sschuberth sschuberth changed the title Curation.yml Configuration Capability Enhancement Request Support (company-)global license choices independently of the package or project Dec 9, 2022
@sschuberth sschuberth added enhancement Issues that are considered to be enhancements and removed question An issue that is actually a question labels Dec 9, 2022