Looking for some real-world documentation/experiences on how OSPOs handle license tracking in 3rd-party dependencies #389
Replies: 2 comments
-
anonymous person answered: This is a benefit to using ClearlyDefined for license information. ClearlyDefined does scan all of the files (using scancode-toolkit).
-
I gave a talk at WordCamp US 2023 on how to use a GitHub Action to ensure code is GPL-compatible. While the approach is specific to the GPL license, it does highlight a way to leverage a GitHub Action to (1) scan the current codebase and (2) validate all future PRs to ensure no infringing licensed dependencies are added. Note that it relies on dependency-review-action for the source of its analysis.
-
This discussion thread is mirrored from the TODO Slack Channel and is anonymized
I am looking for some real-world documentation/experiences on how OSPOs handle license tracking in 3rd-party dependencies. For example, when using Boost (as a library), is it the default to actually go through all 76253 files and check for surprising copyright/license hints in the headers, or is it common/acceptable practice to just trust the top-level/package-level information, LICENSE_1_0.txt in this case?
Asking because I think one would actually need to verify manually to be sure, but I have the gut feeling that many will not actually do it and trust the package-level information. If so, I'd like to know the reasoning.
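A lightweight illustration of the header-versus-top-level check the question raises, as an added example (not from this thread, and not scancode-toolkit): it walks a tree, reads each source file's header for SPDX tags or license wording, and flags any file whose header names a license other than the declared one, or none at all. The Boost-like tree, the keyword table and the function names are constructed for the example.

```python
# Added example, not scancode-toolkit: compare file headers with the declared license.
import re
import tempfile
from pathlib import Path

SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
HINTS = {  # keyword hints for a few licenses; constructed, deliberately small
    "BSL-1.0": re.compile(r"Boost Software License", re.I),
    "GPL": re.compile(r"GNU General Public License", re.I),
}
SOURCE_SUFFIXES = {".h", ".hpp", ".ipp", ".c", ".cpp", ".py"}

def license_hints(text, header_lines=40):
    """License identifiers hinted at in the first header_lines lines."""
    head = "\n".join(text.splitlines()[:header_lines])
    found = set(SPDX_RE.findall(head))
    found.update(name for name, pat in HINTS.items() if pat.search(head))
    return found

def scan_tree(root, declared):
    """Map path -> hints for source files naming a non-declared license or none."""
    root = Path(root)
    surprises = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        hints = license_hints(path.read_text(errors="replace"))
        if not hints:
            surprises[path.relative_to(root).as_posix()] = ["<no hint>"]
        elif hints - {declared}:
            surprises[path.relative_to(root).as_posix()] = sorted(hints)
    return surprises

def build_sample_tree(root):
    """Constructed Boost-like tree: clean header, vendored MIT, GPL wording, no header."""
    files = {
        "LICENSE_1_0.txt": "Boost Software License - Version 1.0\n",
        "boost/core.hpp": "// Distributed under the Boost Software License\n",
        "boost/vendored/tiny.h": "/* SPDX-License-Identifier: MIT */\n",
        "boost/detail/bits.ipp": "// see the GNU General Public License\n",
        "boost/plain.hpp": "#pragma once\nint x;\n",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)

def demo(declared="BSL-1.0"):
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_tree(d, declared)
```

Files with no header at all are reported separately from files naming a different license, since the two cases call for different follow-up (ask the upstream, or treat as a real licensing conflict).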