Detailed software provenance disclosure

[pombredanne]

Here is a suggestion for this policy:

Given a piece of software under consideration, the provenance (aka. origin and license) of every third-party components included in that software should be well known and eventually disclosed by the provider.

The benefits are obvious: knowing the license is essential to be allowed to use the code; and knowing the detailed origin is important to evaluate the originality, quality and eventual bugs or security issues related to the software under consideration.

For that there are a few good free and open source tools that can help uncover provenance data:

• ScanCode (disclosure: I am one of the maintainers) : https://github.com/nexB/scancode-toolkit (Python)
• @bobgob Fossology : https://github.com/fossology/fossology (C/C++ and PHP)
• @dmgerman Ninka: https://github.com/dmgerman/ninka (Perl)
• @benbalter Licensee : https://github.com/benbalter/licensee (Ruby)
• @flavorjones and @mainej Licensor: https://github.com/pivotal/LicenseFinder (Ruby)