#10426 Setting up Cavil for automated legal checks for packages
Closed: Upstream 7 months ago by kevin. Opened 2 years ago by ngompa.

Describe what you would like us to do:

As part of trying to add more automation and improve the quality of packaging and software shipped in Fedora, we'd like to deploy Cavil to allow us to build integrations to do legal checks/reviews on PRs and new package reviews.

This was discussed at Flock 2019 but never turned into a ticket until now, as I was reminded about this today. :sweat_smile:

This would involve packaging up Cavil and getting it to run on Fedora Infrastructure, writing an integration for providing feedback in PRs on src.fedoraproject.org and package review tickets in Bugzilla.

When do you need this to be done by? (YYYY/MM/DD)

At some point in the near future, I suppose.
2019 spot is very supportive of this. 2021 spot has no opinion on legal issues in Fedora. :)

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: high-gain, medium-trouble, mini-initiative

2 years ago

[backlog refinement]
Fedora Infra is still interested in deploying this. But there are a few questions that need to be answered @ngompa:

  • Who will maintain this?
  • Is Cavil packaged in Fedora or should it be deployed directly in OpenShift from GitHub?
  • Does just providing an AWS instance for this and letting you service it yourself suit you?
  • Is openSUSE using this? Could we use their instance?

Who will maintain this?

I'm not sure I can solely maintain the deployment, since it will contain rules for license audit/review stuff for Fedora packages. But nominally at least me, I think. Maybe also @salimma, as he expressed interest in it.

Is Cavil packaged in Fedora or should it be deployed directly in OpenShift from GitHub?

It will be packaged in Fedora. It is not yet, though.

Does just providing an AWS instance for this and letting you service it yourself suit you?

Maybe? I'm not sure.

Is openSUSE using this? Could we use their instance?

openSUSE reuses SUSE's internal instance, which is maintained by SUSE employees and administered partly by SUSE Legal. We cannot use it.

[backlog refinement]
We now have all the info we wanted, we just need to find spare cycles to work on this.

[backlog refinement]
Still waiting to get around to this.
Interested folks could also set it up in communishift so we can have a proof of concept.

[backlog refinement]
@mattdm You said you will ask Fedora legal about this. How did it go?

Metadata Update from @zlopez:
- Issue priority set to: Waiting on External (was: Waiting on Assignee)

10 months ago

[backlog refinement]
@ref @jlovejoy Could you look at this ticket? We currently want to know the opinion on this from Fedora legal.

This is currently on hold. I am willing to set it up as I did the initial investigation. But we have a lot of backlog adding new licenses to fedora-license-data. We can return to this when we are done with the SPDX migration.
You can close it for now, if it bothers you. I will reopen it when time comes.

Metadata Update from @kevin:
- Issue close_status updated to: Upstream
- Issue status updated to: Closed (was: Open)

7 months ago

Sounds like a good plan to re-investigate as @msuchy said above.

I'd like to see a demo of this tool first. I had tried to reach out to a contact at SUSE some time ago to ask about it, but he ended up moving to a different company.
