On Friday, 24 July 2020 14:40:15 CEST Stuart D Gathman wrote:
On Fri, 24 Jul 2020, Jason Tibbitts wrote:
> Are any of the following acceptable?
>
> 1) Trust the packager to do a license review, with no reviewer
> verification.
Definitely need a second opinion IMHO (IANAL).
> 2) Trust the output of an automated tool which attempts to detect
> project licenses (such as askalono).
My understanding is that such tools are pretty accurate when a license
is positively identified, and this can be a reasonable 2nd opinion.
When the tool fails to find or confirm a license, then manual search may be
required.
> 3) Trust the license tag from a project hosting service such as github?
> (I understand that the answer may depend on the hosting service.)
Ask a real lawyer. I would be inclined to not trust the service, but
it might count as "due diligence".
I want to clarify that the tool used (askalono) does not work with the Github
"license field" but works by analysing all the files and looking for licence
texts and SPDX tags.