Frequently Asked Questions
Q: What is the FOSSology Project all about?
A: The FOSSology Project is a Free Open Source Software (FOSS) project built around an open and modular architecture for analyzing software. Existing modules include license identification, copyright scan, package header extraction, MIME type identification and reporting 'buckets'.
More than simply reporting, "Package X uses license Y," the FOSSology tool analyzes every file within the package to determine its license. The license report is thus an aggregate of all of the different licenses found to be in use by a package. A single package may be labeled as "GPL" but contain files that use other licenses (BSD, OSL, or any of the hundreds of other licenses).
Digging deeper, the FOSSology project is intended as a general-purpose data mining tool. It can be extended by adding new Agents to analyze all sorts of meta information about Free and Open Source Software -- not just licenses, but code re-use, security alerts, bug fixes and patches, project information, usage statistics -- just about anything you could imagine! This is why the name FOSSology, the study of FOSS, was chosen.
All of the software packages analyzed by FOSSology are maintained in its internal Software Repository, and the information collected by FOSSology (such as the license analyses) is maintained in its internal Database.
Q: Where did the FOSSology tool come from? Why would somebody create this tool? Who are you and what do you get out of this?
A: The FOSSology Project started as an internal software development effort within Hewlett Packard's Open Source and Linux Organization. The tool evolved over several years at HP from a few simple shell scripts to the much more comprehensive tool you see today.
HP needed a way to quickly and accurately evaluate open source software that was being proposed for use within the company as well as software that was being considered for distribution on its own or as part of an HP product or service. These tools were developed to meet this need. An internal review board uses FOSSology to alert developers and project managers to conflicts in licensing terms, potential pitfalls, source code requirements, etc.
In time, HP came to realize that this tool would be of similar value to other organizations, for the greater good of the open source community. Thus the decision was made to open source the tool and help promote its use within open source communities to help ease the confusion and uncertainty around licensing.
Q: Is FOSSology free? Is it open source? How is it licensed?
A: The FOSSology Project is free and open source software. It is available under the terms of the GNU General Public License (GPL) version 2. The documentation for the project is available under the terms of the GNU Free Documentation License (GFDL).
Q: Where can I get the FOSSology Project source code?
A: The FOSSology project source code is available from our project's Subversion repository at SourceForge.net, and source tarballs of all released versions of the project are available from our Releases area. You can find links to the source code and packages at our Download page.
Q: I'm having trouble with my FOSSology system, where do I turn for help?
A: There are many resources to help you out.
- First, take a look through the FOSSology Troubleshooting guide for some common problems and how to fix them.
- Next, you can send an email to the FOSSology mailing list, and/or join our live public IRC channel. Information on accessing either is available at Contact Us.
- If you want to dig much deeper, the best place to start is the FOSSology Developer Documentation which will walk you through the system architecture, components, low-level operations, and gory details.
Q: What platforms are supported for running FOSSology?
A: Currently we support FOSSology on most current GNU/Linux platforms. Most of our development and testing right now occurs on Debian but the tools should build and run just fine on any Linux system as long as the dependencies are met. Refer to the System Administration Documentation for more details.
Q: What software is required?
A: FOSSology consists of four major components: user interface, database, batch agents (used to analyze the code), and a software repository for storing the actual analyzed files.
- The user interface is run by a web server, so Apache 2.x with PHP5 support is required.
- The database stores information about packages, files, jobs, and everything else. Postgres 8.3 or higher is required.
- The agents consist of a scheduler and all of the analysis agents. The scheduler and agents are provided by FOSSology. However, many of the agents have external dependencies on other software packages:
- Libraries: The libraries used by FOSSology and its agents include:
  * libmagic - for determining file types, from the "file" software: ftp://ftp.astron.com/pub/file/file-4.02.tar.gz
  * libxml2 - GNOME XML library: http://gnome.org
  * libextractor - GNU file meta-data extractor: http://www.gnunet.org/libextractor/
- External Commands: FOSSology also requires several external tools, primarily for unpacking a variety of compression and archive file formats. These include:
  * ar - for extracting archives, from the binutils software: http://www.gnu.org/software/binutils/
  * bzcat - bz2 decompressor, from the bzip2 software: http://www.bzip.org/
  * cabextract - extractor for Microsoft Cabinet files: http://www.kyz.uklinux.net/cabextract.php
  * cpio - for extracting cpio archives: http://www.gnu.org/software/cpio/
  * icat and fls - forensics tools from the sleuthkit software: http://sourceforge.net/projects/sleuthkit/
  * isoinfo - read metadata info from ISO9660 images, from the mkisofs/cdrtools/cdrkit implementations (cdrkit implementation: http://debburn.alioth.debian.org/)
  * pdftotext - from the xpdf software: http://www.foolabs.com/xpdf
  * rpm and rpm2cpio - for extracting software and metadata from rpm packages: http://www.rpm.org/
  * tar - tape archive decompressor: http://www.gnu.org/software/tar/
  * upx-ucl - an executable compressor/decompressor: http://upx.sourceforge.net
  * unrar-free - Unarchiver for .rar files: https://gna.org/projects/unrar/
  * unzip - De-archiver for .zip files: ftp://ftp.info-zip.org/pub/infozip/src/
  * wget - version 1.10 or later (should be installed by default on newer Linux systems)
  * zcat - for uncompressing .gz and .Z files, from the gzip software: http://www.gzip.org/
For more details on FOSSology dependencies and installation, please refer to System Administration Documentation.
Q: How accurate is the license analysis?
A: That's a difficult question to answer given the variety of licenses, licenses that are derived from other licenses, different ways to reference a license, etc. So the best I can say is it is pretty good, but should not be considered authoritative.
Q: Does FOSSology give legal advice?
A: We are not lawyers. The code tries its best to do accurate data scans, but leaves the legal decisions on how to use and interpret the results up to your own attorneys.
Q: When I view a file, the output looks like garbage. Am I doing something wrong?
A: You are seeing garbage because the upload you analyzed is a binary file (an exe for example). So if you try to "view" a binary file, you will see what looks like garbage. You can switch to a Hex view if you want to see the value of each byte in the file.
It is important to realize that FOSSology will scan binary files; however, the license and copyright scanners only look at the printable text they find in those binary files.
Q: I would like to clean up the repository by deleting uploads older than 1 year. How can I do this? (Thanks to Ray Westphal for posting this question on the fossology mailing list.)
A: The only way to find the uploads over a year old is to do a database query:
select upload_pk from upload where upload_ts < (now() - interval '1 year') order by upload_ts;
You can then take that list and schedule the delete agent on each one of the upload_pk's with the fossjobs command (man fossjobs).
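A dry-run wrapper for the cleanup procedure above, as an added example that is not part of the FOSSology FAQ or code base. The database name `fossology`, the `DB_NAME` and `DELETE_CMD` variables and the function names are assumptions; `DELETE_CMD` stands in for the delete invocation from `man fossjobs`, which this page does not spell out.

```sh
#!/bin/sh
# Added example (not FOSSology code): dry-run planner for the cleanup above.
# Assumptions: database name "fossology" and psql access for the current user.
# DELETE_CMD is a placeholder the operator sets to the delete invocation
# documented in `man fossjobs`; the FAQ does not list its options.
DB_NAME="${DB_NAME:-fossology}"

# One upload_pk per line for uploads older than one year (the FAQ's query).
list_old_uploads() {
    psql -At -d "$DB_NAME" -c "select upload_pk from upload \
where upload_ts < (now() - interval '1 year') order by upload_ts;"
}

# Pass through only rows that are plain decimal integers. Blank lines are
# ignored; psql notices or any other text are reported on stderr and dropped,
# so nothing unexpected ends up on a destructive command line.
filter_upload_ids() {
    while IFS= read -r row; do
        case "$row" in
            '') ;;
            *[!0-9]*) echo "skipping non-numeric row: $row" >&2 ;;
            *) echo "$row" ;;
        esac
    done
    return 0
}

# Read validated ids on stdin. "dry-run" prints each command for review;
# "execute" runs DELETE_CMD once per id and stops at the first failure.
plan_deletes() {
    mode="$1"
    if [ -z "${DELETE_CMD:-}" ]; then
        echo "DELETE_CMD is not set (see man fossjobs)" >&2
        return 1
    fi
    while IFS= read -r id; do
        if [ "$mode" = "execute" ]; then
            # </dev/null keeps the command from consuming the id list on stdin
            $DELETE_CMD "$id" </dev/null || return 1
        else
            echo "would run: $DELETE_CMD $id"
        fi
    done
    return 0
}

# Typical use, reviewing the plan before anything is deleted:
#   list_old_uploads | filter_upload_ids | plan_deletes dry-run
#   list_old_uploads | filter_upload_ids | plan_deletes execute
```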