Session: The Many Curious Ways of FOSS Licensing and How to Fix all the Licenses

Licenses and dependencies are essential structured data attributes that we need to collect from software packages to drive software composition analysis.

Yet each package ecosystem has its own way of documenting them, which makes it difficult to expose and consume these data uniformly across package types (npm, Maven, PyPI, and so on). This matters more and more: no software product is an island built on a single technology, and modern software is routinely assembled from thousands of packages with deeply nested dependencies.
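To make the heterogeneity concrete, the following added example (written for this page, not code from the session or from any project it describes) reads constructed samples of the three declaration styles named above and maps them onto one record shape. npm's `package.json` carries a single `license` string that is documented as an SPDX expression but is not validated, plus `dependencies` and `devDependencies` maps; PyPI core metadata spreads the license over a free-text `License:` header and `Classifier: License :: ...` lines, and lists requirements as `Requires-Dist` with optional environment markers; Maven's `pom.xml` declares licenses as name/URL pairs and dependencies as `groupId:artifactId` coordinates with a scope. The output field names (`declared_licenses`, `license_kind`, `scope`) are this example's own convention, not a standard.

```python
"""Normalize license and dependency declarations from npm, PyPI and Maven
into one record shape. Added example; all inputs below are constructed."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not real packages).
NPM_PACKAGE_JSON = json.dumps({
    "name": "example-app", "version": "1.0.0",
    "license": "(MIT OR Apache-2.0)",
    "dependencies": {"lodash": "^4.17.21", "express": "4.18.2"},
    "devDependencies": {"jest": "^29.0.0"},
})
PYPI_METADATA = """Metadata-Version: 2.1
Name: example-lib
Version: 0.3.0
License: MIT License
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Requires-Dist: requests (>=2.28)
Requires-Dist: pytest ; extra == "test"

Long description body starts after the blank line and is ignored here.
"""
MAVEN_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>example-svc</artifactId><version>2.1.0</version>
  <licenses><license>
    <name>Apache License, Version 2.0</name>
    <url>https://www.apache.org/licenses/LICENSE-2.0</url>
  </license></licenses>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>32.1.2-jre</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version><scope>test</scope></dependency>
  </dependencies>
</project>
"""


def normalize_npm(text):
    pkg = json.loads(text)
    # The "license" field is meant to be an SPDX expression, but the registry
    # does not validate it, so the raw value is kept and only labelled.
    lic = pkg.get("license")
    deps = [{"name": n, "requirement": r, "scope": "runtime"} for n, r in pkg.get("dependencies", {}).items()]
    deps += [{"name": n, "requirement": r, "scope": "dev"} for n, r in pkg.get("devDependencies", {}).items()]
    return {"type": "npm", "name": pkg["name"], "version": pkg["version"],
            "declared_licenses": [{"value": lic, "source": "package.json:license"}],
            "license_kind": "spdx_expression_unvalidated" if isinstance(lic, str) else "other",
            "dependencies": deps}


def _parse_requires_dist(value):
    # "name (version-spec) ; marker"; the marker "extra == ..." makes it optional.
    req, _, marker = value.partition(";")
    m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", req)
    name, spec = m.group(1), m.group(2).strip().strip("()").strip()
    scope = "extra" if "extra ==" in marker else "runtime"
    return {"name": name, "requirement": spec or None, "scope": scope}


def normalize_pypi(text):
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break  # headers end at the first blank line; the body follows
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    licenses = [{"value": v, "source": "METADATA:License"} for v in fields.get("License", [])]
    licenses += [{"value": c, "source": "METADATA:Classifier"}
                 for c in fields.get("Classifier", []) if c.startswith("License ::")]
    return {"type": "pypi", "name": fields["Name"][0], "version": fields["Version"][0],
            "declared_licenses": licenses, "license_kind": "free_text_and_classifiers",
            "dependencies": [_parse_requires_dist(v) for v in fields.get("Requires-Dist", [])]}


def normalize_maven(text):
    root = ET.fromstring(text)

    def txt(el, tag):  # {*} matches the tag in any (or no) XML namespace
        child = el.find("{*}" + tag)
        return child.text.strip() if child is not None and child.text else None

    licenses = [{"value": txt(l, "name"), "url": txt(l, "url"), "source": "pom.xml:licenses/license"}
                for l in root.iterfind("{*}licenses/{*}license")]
    deps = []
    for d in root.iterfind("{*}dependencies/{*}dependency"):
        scope = txt(d, "scope") or "compile"  # Maven's default scope
        # <version> may be absent (managed by a parent) or an unresolved ${property}; kept raw.
        deps.append({"name": f"{txt(d, 'groupId')}:{txt(d, 'artifactId')}", "requirement": txt(d, "version"),
                     "scope": "runtime" if scope in ("compile", "runtime") else scope})
    return {"type": "maven", "name": f"{txt(root, 'groupId')}:{txt(root, 'artifactId')}",
            "version": txt(root, "version"), "declared_licenses": licenses,
            "license_kind": "free_text_name_and_url", "dependencies": deps}


def normalize_all():
    return [normalize_npm(NPM_PACKAGE_JSON), normalize_pypi(PYPI_METADATA), normalize_maven(MAVEN_POM)]


def runtime_dependency_names(records):
    """Only dependencies that ship with the product, across all ecosystems."""
    return [d["name"] for r in records for d in r["dependencies"] if d["scope"] == "runtime"]


if __name__ == "__main__":
    print(json.dumps(normalize_all(), indent=2))
```

The `license_kind` label is where the real work begins: only the npm value can even be attempted as an SPDX expression, while the PyPI and Maven values need a mapping from free text to license identifiers before licenses from different ecosystems can be compared or aggregated.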

In this session, we will first present the key ways licenses and dependencies are documented across package ecosystems and the challenges this creates.

We will then open a discussion on how we could all help improve this situation, making these data more readily consumable by everyone and enabling streamlined compliance automation.

Presenters: