Re: [sw360-dev] request for new repository https://github.com/sw360/capywfa

Hello Gernot,

It is great news that you want to contribute this tool to the community, and under the MIT license too.
Being a veteran of the SW360 community, I have created the requested repository https://github.com/sw360/capywfa for you.

Can you please confirm "gernot-h" is your GitHub username so I can invite you as a maintainer?

Thanks and regards,
Gaurav Mishra


On Tue, 18 Mar 2025 at 16:47, Gernot Hillier via sw360-dev <sw360-dev@xxxxxxxxxxx> wrote:
Dear SW360 team!

I wrote a set of small workflow tools in Python, based on
https://github.com/sw360/capycli (which I co-maintain) to automate SW360
mapping and upload for large collections of packages. We have been using
these tools within Siemens and Siemens Healthineers for several projects
for a couple of years. From the README:

---

Main goal of this project is to automate submission of Open Source
packages to the [SW360](https://github.com/eclipse-sw360/sw360)
component catalogue, e.g. for license clearing. It is based on
[CaPyCli](https://github.com/sw360/capycli).

For now, this is mainly used for Debian and Alpine Linux packages, but
most of our building blocks might be helpful for clearing of large
collections of (linux) packages in general.

## Clearing tools

These tools are designed to provide full automation e.g. for integration
in CI pipelines, but at the same time we stay a friendly neighbour to
users creating SW360 entries interactively. Major design decisions:

* We rely on [Package URLs](https://github.com/package-url/purl-spec/)
  to identify software components and versions. We mostly avoid heuristics.
* We try hard to not create duplicates. Existing components, releases
  and attachments will be re-used if they can be identified by Package URLs.
* If no matching component is found, the SBOM item will be skipped and
  the user is asked to manually identify existing components, add
  package URLs and re-run the tool.
* New components can be created if the user adds additional meta-data to
  the SBOM e.g. to specify the component name, homepage and description.
  Please use upstream names like e.g. "Perl::Critic" instead of Debian's
  "libperl-critic-perl".
* Existing attachments may be verified. If the hash doesn't match, the
  scripts try to automatically download, extract and compare existing
  attachments.

---

We think this might be helpful for other SW360 users, too, so I
discussed this with the CaPyCli maintainer and my management and we
agreed to publish it under MIT license.

Therefore, I would like to request a new repository
https://github.com/sw360/capywfa for publishing the core. Who can help
me here, is there some process to be followed?

By the way, we also have dedicated tools for fetching Debian and Alpine
sources from snapshot.debian.org and alpine/aports, which are also in
preparation for being published.

--
Gernot Hillier
Siemens AG, Foundational Technologies
Linux Expert Center
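
The design decisions listed in the quoted README, sketched as an added example; this is not code from capywfa or CaPyCli. The function names, the action strings, the use of SHA-256 and the "create-release" step under an existing component are assumptions, and the sample purls, versions and archive bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field

REQUIRED_META = ("name", "homepage", "description")  # assumed minimum for a new component

@dataclass
class SbomItem:
    purl: str
    source: bytes = b""                        # source archive content, if at hand
    meta: dict = field(default_factory=dict)   # extra data the user added to the SBOM

def component_key(purl: str) -> str:
    """Strip subpath, qualifiers and version so the purl names the component."""
    base = purl.split("#", 1)[0].split("?", 1)[0]
    head, sep, tail = base.rpartition("/")
    return head + sep + tail.split("@", 1)[0]

def plan(item: SbomItem, components: set, releases: dict) -> str:
    """Decide the action for one SBOM item; releases maps purl -> attachment SHA-256."""
    if item.purl in releases:
        stored = releases[item.purl]
        if item.source and stored != hashlib.sha256(item.source).hexdigest():
            return "compare-attachment-contents"  # hash differs: extract and compare
        return "reuse-release"                    # exact purl match, nothing duplicated
    if component_key(item.purl) in components:
        return "create-release"                   # existing component is re-used
    if all(item.meta.get(k) for k in REQUIRED_META):
        return "create-component"                 # user supplied upstream meta-data
    return "skip"                                 # user adds a purl in SW360, then re-runs

# Constructed sample catalogue state (not real SW360 data).
SAMPLE_SOURCE = b"constructed perl source archive"
SAMPLE_COMPONENTS = {"pkg:deb/debian/perl"}
SAMPLE_RELEASES = {
    "pkg:deb/debian/perl@5.36.0-7?arch=source": hashlib.sha256(SAMPLE_SOURCE).hexdigest(),
}
```

Matching is by exact purl string only, so an item with no purl match and no meta-data is skipped rather than guessed at by name.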
