feat: Create bill of materials instead of only extracted comments #45259

Draft
wants to merge 2 commits into
base: master

susnux
Contributor

@susnux susnux commented May 10, 2024

Summary

Do not extract comments (that depends on regex) but correctly export BOM from packages used.

Checklist

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux mentioned this pull request May 10, 2024
5 tasks
@st3iny
Member

st3iny commented May 10, 2024

Does that also include license headers from our own source code or just from the packages used?

@susnux
Contributor Author

susnux commented May 10, 2024

> Does that also include license headers from our own source code or just from the packages used

No but all other licenses we depend on, as all of our code is licensed under AGPL-3.0 (some parts even AGPL-3.0+ but at least AGPL-3.0 and compatible so that we can publish it under AGPL-3.0)

@AndyScherzinger
Member

AndyScherzinger commented May 11, 2024

> No but all other licenses we depend on, as all of our code is licensed under AGPL-3.0 (some parts even AGPL-3.0+ but at least AGPL-3.0 and compatible so that we can publish it under AGPL-3.0)

Well, this might not be absolutely true in 100% of all cases while true for most. Some files do have MIT or Apache or else, while always compatible. However for any file not shipping a license header we need to have an entry in the dep5 file which is rather complicated for generated files where a wildcard would catch all files, also the ones that aren't the default license.

Do we have a chance to also generate .license files for our own files living right next to them? In that case we would have the best way to achieve reuse compliance without relying on the dep5 file. So at least for these we could then generate the files like today but for SPDX, no?

Happy to sit-down during the Berlin week 😃

@susnux
Contributor Author

susnux commented May 13, 2024

But relying on extracted comments also is not the best solution as it will likely not contain 3rdparty licenses from code bundled in. Because often 3rdparty has removed all comments from code.

> Happy to sit-down during the Berlin week 😃

Sure :)
