Copilot Lvl 2
Message 1 of 3

Open Source License Compliance - Disclosure generation

Hello,

 

I am not sure if this is the place to do it, but I have a feature request/idea for GitHub. 

 

Request: Add a section for project attribution similar to how the license of the repo is displayed. The attribution should also be retrievable via the API.

 

Reasoning:

In evaluating compliance tools and generating bill of materials and disclosure generation, several open source compliance tools struggle with extracting attribution and copyright. If there were a specific place where the project copyright info was located, or if it were retrievable via API, compliance tools would have an easier time extracting attribution and selecting which copyright notice is the correct one for the project.

 

Alternative: Best Practice additions

Alternatively, this conversation can steer in a different direction. I can also see best practice creating an ATTRIBUTION file similar to LICENSE or NOTICE. Or even to have all projects have NOTICE. Looking forward to the conversation. 

 

Thank you.

 

2 Replies
Community Manager
Message 2 of 3

Re: Open Source License Compliance - Disclosure generation

Thanks for this feedback! We're always working to improve GitHub and the GitHub Community Forum, and we consider every suggestion we receive. I've logged your feature request in our internal feature request list. Though I can't guarantee anything or share a timeline for this, I can tell you that it's been shared with the appropriate teams for consideration.

 

Please let me know if you have any other questions.

 

Copilot Lvl 2
Message 3 of 3

Re: Open Source License Compliance - Disclosure generation

Thank you @lee-dohm! Another benefit of having this feature is that GitHub is a central location; it is the source for data acquisition for many scanning tools and other related platforms. If this information were more readily available, I think it would organically trickle to other sources like Maven or platforms like Libraries.io, etc. I would also think that other development platforms would follow suit.