Hi, many packages already contain a SPDX tag, however I don't see a way to retrieve this information via okpg. Ideally the manifest delivered with created images would contain this information, if available.
The issue came up here, but is surely relevant at other places as well.
Thumbs up on this!
This would make public access to "personal" images and package repositories a lot easier. While the individual would still have to be able to supply the source code and build instructions, having the license and associated files as part of each of the packages and downloadable with the image is a lot easier than "tar up your build tree" and then struggle with somehow meeting all the other license requirements about what needs to be distributed with the image and most of the packages.
Compliance would still be a personal responsibility, but tooling like this makes it much less burdensome.
A couple thoughts as to what it might entail, past updating OpenWRT source and package makefiles
opkg to be able to not install certain files in the payload (licenses, NOTICE files, ...)PKG_LICENSE_FILE to be able to be a list (sometimes additional files may be required, such as the Apache license)