Badly formatted copyright report is generated
Affected images versions
All
Background
Apertis CI pipelines create a copyright report using scan-copyrights, in order to provide more accurate information. The workflow is more or less like:
- scan-copyrights creates a report guessing the license and copyright information
- in case of unknown license/copyright, the information in debian/copyright is used to fill the gaps and extend the report
The problem is that, in case of unknown license, the way the report is extended might lead to a report that does not follow the standard, which states that the latest entries in the file have precedence. For instance, file stanzas using wildcards can be found later in the file, and these will override the more accurate information.
https://gitlab.apertis.org/pkg/iptables/-/blob/apertis/v2025dev1/debian/apertis/copyright?ref_type=heads
https://gitlab.apertis.org/pkg/iptables/-/blame/apertis/v2025dev1/debian/apertis/copyright?ref_type=heads#L341
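A check for the ordering problem described above, as an added example that is not part of the Apertis tooling. It assumes "the standard" is the Debian machine-readable copyright format, where the last Files paragraph matching a file applies to it. The sample stanzas, the paths, the function names and the specificity heuristic are all constructed for illustration.

```python
import re

# Constructed excerpt in the machine-readable debian/copyright format; paths and licenses
# are invented. The trailing "Files: *" stanza mimics a report extended after the fact.
SAMPLE = """\
Files: src/parser.c
Copyright: 2001 Example Author
License: BSD-3-Clause

Files: include/*
Copyright: 1999 Example Corp
License: LGPL-2.1+

Files: *
Copyright: 2000 Example Project
License: GPL-2
"""

def parse_files_stanzas(text):
    """Return [(patterns, license short name)] for each Files paragraph, in file order."""
    stanzas = []
    for para in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in para.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of the previous field
                fields[key].append(line.strip())
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = [value.strip()]
        if "Files" in fields:
            stanzas.append((" ".join(fields["Files"]).split(), fields.get("License", [""])[0]))
    return stanzas

def matches(pattern, path):
    """'*' matches any run of characters (slashes included), '?' one; escapes not handled."""
    regex = "".join({"*": ".*", "?": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(regex, path, re.S) is not None

def find_overrides(stanzas, paths):
    """Paths whose applied (last) match has fewer literal characters than an earlier match."""
    findings = []
    for path in paths:
        hits = [(len(re.sub(r"[*?]", "", p)), p, lic)
                for pats, lic in stanzas for p in pats if matches(p, path)]
        if len(hits) > 1:
            best, last = max(hits[:-1]), hits[-1]
            if best[0] > last[0] and best[2] != last[2]:
                findings.append((path, best[2], last[2], last[1]))
    return findings
```

Each finding is a tuple of the path, the license from the more specific stanza, the license the report actually yields, and the later pattern that overrides it. The list of paths would come from the unpacked source tree.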
Steps to reproduce
Retrigger ci-license-scan for iptables
Expected result
A valid copyright report is generated
Actual result
A copyright report which does not follow the specification is generated
Reproducibility
Put the
- ✅ always for packages that need to fill unknowns
- often, but not always
- rarely
Impact of bug
This issue causes the BOM for licensing to report wrong licenses and copyright holders
Attachments
Root cause
To be confirmed, but most probably due to this
Outcomes
Management data
This section is for management only, it should be the last one in the description.
/cc @andrunko @em @Balasubramanian @sudarshan @wlozano
Phabricator link: https://phabricator.apertis.org/T10299