Description
As ORT takes transparency and reproducibility of results serious, currently only local directories that are under version control can serve as the input to the analyzer. This is because for such "working trees" it is machine-readable where they originate from, and also the state of the source code is encoded into the VCS revision. If a remote VCS repository is to be analyzed, it either needs to be manually cloned with the respective VCS tool or the ORT Downloader first.
However, there are use-cases where the source code to analyze never was checked into version control, and committing it to a "fake" repository just to be able to analyze it defeats the purpose of capturing genuine provenance information.
Thus the proposal is to relax / extend the valid input types for the analyzer to the following:
- local directories under version control (currently the only supported input)
- local directories not under version control (or an unsupported VCS; maybe use e.g. the SPDX package verification code as part of provenance information)
- local ZIP files (use e.g. the SHA1 / SHA256 of the archive as part of provenance information)
- Docker images (mount the image as a file system and analyze a directory inside it; use e.g. the Docker image tag / SHA1 as part of provenance information)
- Remote ZIP files / Docker images referred to by URLs (the URL plus hashes could serve as provenance information)
Open questions:
- How to ensure that following ORT tools, that may run on a different machine, has access to the source code of the project as well?
- For local directories, it could simply be a requirement that all ORT tools have to run on the same machine (or have access to the same file system with the project source code).
Related issues / PRs: