I saw that e-mail when it was sent and I thought the project was more about automating the CQ creation process. I'll take a better look and I'll try to integrate it in our pipelines.
Getting committers out of the business of creating CQs has been a longstanding goal of mine. We get most of the way there with the Dash License Tool, which does a pretty good job of finding sources and automatically vetting them. With this, we may still need to get committers engaged in the vetting process, but only in cases when we need help (which are relatively rare).
Please bear in mind that the tool is considered "experimental". Also, it only knows what you tell it. That is, it can only test the licenses of the content that you tell it about. It doesn't know to look for buried package-lock.json files or what not. Note that I still haven't quite figured out how to get it to recognise and correctly deal with "works with" dependencies.
We are looking at a tool that automates the detection of dependencies and resolution of license information with even less engagement from committers; assuming our investigation works out, implementing that is a goal for 2022.
Wayne
