Andreas and Harald have already written about migrating our code bases to REUSE compliant license and copyright metadata, and we have the KDE Licensing Guidelines providing a comprehensive overview on how to do this. Here are a few additional bits I learned while applying this to things I work on.

REUSE Compliance

Converting existing license and copyright information to the standardized and machine-readable SPDX format is usually the first step, and Andreas has done great work with the tooling for that. The goal for REUSE compliance however is that really every single file has SPDX data, including those where we have historically been a lot more sloppy with licensing, build system or data files for example.

Using a machine-readable format allows us to verify this automatically, by running reuse lint from the reuse command line tool.

Actually complete license information has value in itself, but being machine-readable also allows more things to be built on top of it, such as finding license compatibility issues or determining effective outbound licenses.

License Markers

Usually we put SPDX license markers into a comment at the top of a file. That is not always feasible or even possible, however, and there are alternatives.

For individual files the license information can also be put into a <filename>.license file alongside the actual file. This is useful e.g. for JSON files which cannot contain comments.

A more comprehensive option is the .reuse/dep5 file in the repository root directory. This file can contain a set of file name patterns and their associated copyright and license information. This is particularly useful for larger sets of data or asset files.

The format differs slightly from standard SPDX markers, see the REUSE docs for details.
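
The following Python script checks a directory tree for the two per-file marker placements described above: a comment inside the file, and a <filename>.license file alongside it. It is an added example, not part of the original post and not the reuse tool's own code; the function names and the sample tree are constructed for illustration, and file patterns from the dep5 file are not evaluated.

```python
import os
import re
import tempfile

# Tag names are the ones the post shows; everything else here is illustrative.
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*\S")
COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*\S")

def has_tags(path):
    """True if the file carries both a license and a copyright tag."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return bool(LICENSE_RE.search(text) and COPYRIGHT_RE.search(text))

def find_unmarked(root):
    """Return relative paths of files whose own content or sidecar lacks SPDX data."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip VCS metadata and the LICENSES/ directory holding license texts.
        dirnames[:] = [d for d in dirnames if d not in (".git", "LICENSES")]
        for name in filenames:
            if name.endswith(".license"):
                continue  # a sidecar describes its neighbour, not itself
            path = os.path.join(dirpath, name)
            sidecar = path + ".license"
            if not has_tags(sidecar if os.path.exists(sidecar) else path):
                missing.append(os.path.relpath(path, root))
    return sorted(missing)

# Constructed sample tree: header comment, sidecar, no data, and license only.
SAMPLE = {
    "src/main.cpp": "// SPDX-License-Identifier: MIT\n// SPDX-FileCopyrightText: 2021 Jane Doe\n",
    "data/stops.json": '{"stops": []}\n',
    "data/stops.json.license": "SPDX-License-Identifier: CC0-1.0\nSPDX-FileCopyrightText: none\n",
    "CMakeLists.txt": "project(demo)\n",
    "README.md": "<!-- SPDX-License-Identifier: CC0-1.0 -->\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return find_unmarked(root)

if __name__ == "__main__":
    print(demo())
```

The JSON file passes only because of its sidecar, while the README is reported because it has a license tag but no copyright tag.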

License Choices

While we usually tend to have a good idea of which license to pick for the primary content of a repository (such as the source code), ironically it’s somehow harder for secondary files (build system, metadata, etc.), and particularly for “trivial” content.

KDE’s license policy provides guidance for the build system (BSD-2-Clause); for “trivial” files the canonical way seems to be:

SPDX-License-Identifier: CC0-1.0
SPDX-FileCopyrightText: none

When introducing new licenses to a repository that way, reuse download --all conveniently adds all the necessary license texts for those.

CI Checks

With the license and copyright information now all being machine-readable, we can have the CI ensure completeness going forward. KDE’s GitLab CI is already set up to do this. Its REUSE compliance check can be enabled by adding the following line to the .gitlab-ci.yml file of a repository:

include:
  ...
  - https://invent.kde.org/sysadmin/ci-tooling/raw/master/invent/ci-reuse.yml

Examples

There is a growing number of repositories that are fully REUSE compliant, and that might serve as inspiration for how to deal with some more unusual file types: KRunner, Elisa, KHealthCertificate, Vakzination, KPkPass, KItinerary, KWeather, KPublicTransport, KOpeningHours, KOSMIndoorMap, Keysmith and probably a few more I am not aware of.

It’s obviously easier to achieve REUSE compliance on newer/smaller repositories, but this list shows it’s also possible on older/larger modules.