REUSE compliance tips
Andreas and Harald have already written about migrating our code bases to REUSE compliant license and copyright metadata, and we have the KDE Licensing Guidelines providing a comprehensive overview on how to do this. Here are a few additional bits I learned while applying this to things I work on.
REUSE Compliance
Converting existing license and copyright information to the standardized and machine-readable SPDX format is usually the first step, and Andreas has done great work with the tooling for that. The goal of REUSE compliance, however, is that every single file has SPDX data, including those where we have historically been a lot sloppier with licensing, such as build system or data files.
Using a machine-readable format allows us to verify this automatically, using the reuse command line tool and running reuse lint.
Actually complete license information has value in itself, but being machine readable also allows more things to be built on top of it, such as finding license compatibility issues or determining effective outbound licenses.
License Markers
Usually we put SPDX license markers into a comment at the top of a file. That’s however not always feasible or possible, but there are alternatives.
For individual files the license information can also be put into a <filename>.license file alongside the actual file. This is useful e.g. for JSON files which cannot contain comments.
A more comprehensive option is the .reuse/dep5 file in the repository root directory. This file can contain a set of file name patterns and their associated copyright and license information. This is particularly useful for larger sets of data or asset files.
The format differs slightly from standard SPDX markers; see the REUSE docs for details.
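As an added illustration (not code from this post or from the reuse tool), the following Python script shows how the three marker locations described above combine into per-file coverage. The repository contents, names and the coverage() helper are constructed for the example; it only looks for the two SPDX tags and does not replicate everything reuse lint checks.

```python
import fnmatch
import re

# A file counts as covered only when both tags are present.
TAGS = [re.compile(t + r":\s*\S+") for t in ("SPDX-License-Identifier", "SPDX-FileCopyrightText")]

def has_spdx(text):
    return all(tag.search(text) for tag in TAGS)

def dep5_patterns(dep5_text):
    """Files: patterns of each dep5 paragraph that also has Copyright and License."""
    patterns = []
    for para in re.split(r"\n\s*\n", dep5_text):
        fields = dict(re.findall(r"^([\w-]+):[ \t]*(.*(?:\n[ \t]+.*)*)", para, re.M))
        if {"Files", "Copyright", "License"} <= fields.keys():
            patterns += fields["Files"].split()
    return patterns

def coverage(tree):
    """Map each content file in tree (path -> text) to the mechanism covering it."""
    patterns = dep5_patterns(tree.get(".reuse/dep5", ""))
    result = {}
    for path, text in tree.items():
        if path.endswith(".license") or path.startswith((".reuse/", "LICENSES/")):
            continue  # licensing metadata itself, skipped in this example
        if has_spdx(text):
            result[path] = "header"
        elif has_spdx(tree.get(path + ".license", "")):
            result[path] = "sidecar"
        elif any(fnmatch.fnmatchcase(path, p) for p in patterns):
            result[path] = "dep5"
        else:
            result[path] = None  # no marker found: a lint run would flag this file
    return result

# Constructed sample repository: all paths, names and contents are made up.
SAMPLE = {
    "CMakeLists.txt": "# SPDX-FileCopyrightText: 2021 Jane Doe <jane@example.org>\n"
                      "# SPDX-License-Identifier: BSD-2-Clause\nproject(demo)\n",
    "data/config.json": '{"key": 1}\n',
    "data/config.json.license": "SPDX-FileCopyrightText: none\nSPDX-License-Identifier: CC0-1.0\n",
    "icons/app.png": "(binary data)",
    "src/helper.py": "print('no marker here')\n",
    ".reuse/dep5": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\n\n"
                   "Files: icons/*\nCopyright: 2021 Jane Doe <jane@example.org>\nLicense: CC-BY-SA-4.0\n",
}

if __name__ == "__main__":
    for path, how in coverage(SAMPLE).items():
        print(f"{path}: {how or 'MISSING'}")
```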
License Choices
While we usually have a good idea of which license to pick for the primary content of a repository (such as the source code), ironically it’s somehow harder for secondary files (build system, metadata, etc.), and particularly for “trivial” content.
KDE’s license policy provides guidance for the build system (BSD-2-Clause), the canonical way for “trivial” files seems to be:
SPDX-License-Identifier: CC0-1.0
SPDX-FileCopyrightText: none
When introducing new licenses to a repository that way, reuse download --all conveniently adds all the necessary license texts for those.
CI Checks
With the license and copyright information now all being machine readable, we can have the CI ensure completeness going forward. KDE’s GitLab CI is already set up to do this; its REUSE compliance check can be enabled by adding the following line to the .gitlab-ci.yml file of a repository:
include:
  # ... (other includes already in the file)
  - https://invent.kde.org/sysadmin/ci-tooling/raw/master/invent/ci-reuse.yml
Examples
There is a growing number of repositories that are fully REUSE compliant, and that might serve as inspiration for how to deal with some more unusual file types: KRunner, Elisa, KHealthCertificate, Vakzination, KPkPass, KItinerary, KWeather, KPublicTransport, KOpeningHours, KOSMIndoorMap, Keysmith and probably a few more I am not aware of.
It’s obviously easier to achieve REUSE compliance on newer/smaller repositories, but this list shows it’s also possible on older/larger modules.