The FSFE's REUSE initiative, in which we're encouraging the uptake of practices which enable computer-readable licensing and copyright information, is progressing well. In the next couple of days, I'll be working on implementing these practices for a few different projects I know of, to make some examples of what a project needs to do to adhere to the REUSE practices and get a nice REUSE compliant badge!
What we've already done is to create three different Git repositories, each of which is REUSE compliant, and which demonstrate different parts of the REUSE practices. You can already have a look at them here, here and here. Here's more information about each one:
This repository contains perhaps the simplest example of a REUSE compliant program. It has a single source code file, a single license and copyright holder. As you can see if you browse it, it has a single LICENSE file, which contains a copy of the license, the GPLv3 in this case.
The LICENSE file is unchanged and used in verbatim format, which makes it possible to get an MD5/SHA1 hash of it to verify it has not been changed from the original.
There's no way to include a reasonable comment in a Markdown file, so rather than placing the license header in the README.md file, we place it separately, in README.md.license. The format of the header follows a standard format and is the same in the src/server.js source code file.
What's important to keep in mind is that aside from having a consistent style, each header also includes the SPDX-License-Identifier tag which signals which license the file is covered by, and the License-Filename tag which gives a reference to the exact license file in use (relative to the project root).
And that's pretty much it! This is a simple, REUSE compliant, project. It may not look like much, but this is now a project which any software tool supporting the REUSE practices can understand.
Building on the simple version before it, this repository looks much the same. The difference is that there are two different licenses involved. The src/index.js file is licensed under an MIT license, and the README.md under GPLv3. Since two license files are involved, we put both of them in the LICENSES/ directory and make sure to explicitly refer to them from the source files.
The final practice recommended by the REUSE project is to use the best available information in a repository and automatically create an SPDX file with license and copyright information. You should never try to do this manually: the SPDX file gets very difficult to update if you do it manually, and generating it automatically is the only sensible way to make sure it's continuously updated.
The SPDX Hello example is a repository which does exactly this. It's extraordinarily hack-ish and will break on anything which doesn't look exactly like the example, but it may serve as inspiration for further work.
The repository uses two hooks, a pre-commit and a post-commit, which anyone with commit access to the repository must make sure to enable. On each commit, the post-commit hook uses the lint-bom program from https://git.fsfe.org/reuse/lint/ (this is the very hackish part), which goes through all included files, picks out the license headers, looks at the License-Filename tags and assembles what is meant to be a complete SPDX file.
Since this is run automatically on each commit, it should always be accurate. In practice, you would want to do more than this repository does. You may want to verify the SPDX file after creation, look into adding concluded license information, and adding more metadata to the SPDX file than what I currently have.
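As an added example (not the lint-bom code and not taken from the example repositories), this Python sketch collects the per-file information described above: it reads the two header tags from each file or its .license sidecar, resolves License-Filename relative to the project root, and hashes the referenced license text. The sample tree, its file names and the 4096-character header window are constructed assumptions.

```python
import hashlib, re, tempfile
from pathlib import Path

TAGS = ("SPDX-License-Identifier", "License-Filename")  # the two tags the article names
TAG_RE = re.compile(r"(%s):[ \t]*(\S+)" % "|".join(TAGS))  # single-token values: an assumption

def read_header_tags(path):
    """Tags from the first 4096 characters (assumed header size) of the file or its sidecar."""
    sidecar = path.with_name(path.name + ".license")
    source = sidecar if sidecar.is_file() else path
    return dict(TAG_RE.findall(source.read_text(encoding="utf-8", errors="replace")[:4096]))

def check_tree(root):
    """One (file, SPDX id or 'ERROR', license file or reason, SHA-1) row per source file."""
    root, rows = Path(root).resolve(), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel.startswith((".git/", "LICENSES/")) or rel == "LICENSE" or rel.endswith(".license"):
            continue  # license texts, sidecars and VCS data carry no header of their own
        tags = read_header_tags(path)
        missing = [t for t in TAGS if t not in tags]
        lic = (root / tags.get("License-Filename", "")).resolve()
        if missing:
            rows.append((rel, "ERROR", "missing " + ", ".join(missing), None))
        # License-Filename is relative to the project root: reject paths that leave it.
        elif root not in lic.parents or not lic.is_file():
            rows.append((rel, "ERROR", "bad License-Filename", None))
        else:  # hash the license text so it can be compared with the unmodified original
            sha1 = hashlib.sha1(lic.read_bytes()).hexdigest()
            rows.append((rel, tags[TAGS[0]], tags[TAGS[1]], sha1))
    return rows

SAMPLE = {  # constructed tree with placeholder license texts, two-license layout
    "LICENSES/MIT.txt": "constructed placeholder for the MIT text\n",
    "LICENSES/GPL-3.0.txt": "constructed placeholder for the GPLv3 text\n",
    "src/index.js": "/*\n * SPDX-License-Identifier: MIT\n * License-Filename: LICENSES/MIT.txt\n */\n",
    "README.md": "# Hello\n",
    "README.md.license": "SPDX-License-Identifier: GPL-3.0\nLicense-Filename: LICENSES/GPL-3.0.txt\n",
    "src/untagged.js": "console.log('no header');\n",
    "src/escape.js": "// SPDX-License-Identifier: MIT\n// License-Filename: ../outside.txt\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return check_tree(tmp)
```

Calling demo() returns two clean rows (src/index.js and README.md via its sidecar) and two ERROR rows: one file with no header and one whose License-Filename points outside the project root.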
But this is still a functional example of what we hope REUSE will lead to: repositories, big and small, with copyrights and licenses which can be read not only by humans, but by computers too!