Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5

To: debian-devel@lists.debian.org, Stephan Lachnit <stephanlachnit@debian.org>
Subject: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
From: Max Mehl <max.mehl@fsfe.org>
Date: Wed, 26 Jan 2022 13:59:18 +0100
Message-id: <[🔎] 1643201224.n319bs39z7.2220@fsfe.org>
In-reply-to: <[🔎] CAKZYK4-v1uZgECozv44aw=U33367vB8rxn0T2OwrERXkU1OTSw@mail.gmail.com>
References: <[🔎] CAKZYK4-v1uZgECozv44aw=U33367vB8rxn0T2OwrERXkU1OTSw@mail.gmail.com>

Thank you Stephan for bringing REUSE into the discussion and Cc'ing me
(I am not part of this list). Please let me just add two small things to
your otherwise encompassing mail.

~ Stephan Lachnit [2022-01-26 12:49 +0100]:
> - What is REUSE?

If you have ~15min of time and rather fancy video intros than text, this
recording of a recent talk could be for you [^1]. Otherwise, please
check out the official website [^2] that also offers a tutorial that
should get you up to speed.

> Note that I don't want DEP-5 to go away - it is unlikely that every
> project will follow the REUSE spec and writing an SPDX document by
> hand has no significant advantages over DEP-5. Besides, using the
> file-exclusion function in DEP-5 for uscan is quite useful for ds/dfsg
> packages (although that could also be moved to an external file).

FWIW, as you may have already noticed, REUSE makes use of DEP-5 as well,
as one (and honestly the least preferred) of the three ways how you can
label your files. We have a better file-based format in the works [^3],
and would probably also provide a converter from DEP-5 to this new
REUSE.yaml format.

That would mean that the REUSE helper tool in the future could take
DEP-5 files, convert them to the modern format, and run a lint to check
whether everything is fine – and if you want, also generate a SBOM.

But already now, a DEP-5 file could be provided to REUSE. One would have
to check whether the ones Debian provides would work in the default
location for DEP-5 files in REUSE (`.reuse/dep5`). If not, I suspect
there would be no large changes needed.

With this, I just would like to emphasise that Debian's extra care about
proper licensing is a great plus and comes in handy if you were to
streamline and extend it by widely supported best practices like REUSE.
As Stephan said, I'd be thrilled to work together with you to make
licensing and copyright in Debian and ideally also upstream easier and
more understandable for users and developers.

Best,
Max


[^1]: https://www.sfscon.it/talks/reuse/

[^2]: https://reuse.software/

[^3]: https://github.com/fsfe/reuse-docs/issues/81

-- 
Max Mehl - Programme Manager - Free Software Foundation Europe
Contact and information: https://fsfe.org/about/mehl | @mxmehl
Become a supporter of software freedom:  https://fsfe.org/join

Reply to:

Follow-Ups:
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Stephan Lachnit <stephanlachnit@debian.org>

References:
- Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Stephan Lachnit <stephanlachnit@debian.org>

Prev by Date: Re: Services offered by Debian should be dogfooding the real packages on DSA hosts.
Next by Date: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Previous by thread: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Next by thread: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Index(es):
- Date
- Thread