Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5

To: Jonas Smedegaard <jonas@jones.dk>
Cc: debian-devel <debian-devel@lists.debian.org>, Max Mehl <max.mehl@fsfe.org>
Subject: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
From: Stephan Lachnit <stephanlachnit@debian.org>
Date: Tue, 8 Feb 2022 18:53:22 +0100
Message-id: <[🔎] CAKZYK48HDda1yBZ+wMsT3mG0+h1PCKMGZwGDJPSj_1OuQtLQCw@mail.gmail.com>
In-reply-to: <[🔎] 164433477648.2636895.16922257999934052669@auryn.jones.dk>
References: <CAKZYK4-v1uZgECozv44aw=U33367vB8rxn0T2OwrERXkU1OTSw@mail.gmail.com> <[🔎] 164433477648.2636895.16922257999934052669@auryn.jones.dk>

Hi Jonas,

On Tue, Feb 8, 2022 at 4:39 PM Jonas Smedegaard <jonas@jones.dk> wrote:
>
> I am sceptical towards this proposal.
>
> An important feature to me with current machine-readable format is that
> really it is machine-and-human-readable.

Thank you for your input! I'm aware of this concern, however I think
it is not something that can't be solved.

For one, while not as trivial to under as the current machine-readable
copyright, it's still "human-readable" (i.e. a tag:value style text
file). I would do the following comparison: if you only know Python
(DEP-5), C++ (SPDX) might look a bit weird, but you can get the gist
of it.

However, I also think the human-readable aspect is less important here
because it is an output format. What I mean with this is that the
information is already there in a human readable way: either via REUSE
or in the file headers directly. While it is theoretically possible to
write SPDX documents by hand, I would not treat them with the same
trust as one created by REUSE.

> Another important feature to me is that there is only one format (in
> addition to unformatted content, which hopefully we can put past us at
> some point).
>
> Today, I can as DD help proof-read and change *any* package in Debian.

Regarding reviews: I plan to write a SPDX-to-DEP5 converter anyway to
get a better feel for the spec. I will probably also write a copyright
review tool that will show you the copyright header of each file based
on DEP5 or SPDX information for validation / manual review. This will
make proof-reading copyright information much easier.

But to stress this again: the goal is to *replace* the manual
copyright reviews by something much better: automatic copyright
reviews. There are three areas of interest for copyright information:
a) for developers writing it b) for the user receiving it and c) the
legal side.

Regarding a: From hand DEP5 is better, but for automation SPDX is equally good.
Regarding b: I think they don't care anyway. Like which user reads the
debian/copyright really? If at all, you are interested in the
copyright of a certain library you wish to use, but this doesn't
require the extensive file-by-file information of DEP5. Most likely
the documentation provides much clearer information.
Regarding c: SPDX is as good as DEP5 if not even better due to file hashes.

> If we permit a debian/copyright format that is not human-readable, it
> means that I cannot confidently proof-read and change the contents of
> the debian subdir without the help of machine-parsers, and I would need
> to know two formats with different goals.>

I don't see the problem with machine parsers. We already use a lot of
different tools for our processes (git, dput, dpkg, debhelper,
lintian, uscan, a mail program, a text editor, ...), adding one more
shouldn't be a big deal. It needs to be provided of course, but I plan
to do that.

> I would like to instead welcome the REUSE developers in helping Debian
> evolve next version of the existing machine-readable format to better
> align with SPDX.

While this would be nice, I think this is just unrealistic. While I
may implement DEP5 output to REUSE, I still want to use SPDX because
it is already an existing industry standard having all the "features"
we want. Adding things like file hashes and referencing / merging
other DEP5 documents is certainly possible, it would make the format
less readable and in the end just SPDX looking differently.

On Tue, Feb 8, 2022 at 5:00 PM Scott Kitterman <debian@kitterman.com> wrote:
>
> Since Debian policy requires verbatim copies of licenses (or links to /usr/
> share/common-licenses), I think any policy compliant debian/copyright will
> have to be human readable, but I'm not that familiar with SPDX, so maybe it
> will surprise me.

You can find an example in my initial mail [1].

> I would be good to understand how this proposal supports Debian Policy.

It would require a minor change: putting the verbatim license texts in
a single file is not possible anymore. But I don't why just copying
the licenses to "/usr/share/doc/PACKAGE/licenses/LICENSE" in addition
to the SPDX formatted debian/copyright would be any worse than the
current way.

Regards,
Stephan

[1] https://lists.debian.org/debian-devel/2022/01/msg00309.html

Reply to:

Follow-Ups:
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Jonas Smedegaard <jonas@jones.dk>
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Jonas Smedegaard <jonas@jones.dk>

Prev by Date: Re: What are the most important projects that Debian ought to work on?
Next by Date: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Previous by thread: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Next by thread: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Index(es):
- Date
- Thread