Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5

To: debian-devel@lists.debian.org
Subject: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
From: Russ Allbery <rra@debian.org>
Date: Tue, 08 Feb 2022 11:44:40 -0800
Message-id: <[🔎] 87bkzhjg7r.fsf@hope.eyrie.org>
In-reply-to: <[🔎] CAKZYK48HDda1yBZ+wMsT3mG0+h1PCKMGZwGDJPSj_1OuQtLQCw@mail.gmail.com> (Stephan Lachnit's message of "Tue, 8 Feb 2022 18:53:22 +0100")
References: <CAKZYK4-v1uZgECozv44aw=U33367vB8rxn0T2OwrERXkU1OTSw@mail.gmail.com> <[🔎] 164433477648.2636895.16922257999934052669@auryn.jones.dk> <[🔎] CAKZYK48HDda1yBZ+wMsT3mG0+h1PCKMGZwGDJPSj_1OuQtLQCw@mail.gmail.com>

Stephan Lachnit <stephanlachnit@debian.org> writes:

> It would require a minor change: putting the verbatim license texts in a
> single file is not possible anymore. But I don't why just copying the
> licenses to "/usr/share/doc/PACKAGE/licenses/LICENSE" in addition to the
> SPDX formatted debian/copyright would be any worse than the current way.

I recommend thinking about how to generate an existing debian/copyright
file and putting the SPDX-formatted one in a different location.  You're
going to want to decouple the new work from any transition that requires
other people change tools.  There are a lot of tools that make assumptions
about debian/copyright, and trying to track them all down will be
counterproductive for trying to make forward progress on exposing
information in a more interoperable format.

The way I see this, there are three different things that have been
discussed on this thread:

1. Consuming upstream data in SPDX or REUSE format and automating the
   generation of required Debian files using it.

2. Exposing SPDX data for our packages for downstream consumption.

3. Aligning the standard way to present Debian copyright information with
   other standards.

I can tell you from prior experience with DEP-5 that 3 is wildly
controversial and will produce the most pushback.  There are a lot of
packagers who flatly refuse to even use the DEP-5 format, and (pace
Jonas's aspirations) I don't expect that to change any time soon.

I think that's fine for what you're trying to accomplish, because I think
1 and 2 are where the biggest improvements can be found.  As long as your
system for managing copyright and license information can spit out a DEP-5
debian/copyright file (in its current or a minorly modified format, not
with new files elsewhere that would have to be extracted from the
package), you are then backward-compatible with the existing system and
that takes 3 largely off the table (which is what you want).  Then you can
demonstrate the advantages of the new system and people can choose to be
convinced by those advantages or not, similar to DEP-5, and we can reach
an organic consensus without anyone feeling like they're forced to change
how they do things.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Russ Allbery <rra@debian.org>
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Stephan Lachnit <stephanlachnit@debian.org>

References:
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Jonas Smedegaard <jonas@jones.dk>
- Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
  - From: Stephan Lachnit <stephanlachnit@debian.org>

Prev by Date: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Next by Date: Re: Legal advice regarding the NEW queue
Previous by thread: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Next by thread: Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
Index(es):
- Date
- Thread