Re: Automated copyright reviews using REUSE/SPDX as alternative to DEP-5
On Wed, Jan 26, 2022 at 1:59 PM Max Mehl <max.mehl@fsfe.org> wrote:
>
> FWIW, as you may have already noticed, REUSE makes use of DEP-5 as well,
> as one (and honestly the least preferred) of the three ways how you can
> label your files. We have a better file-based format in the works [^3],
> and would probably also provide a converter from DEP-5 to this new
> REUSE.yaml format.
>
> That would mean that the REUSE helper tool in the future could take
> DEP-5 files, convert them to the modern format, and run a lint to check
> whether everything is fine – and if you want, also generate a SBOM.
>
> But already now, a DEP-5 file could be provided to REUSE. One would have
> to check whether the ones Debian provides would work in the default
> location for DEP-5 files in REUSE (`.reuse/dep5`). If not, I suspect
> there would be no large changes needed.
Probably too technical at this stage, but a conversion tool in
combination with the yaml format could actually be quite useful.
E.g. one could have a debian/REUSE.yaml sub-file for the copyright
information of the package build files and a debian/REUSE-source.yaml
file in case the source does not follow the REUSE spec. If the
reuse-tool would have an option to specify a different file for the
root REUSE.yaml, we could actually use it for all packages with
relatively low migration work on the maintainer side.
Regards,
Stephan
Reply to: