Re: New DEP: Usage of SDPX in debian/copyright
Jonas Smedegaard <dr@jones.dk> writes:
> Quoting Stephan Lachnit (2022-02-08 16:02:20)
>> I would like to request to take the next available DEP number (17 as of
>> today). It is about using the SPDX specification as an alternative to
>> the machine-readable debian/copyright (previously DEP-5). An initial
>> discussion was started on debian-devel [1], and since there have been
>> no large objections I would like to formalize it.
> Sorry that I initially missed it - I have now shared my objection to the
> idea at that thread:
> https://lists.debian.org/164433477648.2636895.16922257999934052669@auryn.jones.dk
The point, as I understand it, of the SPDX specification is to be even
more machine-readable, which implies to me that we could generate the
current debian/copyright format from it, and possibly vice versa. I think
the best way to move forward with compatibility with SPDX may be to
improve our side so that we can consume that format and capture all of the
same information (think JSON and YAML interoperability), which would allow
us to use tools from their ecosystem while still producing the same output
files that people are used to today.
This is a hindsight is 20/20 sort of thing, and I was among the people who
resisted doing the right thing at the time (mea culpa), but we kind of
shot ourselves in the foot with the current debian/copyright format. No
one uses our RFC-2822-style thing except us, and no one has tools for it,
so people are understandably quite reluctant to adopt it. In hindsight,
it really should have been (a restricted subset of) YAML or something else
that everyone else knows how to use; if it had been, I'm not sure we'd be
in a situation where the rest of the industry is going in a different
direction. But that's where we're at, and I think we're at significant
risk of ending up in a dead end and thus not being able to take advantage
of a ton of licensing work that's being done upstream but is in a format
that we don't use, requiring us to tediously recreate that work instead.
My goal in this discussion is to avoid that. I don't really care that
much about what the canonical output format is because, if done properly,
I think we should be able to generate multiple output formats from the
same data with minimum effort. My hope is that we can reuse standard data
in a format that upstreams will start supplying, thus reducing the amount
of Debian-specific work we need to do.
To make that concrete, I want to ship structured copyright and license
information with all of my upstream packages. I'm currently doing that in
Debian's format, but Debian's format is not useful to anyone other than
Debian. I plan on switching to SPDX or REUSE or something similar because
then someone else has a hope of being able to consume that data. The
thought of then having to do additional work when packaging to cater to
Debian is very unappealing; I want to be able to fully automate generating
the debian/copyright file from the data that I'm already maintaining
upstream.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
Reply to: