Dear all,
It occurred to me today what a beautifully elegant solution REUSE offers
to one of the most frequent frustrations in FOSS licence compliance.
Free and open source projects are often developed with the assumption
that contributions are made in good faith, but this sometimes means that
it can go a long time before licensing issues are noticed. One familiar
occurrence is for a project to contain files with ambiguous copyright
status, as they were copied from an earlier project. Another is where a
'public domain' declaration was made for some files, but it isn't clear
whether or not this is actually compatible with the FOSS licence
covering the project.
Free software distributions like Debian or Fedora have lots of issue
tracker, email and forum threads about precisely such situations. Often,
the agreed course of action is to "wait until the problem is fixed
upstream before packaging the software", but this decision can get
forgotten just as easily as the upstream issue was missed in the first
place. Thus, the ongoing licence compliance and resolution is based on
the 'organisational knowledge' of various groups in the supply chain
between upstream FOSS projects and their varied users and distributors.
If the upstream project utilizes REUSE, however, the problem becomes a
lot easier to keep track of. The questionably licensed files can be
annotated with statements such as this:
// SPDX-License-Identifier: LicenseRef-FIXME-Unknown-Author
As per the REUSE specification, there would be a file at the path
LICENSES/LicenseRef-FIXME-Unknown-Author.txt in which useful background
about the issue could be stored.
This doesn't abuse the SPDX License List, because SPDX is explicit in
declaring that 'LicenseRef' identifiers are local in scope to the
Software Bill of Materials in which they are used. In the context of
REUSE, this translates to being local in scope to the source code
repository of the REUSE-compliant FOSS project. LicenseRef identifiers
are never assumed to have any inherent or universal meaning.
I think this seems such a powerful case for employing REUSE because it
is equally visible to legal experts and software engineers.
A licence compliance specialist doing an audit of the project (be that
on behalf of another free software project like Debian or a commercial
redistributor) would start by looking at the LICENSES directory.
Immediately, the files like LicenseRef-FIXME-Unknown-Author.txt would be
apparent, and a quick invocation of the 'reuse' program on the command
line would point to the exact files whose licensing was in question.
Just as naturally would the issue be apparent to a software engineer
working on the FOSS project (or, indeed, a fork or vendored copy of the
FOSS project). The SPDX-License-Identifier comments or associated
'.license' files would clearly state 'FIXME', a frequently-used term to
mark any kind of potential problem with a piece of code, and one that is
even highlighted by default in many code editors. As with the licence
compliance specialist, the software engineer can find exactly where to
look for more information.
Hopefully my ruminations in this email might inspire others to make
REUSE an essential mechanism for how they go about free and open source
licence compliance, and illustrate one case of REUSE not just being a
mere alternative to monolithic COPYING or LICENSE files. With all the
conventional licensing and copyright information neatly arranged
according to REUSE, you can make problematic details stand out much
more effectively.
Best wishes,
Sebastian
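As an added illustration of the audit described in the email above (this is example code written for this page, not part of the original message, the REUSE tool or the SPDX project), the following script walks a source tree the way a `reuse lint` run would and collects the `SPDX-License-Identifier` tags from file headers and sidecar `.license` files. It then reports every `LicenseRef-FIXME-*` identifier together with the files it covers and whether a matching `LICENSES/<id>.txt` note exists to explain the problem. The repository layout, the file names and the second identifier `LicenseRef-FIXME-Public-Domain-Compat` are constructed for the demonstration; only `LicenseRef-FIXME-Unknown-Author` comes from the email.

```python
"""Added example: a small REUSE-style audit for LicenseRef-FIXME-* tags.
Not the `reuse` tool's own code; the demo repository below is constructed."""
import os
import re
import tempfile
from collections import defaultdict

# Matches a single SPDX identifier; compound expressions ("A OR B") are
# deliberately not parsed here, only the first identifier is captured.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
# REUSE only gives LicenseRef- identifiers meaning inside this repository,
# so a FIXME convention like this is safe to adopt locally.
FIXME_PREFIX = "LicenseRef-FIXME-"


def license_id_for(path):
    """Return the SPDX identifier for `path`: a sidecar `<path>.license`
    file wins if present, otherwise the first tag in the file's header."""
    sidecar = path + ".license"
    source = sidecar if os.path.exists(sidecar) else path
    with open(source, encoding="utf-8", errors="replace") as fh:
        head = fh.read(4096)  # licence headers sit at the top of the file
    m = SPDX_TAG.search(head)
    return m.group(1) if m else None


def audit(repo):
    """Map each identifier to its files and flag FIXME refs that lack a
    LICENSES/<id>.txt note. Returns (by_id, fixme_report)."""
    by_id = defaultdict(list)
    for root, dirnames, filenames in os.walk(repo):
        # LICENSES/ holds licence texts, not licensed sources; skip VCS data.
        dirnames[:] = [d for d in dirnames if d not in ("LICENSES", ".git")]
        for name in filenames:
            if name.endswith(".license"):
                continue  # sidecars are read through the file they describe
            full = os.path.join(root, name)
            rel = os.path.relpath(full, repo).replace(os.sep, "/")
            by_id[license_id_for(full)].append(rel)
    report = {}
    for ident, paths in by_id.items():
        if ident and ident.startswith(FIXME_PREFIX):
            note = os.path.join(repo, "LICENSES", ident + ".txt")
            report[ident] = {"files": sorted(paths),
                             "has_note": os.path.exists(note)}
    return by_id, report


def build_demo_repo():
    """Construct a throwaway repository (sample data, not a real project)."""
    repo = tempfile.mkdtemp(prefix="reuse-demo-")

    def put(rel, text):
        full = os.path.join(repo, rel)
        os.makedirs(os.path.dirname(full) or full, exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    put("README", "Demo project without any licence header.\n")
    put("src/main.c",
        "// SPDX-License-Identifier: GPL-3.0-or-later\nint main(void){return 0;}\n")
    put("src/legacy.c",
        "// SPDX-License-Identifier: LicenseRef-FIXME-Unknown-Author\n"
        "/* copied from an earlier project, author unknown */\n")
    put("data/table.bin", "\x00\x01")  # no comment syntax: use a sidecar
    put("data/table.bin.license",
        "SPDX-License-Identifier: LicenseRef-FIXME-Public-Domain-Compat\n")
    put("LICENSES/GPL-3.0-or-later.txt", "GNU GENERAL PUBLIC LICENSE ...\n")
    put("LICENSES/LicenseRef-FIXME-Unknown-Author.txt",
        "Copied from an earlier project; copyright holder not yet identified.\n")
    # Deliberately no LICENSES/LicenseRef-FIXME-Public-Domain-Compat.txt,
    # so the audit can show a FIXME tag whose background note is missing.
    return repo


if __name__ == "__main__":
    by_id, report = audit(build_demo_repo())
    for ident, info in sorted(report.items()):
        status = "note present" if info["has_note"] else "NO LICENSES/ note"
        print(f"{ident}: {status}")
        for path in info["files"]:
            print(f"    {path}")
    for path in by_id.get(None, []):
        print(f"untagged: {path}")
```

The two lookups mirror what the email says both audiences do: the LICENSES directory names the problems, and the per-file tags locate them. A missing `LICENSES/<id>.txt` for a FIXME identifier is exactly the kind of gap a real `reuse lint` run reports as an unlicensed reference, so the script treats it as a finding rather than silently accepting the tag.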