fair-software / howfairis

Command line tool to analyze a GitHub or GitLab repository's compliance with the fair-software.eu recommendations
https://pypi.org/project/howfairis/
Apache License 2.0

Support REUSE Specification #362

Open cmeessen opened 2 years ago

cmeessen commented 2 years ago

We have been applying the REUSE Specification to the Research Software Directory to indicate copyright and individual licenses on a per-file basis. Unfortunately, howfairis does not detect licenses when they are specified according to the REUSE specification and fails.

We were wondering whether it is planned to add support for the REUSE specification?

Details about the specification can be found on their webpage under Specification.

juhannc commented 2 months ago

I would also endorse supporting REUSE as it is a strong step towards clear licensing, something FAIR stands for. R1.1 says:

(Meta)data are released with a clear and accessible data usage license.

as well as

Software and its associated metadata have independent, clear and accessible usage licenses compatible with the software dependencies.

Both guidelines can be easily achieved using REUSE instead of having a single license file.

I can understand that checking for REUSE compliance is harder than just scanning for a single LICENSE file. But maybe it would be enough (for the beginning) to check for signs of REUSE, i.e., a LICENSES folder, a REUSE.toml, etc. In general it will probably be best to offload the actual compliance check to REUSE itself, either by using their web-based check or their CLI tool reuse lint.

fdiblen commented 1 month ago

Thank you both for your suggestions. After reviewing the specifications, I believe the best approach is to check the REUSE.toml file for support.

juhannc commented 1 month ago

I believe the best approach is to check the REUSE.toml file for support.

Unfortunately, you cannot just check for the REUSE.toml file, as it is optional according to the REUSE Spec:

Licensing Information MAY be associated with a file through a REUSE.toml file

A project can be fully licensed according to the REUSE spec with just the LICENSES/ folder and all license information in the file headers. Thus, you should at least also check for the LICENSES/ folder and possibly also the DEP5 file. Still, this only indicates that a project tries to be REUSE compliant, not that it actually is.

https://reuse.software/spec-3.2/

cmeessen commented 1 month ago

Great to see that this issue is being picked up.

I suggest to check the error code of reuse lint when running it in the root directory of the repository. If the error code is 0, the repository is reuse compliant.

juhannc commented 1 month ago

Yes, that would obviously be the best solution but would also require integrating reuse in this project. Calling reuse lint via a subprocess is not a very nice solution; it's not very pythonic and could create new security issues. Instead I think a minimal reimplementation of their CLI would probably be the best solution.
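As an added example (not code from howfairis or from the reuse tool), here is the kind of minimal, offline check the last few comments describe: it first looks for the signs juhannc lists (a LICENSES/ folder, REUSE.toml, .reuse/dep5) and then does the subset of what `reuse lint` verifies that needs no external tool, namely that every file carries an SPDX-License-Identifier header or a `<file>.license` sidecar and that every identifier in it has a matching text in LICENSES/. It assumes the header sits within the first 20 lines, does not handle parenthesised SPDX expressions, and only detects REUSE.toml and DEP5 without parsing them, so files those cover would show up as missing a header. The two repository trees are constructed fixtures, not real projects.

```python
"""Minimal, offline REUSE-style check (added example, not howfairis or reuse code)."""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass, field
from itertools import islice
from pathlib import Path

# The tag REUSE expects in a file header (or in a <file>.license sidecar).
# Parenthesised expressions are not handled (simplification).
_SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*)"
)
_OPERATORS = re.compile(r"\s+(?:AND|OR|WITH)\s+")   # SPDX expression operators
_HEADER_LINES = 20                                  # assumption: tag is near the top
_SKIP_DIRS = {".git", "LICENSES", ".reuse"}         # not licensed artefacts themselves
_SKIP_NAMES = {"REUSE.toml", "LICENSE", "COPYING"}  # license/config texts, not sources


@dataclass
class ReuseReport:
    has_licenses_dir: bool = False
    licenses: set[str] = field(default_factory=set)       # SPDX IDs found in LICENSES/
    has_reuse_toml: bool = False
    has_dep5: bool = False
    missing_header: list[str] = field(default_factory=list)   # files with no tag at all
    unknown_license: dict[str, str] = field(default_factory=dict)  # file -> expression

    @property
    def looks_like_reuse(self) -> bool:
        """Weak signal only: the repository *tries* to follow REUSE."""
        return self.has_licenses_dir or self.has_reuse_toml or self.has_dep5

    @property
    def compliant(self) -> bool:
        """Strict for the checked subset: every file is covered by a known license."""
        return self.has_licenses_dir and not self.missing_header and not self.unknown_license


def _spdx_expression(path: Path) -> str | None:
    """Return the SPDX expression from the first lines of `path`, if present."""
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        for line in islice(fh, _HEADER_LINES):
            m = _SPDX_RE.search(line)
            if m:
                return m.group(1)
    return None


def _license_ids(expr: str) -> set[str]:
    """'MIT AND GPL-2.0-or-later WITH X' -> the IDs that each need a text in LICENSES/."""
    return set(_OPERATORS.split(expr))


def check_reuse(repo: Path) -> ReuseReport:
    rep = ReuseReport()
    lic_dir = repo / "LICENSES"
    if lic_dir.is_dir():
        rep.has_licenses_dir = True
        rep.licenses = {p.stem for p in lic_dir.iterdir() if p.suffix == ".txt"}
    rep.has_reuse_toml = (repo / "REUSE.toml").is_file()
    rep.has_dep5 = (repo / ".reuse" / "dep5").is_file()

    for path in sorted(repo.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(repo)
        if rel.parts[0] in _SKIP_DIRS or path.name in _SKIP_NAMES or path.suffix == ".license":
            continue
        # The tag may be in the file itself or in a <name>.license sidecar (for binaries, data).
        expr = _spdx_expression(path)
        sidecar = path.with_name(path.name + ".license")
        if expr is None and sidecar.is_file():
            expr = _spdx_expression(sidecar)
        if expr is None:
            rep.missing_header.append(rel.as_posix())
        elif _license_ids(expr) - rep.licenses:
            rep.unknown_license[rel.as_posix()] = expr
    return rep


def build_sample_repo(root: Path, complete: bool) -> Path:
    """Constructed fixture: with complete=False, one file lacks a header and one
    references Apache-2.0 without a text in LICENSES/; complete=True fixes both."""
    (root / "LICENSES").mkdir(parents=True)
    (root / "LICENSES" / "MIT.txt").write_text("MIT License text (constructed)\n")
    (root / "LICENSES" / "CC0-1.0.txt").write_text("CC0 1.0 text (constructed)\n")
    (root / "src").mkdir()
    (root / "data").mkdir()
    (root / "src" / "a.py").write_text(
        "# SPDX-FileCopyrightText: 2024 Example Org\n# SPDX-License-Identifier: MIT\nprint('a')\n")
    (root / "data" / "x.csv").write_text("1,2,3\n")   # cannot carry a comment header
    (root / "data" / "x.csv.license").write_text(
        "SPDX-FileCopyrightText: 2024 Example Org\nSPDX-License-Identifier: CC0-1.0\n")
    (root / "src" / "b.py").write_text(
        "# SPDX-License-Identifier: MIT\nprint('b')\n" if complete else "print('b')\n")
    (root / "src" / "c.py").write_text("# SPDX-License-Identifier: Apache-2.0\nprint('c')\n")
    if complete:
        (root / "LICENSES" / "Apache-2.0.txt").write_text("Apache 2.0 text (constructed)\n")
    return root


def demo() -> tuple[ReuseReport, ReuseReport]:
    """Run the check over a broken and a fixed constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        broken = check_reuse(build_sample_repo(Path(tmp) / "broken", complete=False))
        fixed = check_reuse(build_sample_repo(Path(tmp) / "fixed", complete=True))
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("broken:", broken.looks_like_reuse, broken.compliant, broken.missing_header, broken.unknown_license)
    print("fixed:", fixed.looks_like_reuse, fixed.compliant)
```

The split between `looks_like_reuse` and `compliant` mirrors the distinction made above: the first is cheap and only says a project is attempting REUSE, the second is the part of the lint that can be reproduced in a few lines without shelling out. Anything beyond this subset (REUSE.toml and DEP5 semantics, ignored files, the full SPDX expression grammar) is exactly what would still have to come from `reuse lint` itself.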