search

fsfe / reuse-tool

reuse is a tool for compliance with the REUSE recommendations.
https://reuse.software
412 stars 150 forks source link

read existing SPDX files #182

Closed pspacek closed 2 years ago

pspacek commented 4 years ago

It would be useful if Reuse read and understood SPDX files in repo.

For example if we take minimal example from https://github.com/david-a-wheeler/spdx-tutorial and put it into a file root.spdx:

SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
PackageName: Foo
PackageOriginator: David A. Wheeler
PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/
PackageLicenseDeclared: MIT

This content should be understood as replacement for .reuse/dep5 which is not be supported by other tools in SPDX ecosystem.

Thank you for considering this.

mxmehl commented 3 years ago

Just found the time to think about this. I'd rather prefer the following:

  1. Implement REUSE.yml in some sort as a replacement for dep5
  2. Add a function for the REUSE helper tool to digest a SPDX file and apply it to a repository: addheader where it's possible, .license files where necessary.

This way, existing SPDX files that can be generated by FOSSology and other tools can be a great help to make a repo REUSE compliant with a few commands.

mxmehl commented 2 years ago

So REUSE won't consider SPDX SBOMs as a data source, but I just created #533 to add some documentation how to turn SPDX files into REUSE information.