fsfe / reuse-tool

reuse is a tool for compliance with the REUSE recommendations.
https://reuse.software

[Qs] Correct way to annotate patch files #237

Open amerlyq opened 4 years ago

amerlyq commented 4 years ago

Use case:

Repo directly stores .patch and .diff files alongside normal code: buildroot, crosstool-ng, etc. It's a mess to maintain proper SPDX for them.

Situation:

1) Patch files require a license according to reuse-tool (good).
2) Patches may already contain some sort of attribution (like mentioning the original author), and often the default license is inherited from the project (even though the author may allow a more permissive license).
3) Sometimes these patches are aggregations of multiple other patches by different people with different copyright and license terms.
4) Patches which add a whole new file may already contain SPDX notation inside of it -- resulting in a patch file which contains a single overall SPDX on top and a multitude of them inside.
5) FOSS community convention is to avoid modifying patches at all costs -- so you could temporarily copy a patch from a mailing list into your older repo while you wait for it to be merged into upstream master.
6) Adding and maintaining a separate .license file alongside such a patch seems like the most reasonable solution -- but again you must list multiple copyright/license terms inside of it. Even if you replace all licenses with the license of the targeted project, the issue with multiple authors remains.
7) As mentioned in (2) and (4), patches may already contain attribution and SPDX -- so creating a separate .license file is duplication of info, which creates significant maintenance overhead for a large number of patches.
8) Alternatively -- adding an SPDX header into the patch itself will overload the patch description with a not-so-useful and, moreover, hard-to-distinguish information block -- which will pollute the git history commit message when the patch is applied to the package upstream, instead of storing it as a file in e.g. buildroot.

So... what to do? I still want to add SPDX inside the patch itself, but the result is a total mess and less than satisfactory. Is there any recommended practice, or at least additional ideas to try?

carmenbianca commented 4 years ago

Hi @amerlyq. In fairness I'm not really sure what the best approach here is. The easiest solution, as you've observed, is the .license file. But you've also correctly observed that that would override/duplicate work.

Incidentally, I received a similar-ish question an hour ago. Not in terms of the exact contents, but in terms of theme: It's really hard to do REUSE right when you are downstream from someone.

@silverhook Do you have good thoughts on the licensing situation of patches? Do you have thoughts on how to best declare the licensing of patches?

floriansnow commented 1 year ago

@amerlyq Does support for snippets solve this? To me, it sounds like it might, because if a patch has licensing information inside, then every change could simply be a snippet, and if there isn't licensing information inside, then REUSE is correct to complain.