fsfe / reuse-tool

reuse is a tool for compliance with the REUSE recommendations.
https://reuse.software

`LicenseInfoInFile` shouldn’t be used with `.license` files #434

Open Jayman2000 opened 2 years ago

Jayman2000 commented 2 years ago

Consider this example:

Incorrect use of LicenseInfoInFile
├── ColemanCount.png
├── ColemanCount.png.license
└── LICENSES
    └── GPL-2.0-only.txt

Running reuse spdx from that directory gives me:

reuse.project - WARNING - could not find supported VCS
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Incorrect use of LicenseInfoInFile
DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-88c4b0af-dd4b-49a3-ab8e-fdb8e4f04218
Creator: Person: Anonymous ()
Creator: Organization: Anonymous ()
Creator: Tool: reuse-0.13.0
Created: 2021-11-05T18:41:42Z
CreatorComment: <text>This document was created automatically using available reuse information consistent with REUSE.</text>
Relationship: SPDXRef-DOCUMENT describes SPDXRef-98e7a4fdcc4abc0f5feca2b940754ebe

FileName: ./ColemanCount.png
SPDXID: SPDXRef-98e7a4fdcc4abc0f5feca2b940754ebe
FileChecksum: SHA1: ed4604842ea4015325b8c9eaa8a3487a52b022a1
LicenseConcluded: NOASSERTION
LicenseInfoInFile: GPL-2.0-only
FileCopyrightText: <text>SPDX-FileCopyrightText: 2007-2016 the OpenGFX team <https://wiki.openttd.org/en/Basesets/OpenGFX></text>

The SPDX Spec says

4.6 License Information in File

4.6.1 Purpose: This field contains the license information actually found in the file, if any. This information is most commonly found in the header of the file, although it may be in other areas of the actual file. Any license information not actually in the file, e.g., “COPYING.txt” file in a top level directory, should not be reflected in this field.

In the example I used, the license information isn’t in ColemanCount.png. It’s in a separate .license file.
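As an added illustration (example code written here, not the reuse tool's own implementation, and not a resolution of the field question this issue raises): a small Python script that builds SPDX 2.x file records and fills LicenseInfoInFile only from tags actually found inside the file, while a `.license` sidecar is reported in the separate LicenseComments field. The temporary project layout, the PNG bytes, the `count.py` file and its copyright line, the SPDXID derivation and the choice of LicenseComments for sidecar information are all assumptions of the example, not facts from the thread.

```python
"""Added example: strict LicenseInfoInFile handling for REUSE-style projects.

Not code from fsfe/reuse-tool. Assumptions: in-file license information is an
`SPDX-License-Identifier:` tag in the file's own text; sidecar information is a
`<name>.license` file next to it; sidecar licenses are reported in
LicenseComments (the example's own choice); SPDXID is derived from the path.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Tags in the form REUSE recommends for file headers and .license sidecars.
LICENSE_TAG = re.compile(r"SPDX-License-Identifier:[ \t]*(.+?)[ \t]*$", re.MULTILINE)
COPYRIGHT_TAG = re.compile(r"SPDX-FileCopyrightText:[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def tags_in(path: Path):
    """Return (license_ids, copyright_texts) written inside `path` itself.
    A file that is not valid UTF-8 text (the constructed PNG) yields nothing."""
    try:
        text = path.read_bytes().decode("utf-8")
    except UnicodeDecodeError:
        return [], []
    return LICENSE_TAG.findall(text), COPYRIGHT_TAG.findall(text)


def spdx_record(path: Path, root: Path) -> dict:
    """Build one SPDX 2.x file record for `path`.
    LicenseInfoInFile comes only from the file's own contents (SPDX 4.6.1);
    a sidecar's license goes to LicenseComments instead."""
    rel = path.relative_to(root).as_posix()
    data = path.read_bytes()
    in_file_lics, in_file_copy = tags_in(path)

    sidecar = path.with_name(path.name + ".license")
    side_lics, side_copy = tags_in(sidecar) if sidecar.is_file() else ([], [])

    record = {
        "FileName": "./" + rel,
        # Assumption: a stable ID derived from the relative path.
        "SPDXID": "SPDXRef-" + hashlib.sha256(rel.encode()).hexdigest()[:32],
        "FileChecksum": "SHA1: " + hashlib.sha1(data).hexdigest(),
        "LicenseConcluded": "NOASSERTION",
        # NONE means the file was inspected and carries no license info.
        "LicenseInfoInFile": in_file_lics or ["NONE"],
    }
    if side_lics:
        record["LicenseComments"] = (
            f"License information for this file is declared in {sidecar.name}, "
            f"not in the file itself: {', '.join(side_lics)}"
        )
    # The issue only questions LicenseInfoInFile, so copyright text is merged
    # from both sources, as the tool's output above does.
    record["FileCopyrightText"] = "\n".join(in_file_copy + side_copy) or "NOASSERTION"
    return record


def render(record: dict) -> str:
    """Serialize a record as SPDX tag-value lines."""
    lines = []
    for key, value in record.items():
        for v in (value if isinstance(value, list) else [value]):
            if key in ("FileCopyrightText", "LicenseComments"):
                v = f"<text>{v}</text>"
            lines.append(f"{key}: {v}")
    return "\n".join(lines)


def records_for(root: Path) -> list:
    """Records for every covered file, skipping sidecars and LICENSES/."""
    out = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix == ".license":
            continue
        if "LICENSES" in path.relative_to(root).parts:
            continue
        out.append(spdx_record(path, root))
    return out


def build_demo(root: Path) -> None:
    """Constructed project mirroring the issue: a PNG whose license lives only
    in a sidecar, plus a source file with an in-file header for contrast."""
    (root / "LICENSES").mkdir()
    (root / "LICENSES" / "GPL-2.0-only.txt").write_text("GPL-2.0-only text placeholder\n")
    (root / "ColemanCount.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(range(256)))
    (root / "ColemanCount.png.license").write_text(
        "SPDX-FileCopyrightText: 2007-2016 the OpenGFX team "
        "<https://wiki.openttd.org/en/Basesets/OpenGFX>\n"
        "SPDX-License-Identifier: GPL-2.0-only\n"
    )
    (root / "count.py").write_text(  # constructed file, not from the issue
        "# SPDX-FileCopyrightText: 2021 Example Contributor\n"
        "# SPDX-License-Identifier: MIT\n"
        "print('hello')\n"
    )


def demo() -> dict:
    """Run on a temporary copy of the constructed project; return records by FileName."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo(root)
        recs = records_for(root)
        for r in recs:
            print(render(r), end="\n\n")
        return {r["FileName"]: r for r in recs}


if __name__ == "__main__":
    demo()
```

Running it prints a record for `./ColemanCount.png` with `LicenseInfoInFile: NONE` and the GPL-2.0-only identifier only inside `LicenseComments`, while `./count.py`, whose header carries the tag, gets `LicenseInfoInFile: MIT`; the sidecar and the `LICENSES/` directory produce no records of their own.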

mxmehl commented 2 years ago

Oh, good spot. @silverhook what do you think? LicenseConcluded is also not really what we would aim for, right?

silverhook commented 2 years ago

LicenseConcluded is a good question – on one hand it is based on a tool finding, on the other the tool finding is what (arguably) the authors wrote themselves.

Personally, I am leaning more towards not using LicenseConcluded and a broader interpretation of LicenseInfoInFile, but that would make sense to check with other SPDX tooling experts on how they see it.

This would be easier with {$file}.license as it is very easy to match to {$file}, but when we store that same info in the .reuse/ folder it will get a bit more removed.

Let’s drive this by SPDX Tooling and, if needed, also by SPDX Legal.

seabass-labrax commented 2 years ago

I think this could be a reason to add a file-level LicenseDeclared field in SPDX 3.0. It could be useful for occasions such as these when it is clear that a license is intended to apply to a specific file, but is not declared within the file itself.

There are other cases apart from REUSE where this might come up - I can imagine someone writing in the README that a specific file is under a different license from the others. That said, the more people adopt REUSE, the less likely that particular situation will arise! :)

silverhook commented 2 years ago

@seabass-labrax , or the zlib license situation, with its “as license declared in file X”. In any case that sounds like what we’d need to discuss within SPDX.