Proposal: Allow REUSE compatible License Statements in License Policy

Agustin Benito (toscalix) abenito at kde.org
Tue Jan 7 16:50:36 GMT 2020


Hello,

On Mon, Jan 6, 2020 at 10:43 PM Cornelius Schumacher <schumacher at kde.org> wrote:
>
> On Sunday, 5 January 2020 16:40:20 CET Andreas Cord-Landwehr wrote:
> > Hi, I want to propose to allow SPDX-based [5] and REUSE.software [1]
> > compatible license statements as a new option in our KDE licensing policy.
>
> This is great. Thanks for working on this. Very nicely done.
>
> > Here is my policy update proposal:
> > * Proposal:
> > https://community.kde.org/Policies/Licensing_Policy/Draft_SPDX_v2 * Diff to
> > current policy: https://community.kde.org/index.php?
> > title=Policies%2FLicensing_Policy%2FDraft_SPDX_v2&type=revision&diff=87138&o
> > ldid=87134

<snip>

> It would also be nice to have examples for license headers which don't use the
> full text of the headers but only the SPDX identifiers as specified by REUSE.
> This is the more concise version and I think the one we would like to settle
> on longer term. So it would be good to have explicit examples which show how
> this will look like. That could be a later step, though.

On a side note...

One of the hidden gems of adopting REUSE/SPDX is to be able to split
what today we call "software license compliance" into two different
activities (the names are not standardised):

* Conformance: is the right license/copyright information present? Is
it in the right format, in the right place? Does it meet the
project/organization policy? etc.
* License clearance: is the license correct? How is the license
affected by the dependencies? Are the license clauses being violated?
Is license A compatible with license B? etc.

The conformance step can be easily adopted in CI/CD pipelines through
simple checks (tests), prior to the code review process, for instance,
helping to educate developers about licenses and copyrights
through immediate feedback against well-defined policies, instead of
waiting for complete scans to finish and for the sometimes complex
reports and result reviews done by experts.

This split turns Conformance into a 100% engineering activity which
helps to partially prevent license compliance engineers and
lawyers/experts from becoming bottlenecks. It reduces costs, especially
in big projects. This is true not just for upstream projects but also
for integrators and distributors, like distros, no matter if they are
package based (.deb or .rpm, for instance) or declarative (Yocto,
BuildStream, for instance). So by adopting REUSE/SPDX we would be
helping downstream projects to adopt our software, not just ourselves.

I sometimes explain this side effect making an analogy with unit tests
and integration tests.

>
> --
> Cornelius Schumacher <schumacher at kde.org>
>
>

Agustin Benito (toscalix)
KDE eV member
Profile: http://www.toscalix.com
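The kind of CI "conformance" check described in the message above, as an added example that is not part of the original thread and not KDE's or the REUSE project's own tooling: it scans files for `SPDX-FileCopyrightText:` and `SPDX-License-Identifier:` tags, checks that both are present within the first lines of the file, that every identifier in the license expression is on a policy allowlist, and that the copyright line carries a year. The allowlist, the ten-line header window, and the sample files are assumptions made up for the illustration, not KDE's actual policy.

```python
"""Toy REUSE/SPDX header conformance gate for a CI pipeline (illustration only)."""
import re

# Policy assumed for this illustration; NOT KDE's actual licensing policy.
ALLOWED_LICENSES = {
    "GPL-2.0-or-later", "LGPL-2.1-or-later", "LGPL-3.0-only",
    "BSD-2-Clause", "BSD-3-Clause", "MIT", "CC0-1.0",
}
ALLOWED_EXCEPTIONS = {"LLVM-exception"}
HEADER_WINDOW = 10          # assumed: tags must sit in the first N lines

TAG_RE = re.compile(r"SPDX-(FileCopyrightText|License-Identifier):\s*(.*?)\s*$")
OPERATORS = {"AND", "OR", "WITH"}
YEAR_RE = re.compile(r"\b(19|20)\d{2}\b")


def find_tags(text):
    """Return [(line_no, tag, value)] for every SPDX tag in the file text."""
    tags = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = TAG_RE.search(line)
        if m:
            tags.append((n, m.group(1), m.group(2)))
    return tags


def expression_ids(expr):
    """Split an SPDX expression into bare identifiers, dropping operators/parens.
    '(MIT AND BSD-2-Clause) WITH LLVM-exception' -> ['MIT', 'BSD-2-Clause', 'LLVM-exception']
    """
    return [t for t in re.split(r"[\s()]+", expr) if t and t not in OPERATORS]


def check_file(text):
    """Return the conformance findings for one file; an empty list means it conforms."""
    findings = []
    tags = find_tags(text)
    licenses = [(n, v) for n, tag, v in tags if tag == "License-Identifier"]
    copyrights = [(n, v) for n, tag, v in tags if tag == "FileCopyrightText"]

    if not licenses:
        findings.append("missing SPDX-License-Identifier")
    if not copyrights:
        findings.append("missing SPDX-FileCopyrightText")

    # Right place: tags that exist but sit below the header window.
    for n, _ in licenses + copyrights:
        if n > HEADER_WINDOW:
            findings.append(f"SPDX tag at line {n} is outside the first {HEADER_WINDOW} lines")

    # Policy: every identifier in the expression must be on the allowlist.
    for _, expr in licenses:
        for ident in expression_ids(expr):
            if ident not in ALLOWED_LICENSES | ALLOWED_EXCEPTIONS:
                findings.append(f"license identifier {ident!r} not allowed by policy")

    # Right format: a copyright statement should carry a year.
    for _, holder in copyrights:
        if not YEAR_RE.search(holder):
            findings.append(f"copyright line lacks a year: {holder!r}")
    return findings


def check_tree(files):
    """files: {path: contents}. Returns {path: findings} for non-conforming files only."""
    report = {path: check_file(text) for path, text in files.items()}
    return {path: f for path, f in report.items() if f}


# Constructed sample tree for the demo (not real KDE files).
SAMPLE_FILES = {
    "src/good.cpp": (
        "// SPDX-FileCopyrightText: 2020 Jane Doe <jane@example.org>\n"
        "// SPDX-License-Identifier: GPL-2.0-or-later OR LGPL-3.0-only\n"
        "#include <iostream>\n"
    ),
    "src/nolicense.py": (
        "# SPDX-FileCopyrightText: 2019 John Doe\n"
        "import os\n"
    ),
    "src/badlicense.h": (
        "// SPDX-FileCopyrightText: 2020 Jane Doe\n"
        "// SPDX-License-Identifier: WTFPL\n"
    ),
    "src/late.cpp": (
        "/* big banner */\n" * 12
        + "// SPDX-FileCopyrightText: Jane Doe\n"
        + "// SPDX-License-Identifier: MIT\n"
    ),
}

if __name__ == "__main__":
    for path, findings in check_tree(SAMPLE_FILES).items():
        for finding in findings:
            print(f"{path}: {finding}")
```

A gate like this runs in seconds on every merge request and needs no lawyer in the loop: it only answers "is the required information present, in the right place, in the policy's vocabulary?", which is exactly the conformance half of the split. Whether MIT and LGPL-3.0-only can actually be combined in a given binary is the clearance half and stays with the experts. The REUSE project ships its own `reuse lint` command for the standardised checks; the point of the toy above is that project-specific policy (the allowlist) can be enforced in the same cheap, engineering-only way.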


