Integrate REUSE standard #1592

Open
NicolasToussaint opened this issue Jan 30, 2020 · 8 comments

@NicolasToussaint
Member

Description

REUSE (https://reuse.software/) proposes a way to standardize the way licence and copyright information is stored within a project's source code.

For example, it expects

  • all text files to include SPDX copyright & licences identifiers,
  • binary files to be accompanied by a foo.jpg.license file
  • all licence texts to be available under a folder LICENSES

The project provides a simple Python tool that validates that the project is REUSE compliant and, if not, points to the files for which some information is missing.

Steps followed and expected result

Fossology could:

  1. (easy) perform this check and
    • indicate if an upload is REUSE compliant or not
    • point to the files that need fixing
  2. (not so easy) Given the licensing and copyright information gathered thanks to the clearing process, add the required files to the project. (maybe propose to download a copy of the source code in which this data has been injected?)
@silverhook
Member

silverhook commented Feb 20, 2020

@NicolasToussaint, I would say the new Ojo agent addresses this. Did you give it a try already? If so, please either close this issue or provide further info on how to improve Ojo.

https://fossology.github.io/ojo.html

@NicolasToussaint
Member Author

Hi @silverhook,

I guess Ojo provides part of the solution, but I think that some aspects of the REUSE specifications are not addressed.

  1. detecting the files like foo.jpg.license
  2. handling the dep5 file
  3. Verifying that the required license texts are present in the LICENSES folder

I suppose that Ojo could be enhanced to fill the missing items.

Maybe @mxmehl can help identify what else is missing to fully support the REUSE specifications?

An extra option would be to display that a project is fully REUSE compliant (though I have no idea where).

@silverhook
Member

silverhook commented Feb 20, 2020

> An extra option would be to display that a project is fully REUSE compliant (though I have no idea where).

I’m not sure FOSSology would be the right place for this. There are already external tools (e.g. reuse itself) and CI integrations that do that well.

Regarding the *.license files, I agree with you. I’m not a coder, but I imagine matching the license/© info from the {file}.license file with the {file} should be very doable.

Pulling in also @carmenbianca

@carmenbianca
Contributor

I'm fairly certain that confirming REUSE compliance is out of the scope of FOSSology. The following things seem in-scope, however:

  • Detecting the SPDX tags recommended by REUSE (SPDX-License-Identifier, SPDX-FileCopyrightText).
  • Detecting .license files.
  • Detecting the LICENSES/ directory.
  • Parsing .reuse/dep5, possibly.
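
The detection items discussed in this thread (SPDX tags, `foo.jpg.license` sidecar files, licence texts under `LICENSES/`), as an added example that is not part of the original thread and is neither FOSSology's nor the REUSE tool's code. The function names, the 4 KiB scan window, the `LICENSES/<identifier>.<extension>` layout and the sample tree are assumptions of this example; `.reuse/dep5` is not parsed.

```python
import re
import tempfile
from pathlib import Path

# Tag names come from the thread; the patterns and the 4 KiB window are this example's assumptions.
LICENSE_TAG = re.compile(r"SPDX-License-Identifier:\s*(.+)")
COPYRIGHT_TAG = re.compile(r"SPDX-FileCopyrightText:\s*(.+)")
LICENSE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9.+-]*")
SKIPPED_DIRS = {"LICENSES", ".reuse", ".git"}  # .reuse/dep5 is not parsed here

def read_tags(path):
    """Return (license expressions, copyright statements) found at the top of a file."""
    with path.open("rb") as handle:
        head = handle.read(4096).decode("utf-8", errors="replace")
    return LICENSE_TAG.findall(head), COPYRIGHT_TAG.findall(head)

def check_tree(root):
    """Report files lacking tags and ids with no LICENSES/<id>.<ext> text (assumed layout)."""
    root = Path(root)
    missing, used = [], set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if rel.parts[0] in SKIPPED_DIRS or path.name.endswith(".license"):
            continue
        # A foo.jpg.license sidecar, when present, carries the tags for foo.jpg.
        sidecar = path.with_name(path.name + ".license")
        licenses, copyrights = read_tags(sidecar if sidecar.is_file() else path)
        if not licenses or not copyrights:
            missing.append(rel.as_posix())
        for expression in licenses:
            used.update(t for t in LICENSE_ID.findall(expression) if t not in {"AND", "OR", "WITH"})
    texts = {p.stem for p in (root / "LICENSES").glob("*") if p.is_file()}
    return {"files_missing_info": missing, "license_texts_missing": sorted(used - texts)}

def build_sample(root):
    """Constructed sample upload: a tagged source file, an image with a sidecar, an untagged file."""
    root = Path(root)
    who = "SPDX-FileCopyrightText: 2020 Example Author\n"
    (root / "LICENSES").mkdir()
    (root / "LICENSES" / "MIT.txt").write_text("placeholder for the MIT licence text\n")
    (root / "main.c").write_text("/* " + who + " * SPDX-License-Identifier: MIT OR Apache-2.0 */\n")
    (root / "foo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (root / "foo.jpg.license").write_text(who + "SPDX-License-Identifier: CC0-1.0\n")
    (root / "notes.txt").write_text("no SPDX tags in this file\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(check_tree(tmp))
```

On the constructed tree, `foo.jpg` counts as covered only because its sidecar is read; a scanner that ignores `*.license` files would report the image as lacking licence information.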

@NicolasToussaint
Member Author

I agree that displaying the REUSE conformance inside Fossology is not the ultimate goal - I just saw that as a cheap and nice bonus.

If the first 3 points you mention are handled (not sure the dep5 is worth the work either), all REUSE conformant uploads will turn green anyway, and that's what we're after.

@mxmehl

mxmehl commented Feb 21, 2020

For the record, I agree to the list brought forward by @carmenbianca.

I'm not sure whether the check of REUSE conformance inside FOSSology makes sense as the REUSE helper tool is more or less the safest, most up-to-date technique (with the specification) to confirm this. If we ever changed bits of the specification, we would also have to update FOSSology accordingly.

@NicolasToussaint
Member Author

NicolasToussaint commented Apr 27, 2022

Recap on this Issue:

@silverhook
Member

This issue (esp. the {$file}.license being ignored) popped up again at the FOSDEM Tooling Fringe event.
