REUSE for package license linting
- Date proposed: 2025-03-11
- RFC MR: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/0052
Summary
Utilize REUSE for package license linting for all package sources.
Motivation
While Arch Linux package sources have an explicit license through RFC40, externally fetched sources used for packaging are not explicitly marked with a license.
REUSE is a specification from the Free Software Foundation Europe (FSFE) that allows downstream projects to clearly map copyright and license information to sources in package repositories.
Specification
This RFC is written with REUSE 3.3 in mind.
To ensure that REUSE can recognize license and copyright information we have to add semantic annotations to our package sources.
We can pick either in-line comments or a REUSE.toml file.
As per the specification, all files that are capable of supporting comments should have the SPDX-FileCopyrightText and SPDX-License-Identifier tags at the start of the file, with the values Arch Linux contributors and 0BSD respectively.
This is to ensure a tighter association between the license and copyright terms and the appropriate source code.
Example:
# SPDX-FileCopyrightText: Arch Linux contributors
# SPDX-License-Identifier: 0BSD
Files that can’t be annotated with comments can be covered through the use of a REUSE.toml file.
Example including some auxiliary files:
version = 1
[[annotations]]
path = [
"PKGBUILD",
".SRCINFO",
".nvchecker.toml",
"*.install",
"keys/**",
"*.sysusers",
"*.tmpfiles"
]
SPDX-FileCopyrightText = "Arch Linux contributors"
SPDX-License-Identifier = "0BSD"
As another example, the usd package contains several patches that belong to the upstream sources.
A separate section should be added to describe these files.
[[annotations]]
path = [
"usd-defaultfonts.patch",
"usd-embree42.patch",
"usd-find-dependency-OpenGL.patch",
"usd-tbb.patch"
]
SPDX-License-Identifier = "Apache-2.0"
SPDX-FileCopyrightText = "Copyright 2016 Pixar"
The SPDX identifiers at the top of the file can be omitted in favour of the REUSE.toml file at the maintainer's discretion.
Licenses need to be downloaded to the LICENSES/ directory.
This can be automated through reuse download.
Linting for compliance with REUSE can be done through the reuse lint tool.
Drawbacks
Compliance with REUSE can take a bit of time as it can’t be fully automated.
Unresolved Questions
None.
Alternatives Considered
Using a single license for all files is an alternative that would cause difficult problems. For example, some auxiliary files might be provided by third parties under a different license than the rest of the package sources. Patches would be harder to upstream.
Another alternative might be to eschew automated tooling. Instead, per-file license headers or prose describing per-file licenses in e.g. README.md might be used to keep it simple. This approach has several drawbacks: First, some files like binaries cannot contain easy-to-read license headers. Second, prose descriptions cannot be parsed by tooling, making it harder to work with package sources inside Arch and across the wider Arch ecosystem. For example, it would be almost impossible to search for unlicensed files across package sources. Third, adding license header comments manually is error-prone and easy to forget.