-
Notifications
You must be signed in to change notification settings - Fork 153
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
License entry from dep5 file not respected for some files #229
Comments
Ah, the latest version of reuse (0.10.0) has an outdated SPDX license list shipped with it. I'll release a 0.10.1 that has an updated license list. |
Thanks, I thought something like that, but why does it matter in this case? If I put a directory under a fixed license via |
The tool also verifies whether the used licenses are valid. This is handy to prevent accidents such as |
Well, I agree it makes sense to verify that the |
Uploaded https://pypi.org/project/reuse/0.10.1/, only change is an updated license list :)
Ahh, I think I get it. It doesn't actually ignore the files when dep5 is used—it draws from both sources. This is a little clunky admittedly. I vaguely remember discussing this design decision with someone. I'd love to figure out a way to make that less clunky. |
Thanks for the quick fix! But I still get:
So, looks like the
Indeed it is 😉 But thanks for being open about it! |
Oh, it has the tag inside of the license file itself. I don't have a quick fix for that immediately. Normally the license would be in LICENSES/, which is completely ignored. And the tool kind of explicitly doesn't have an "ignore" mechanism because that would undermine its purpose. This really shouldn't cause problems, but it makes the tool super ill-fitted for programs that focus on compliance. To make the tool compliant with itself, I've had to do a little bit of hackery. The simple workaround is to create a Other solutions require this program to be amended:
The most low-effort of these is to add a work-around for this very specific issue: If the file name is @mxmehl Do you have thoughts on this issue? Context: ORT ships a directory with all SPDX licenses. One of the SPDX licenses contains |
That makes sense, and I agree there shouldn't be an explicit ignore mechanism. But I still believe |
Correct. |
@mxmehl, did you have a chance to discuss this with @carmenbianca? |
Sorry, Github's new notification system still confuses me sometimes... For this specific case, I quite like the idea of the dep5 file overriding file content. However, in the general design, I usually prefer that the closer a definition is to the file, the more weight it should have. However, as we can see in this case, file content can be ambiguous and misleading, so I would suggest the following order: .license > dep5 > file content. My rationale: the .license file is closer to the file, and is completely under REUSE's control, so there should be no misleading content. The dep5 file would be the next possibility to define overrides. However, it's not logical in the sense that this would not be a preference chain nearest -> farthest or the other way round, so I'm split here. |
Yeah, I hate it, too 😉
I believe it is consistent if you only look at the "scope" of the overrides, leaving the file itself out of the chain: A broader override ( |
I've had scarce little time to do REUSE things past week. I'll look into this really soon. |
These licenses contain SPDX tags referring to themselves. This causes issues in <fsfe#229>. Ignoring them is a workaround. Signed-off-by: Carmen Bianca Bakker <[email protected]>
These licenses contain SPDX tags referring to themselves. This causes issues in <fsfe#229>. Ignoring them is a workaround. Signed-off-by: Carmen Bianca Bakker <[email protected]>
Released 0.11.0 that should be a stopgap solution until I can implement the proper order of precedence as suggested above. |
Thanks, version 0.11.0 worked for me! |
We have another incarnation of the issue with the |
@sschuberth Sorry for the super late response. Released v0.11.1 with a workaround. I'm a little scarce on time. |
Thanks @carmenbianca, one again your patched version 0.11.1 worked. |
However, I just realized the REUSE web site itself seems to use an older version than 0.11.1 as ORT is marked as not compliant there 😭 |
@mxmehl ? Also I'll be able to review a lot of the open issues in a few weeks or so. I am currently in the process of writing my thesis, so that's eating into a lot of my time. |
Sorry, the API server had to be updated to use the latest reuse tool version which I forgot after the 0.11.1 release. Looks good now ;) |
Thanks! You might want to keep this issue open, though, because the 0.11.1 release only contains a work-around for the real issue AFAIU. |
I ran into a variant of this in #253 (sorry, I see several loosely related issues around this topic so am somewhat repeating myself). ISTM the order of matching should be .license, if present ; imbedded in file, if present and parseable; and matched by dep5, if neither of the above. A tricky situation is if there's a wildcard in dep5 which captures a file that has its own license information. Generally you would want to use the information in the file but there might be cases where dep5 should override. Rather than invent a syntax for that and complexify things further, ISTM that so long as this situation is rare, the recommendation should be to add a .license file when an override of the file's own licensing information is required. |
I'll close this in favour of fsfe/reuse-docs#70 where we work on defining the precendence of REUSE information. As the spec changes, it will be worked in the helper tool at the same time. |
Our automated
reuse lint
check fails for this PR although all files in that directory are set to have a different license.Still,
reuse
only complains aboutCAL-1.0
andCAL-1.0-Combined-Work-Exception
.Any idea why that is?
The text was updated successfully, but these errors were encountered: