Guidelines and HOWTOs/Licensing: Difference between revisions
(Improve phrasing of the introduction) |
No edit summary |
||
Line 111: | Line 111: | ||
* download : Download the specified license into the LICENSES/ directory. | * download : Download the specified license into the LICENSES/ directory. | ||
* lint : Verify the project for REUSE compliance. | * lint : Verify the project for REUSE compliance. | ||
== Frequently Asked Questions == | |||
=== Shall I add a COPYING or COPYING.LIB file to my repository? === | |||
No. Those files shall be replaced completely by files with a standardized naming and canonical license texts in the <code>LICENSES/</code> subfolder of your repository. All files in that folder shall follow the REUSE specification. | |||
[https://phabricator.kde.org/T12730 Discussion took place here.] |
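Review bot: the closing link of the new FAQ answer is labelled only "Discussion took place here.", which says nothing about the target once the URL is stripped or the page is printed; name it in the link text, for example "Discussion: Phabricator task T12730". The answer also states that COPYING and COPYING.LIB "shall be replaced completely" without saying how to do that; a pointer to the download and lint options listed directly above the new section would make the entry actionable.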
Revision as of 07:59, 17 August 2020
This document explains how to state license information in KDE projects according to the KDE Licensing Policy. Stating licenses correctly is a very important task, because only correctly licensed software can be distributed and delivered to our users.
Introduction
Every source code file shall contain information about its license to inform the user of the file how it may be used. Such information is usually added in the form of source code comments at the top of the file. Traditionally, those comments were formulated as so-called "license headers", which are either the complete license texts or short texts that explain where to find the license text for the file along with some legal constraints. Nowadays, this system is being replaced by "SPDX Expressions", which should become the default way to state a license (see REUSE.software).
REUSE.software
REUSE.software is an initiative by the Free Software Foundation Europe (FSFE), which provides recommendations to make licensing easier. Their guidelines describe how to use SPDX identifiers to simplify license statements in source files. When following their recommendations, the correct statement of license information can be tested by the "reuse" Python tool, which checks the syntactical correctness of the license statements and the overall conformance with the REUSE specification:
SPDX Identifiers and Expressions
Software Package Data Exchange® (SPDX) is an open standard for communicating software bill of material information. The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The idea is to have a public registry of all open source licenses and important license exceptions, such that license statements can be reduced to simply stating short license identifiers.
Complex Expressions
Not all source code is licensed under just one license. For example, you might want to state that a file can be used under the terms of the BSD-2-Clause license or under the terms of the GNU Public License version 2 or later. For these cases, the SPDX workgroup also provides a specification for how to state complex license statements (which we call "SPDX expressions"). The SPDX expression language also allows tooling-based syntax checks, which enables us to use tools to check the correctness of license statements.
For SPDX expressions that do not only consist of one SPDX identifier, the following keywords can be used (for details, see SPDX specification):
- OR
- AND
- WITH
The precedence of these operators follows the order listed above (cf. SPDX Specification, Appendix IV): an operator later in the list binds more tightly and is applied before the operators listed earlier. For example, in GPL-3.0-only OR LGPL-2.1-only WITH Qt-LGPL-exception-1.1 the Qt-LGPL-exception-1.1 applies only when using the code under the LGPL-2.1 license.
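The precedence rule can be made concrete with a small recursive-descent parser. This is an added example, not part of the KDE page or of the reuse tool; the function name parse_spdx and the tuple layout of the result are assumptions made for illustration.

```python
import re

IDENT = re.compile(r"[A-Za-z0-9.-]+\+?")   # license, exception or LicenseRef-* id
OPERATORS = ("OR", "AND", "WITH")          # loosest to tightest binding

def parse_spdx(expression):
    """Return a nested tuple tree for an SPDX expression, honouring precedence."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos == len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def identifier():
        tok = take()
        if tok in OPERATORS or not IDENT.fullmatch(tok):
            raise ValueError(f"not a valid identifier: {tok!r}")
        return tok

    def atom():
        if peek() == "(":
            take()
            node = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        node = identifier()
        if peek() == "WITH":               # exception attaches to this license only
            take()
            node = ("WITH", node, identifier())
        return node

    def chain(op, operand):                # left-associative run of one operator
        def rule():
            node = operand()
            while peek() == op:
                take()
                node = (op, node, operand())
            return node
        return rule

    or_expr = chain("OR", chain("AND", atom))
    tree = or_expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token: {tokens[pos]!r}")
    return tree
```

Operators must be separated from identifiers by spaces; a string such as LGPL-2.1-only_WITH_Qt-LGPL-exception-1.1 is read as one malformed identifier and rejected.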
SPDX Expression Examples
A REUSE-compliant license statement always first states the copyright holders and then specifies the license or licenses under which the source code can be used. The following example states that both Jane Doe and John Doe hold copyrights of the source code and that it can be used under the Lesser GNU Public License version 2.1 or any later version of this license:
/*
 * SPDX-FileCopyrightText: 2019 Jane Doe <[email protected]>
 * SPDX-FileCopyrightText: © 2019 John Doe <[email protected]>
 *
 * SPDX-License-Identifier: LGPL-2.1-or-later
 */
License Statements
We follow the recommendations from reuse.software on how to state license and copyright information. You can use the following template and fill it with the missing information:
/*
 * SPDX-FileCopyrightText: <year> <name> <contact-address>
 * SPDX-FileCopyrightText: <year> <name> <contact-address>
 * ...
 *
 * SPDX-License-Identifier: <SPDX-expression>
 */
SPDX-FileCopyrightText or Copyright Statement
A copyright statement shall always contain the name of the copyright holder, the year of publication and a contact address. Any of the following examples is correct:
Copyright 2016, 2018-2019 Joe Anybody <[email protected]>
Copyright (c) Alice Coder
SPDX-FileCopyrightText: 2019 Jane Doe <[email protected]>
SPDX-FileCopyrightText: © 2019 John Doe <[email protected]>
© Example Corporation <https://corp.example.com>
For copyright statements, please use the following checklist:
- Prefer "Copyright" or "SPDX-FileCopyrightText:" to state the copyright holders.
- State the copyright information in the order: year, name, contact address.
- Any contact address should be stated in angle brackets.
- The year of publication can be a single year, multiple years, or a span of years.
SPDX-License-Identifier Statement
The SPDX-License-Identifier tag must be followed by a valid SPDX License Expression.
Here are several example statements from the KDE project. For the list of all allowed licenses in the KDE project, please see the KDE Licensing Policy:
SPDX-License-Identifier: LGPL-2.1-or-later
SPDX-License-Identifier: LGPL-2.1-only OR LGPL-3.0-only OR LicenseRef-KDE-Accepted-LGPL
SPDX-License-Identifier: LGPL-2.1-only WITH Qt-LGPL-exception-1.1
SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
SPDX-License-Identifier: GPL-2.0-or-later
SPDX-License-Identifier: GPL-3.0-or-later
SPDX-License-Identifier: MIT
SPDX-License-Identifier: BSD-2-Clause
License Texts
Each repository shall contain a folder LICENSES/ in the root of the repository. In this folder, there shall be a license file for all (and only for those!) SPDX Identifiers that are used inside the project. The license file must be in plain text and state the license text.
For all SPDX identifiers and exception identifiers that are listed in the SPDX registry, use the reuse tool (https://github.com/fsfe/reuse-tool) to download the correct license text with:
reuse download <IDENTIFIER>
For example, in order to download the "LGPL-2.1-or-later" license file use the command reuse download LGPL-2.1-or-later, which places the file into the LICENSES/ folder of your project.
All SPDX identifiers that start with "LicenseRef-" are custom identifiers (cf. SPDX Specification, Section 6), which are not listed in the SPDX registry. The correct license file contents for
- LicenseRef-KDE-Accepted-LGPL
- LicenseRef-KDE-Accepted-GPL
are listed in the KDE Licensing Policy.
For details, check REUSE.software specification, Section "License Files".
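The "all (and only for those!)" rule for LICENSES/ can be checked mechanically. The following sketch is an added example, not KDE's or the reuse tool's code; it assumes the REUSE naming LICENSES/<identifier>.txt, and the function names and the sample repository are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

TAG = re.compile(r"SPDX-License-Identifier:\s*(.+)")
WORD = re.compile(r"[A-Za-z0-9][A-Za-z0-9.+-]*")   # skips comment debris like */
OPERATORS = {"OR", "AND", "WITH"}

def used_identifiers(root):
    """Collect every license and exception identifier named in SPDX tags."""
    found = set()
    for path in root.rglob("*"):
        if not path.is_file() or "LICENSES" in path.relative_to(root).parts:
            continue
        for line in path.read_text(errors="ignore").splitlines():
            match = TAG.search(line)
            if match:
                words = WORD.findall(match.group(1))
                found.update(w for w in words if w not in OPERATORS)
    return found

def check_licenses_dir(root):
    """Return (missing, unused) identifiers relative to LICENSES/."""
    used = used_identifiers(root)
    # Assumption: license texts are stored as LICENSES/<identifier>.txt
    present = {p.stem for p in (root / "LICENSES").glob("*.txt")}
    return sorted(used - present), sorted(present - used)

def demo():
    """Build a constructed sample repository and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "LICENSES").mkdir()
        (root / "src" / "a.cpp").write_text(
            "/*\n * SPDX-License-Identifier: LGPL-2.1-only WITH Qt-LGPL-exception-1.1\n */\n")
        (root / "src" / "b.cpp").write_text(
            "// SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only"
            " OR LicenseRef-KDE-Accepted-GPL\n")
        for name in ("LGPL-2.1-only", "GPL-2.0-only", "GPL-3.0-only",
                     "LicenseRef-KDE-Accepted-GPL", "MIT"):
            (root / "LICENSES" / f"{name}.txt").write_text("license text placeholder\n")
        return check_licenses_dir(root)

if __name__ == "__main__":
    print(demo())
```

In the sample repository the exception text is missing although an expression uses it, and MIT.txt is present although no file refers to it; both violate the rule.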
License Tooling
As we follow the reuse.software specification, we can use their compliance tool to check the correctness of license statements. The tool is available via https://github.com/fsfe/reuse-tool or can simply be installed via pip:
pip3 install reuse
For details, see the README.md file. The most important options are:
- download : Download the specified license into the LICENSES/ directory.
- lint : Verify the project for REUSE compliance.
Frequently Asked Questions
Shall I add a COPYING or COPYING.LIB file to my repository?
No. Those files shall be replaced completely by files with a standardized naming and canonical license texts in the LICENSES/ subfolder of your repository. All files in that folder shall follow the REUSE specification.
Discussion took place here: https://phabricator.kde.org/T12730