Guidelines and HOWTOs/Licensing: Difference between revisions

From KDE Community Wiki
(reorganize introduction)
Line 1: Line 1:
This document explains how to state license information in KDE projects according to the [[Policies/Licensing_Policy|KDE Licensing Policy]]. Stating licenses correctly is a very important task, because only correctly licensed software can be distributed and delivered to our users.
This document explains how to state license information in KDE projects according to the [[Policies/Licensing_Policy|KDE Licensing Policy]]. Stating licenses correctly is a very important task, because only correctly licensed software can be distributed and delivered to our users.


== SPDX Expressions and REUSE.software ==
== Introduction ==
Every source code file shall contain an information about its license to inform the user of the file how it may be used. Such information are usually added in the form of source code comments at the top of the file. Traditionally, those comments stated so-called license headers, which are either the complete license texts or short texts that explain where to find the license text for the file and a few legal constraints. This system currently is getting replaced with "SPDX Expressions", which also should be the default way to state a license.
Every source code file shall contain an information about its license to inform the user of the file how it may be used. Such information are usually added in the form of source code comments at the top of the file. Traditionally, those comments stated so-called license headers, which are either the complete license texts or short texts that explain where to find the license text for the file and a few legal constraints. This system currently is getting replaced with "SPDX Expressions", which also should be the default way to state a license.


=== Introduction to SPDX Identifiers and Expressions ===
=== SPDX Identifiers and Expressions ===
[https://spdx.org/ Software Package Data Exchange® (SPDX)] is an open standard for communicating software bill of material information. The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The idea is to have a public registry of all open source licenses and important license exceptions, such that license statements can be reduced to simply stating the license identifiers.
[https://spdx.org/ Software Package Data Exchange® (SPDX)] is an open standard for communicating software bill of material information. The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The idea is to have a public registry of all open source licenses and important license exceptions, such that license statements can be reduced to simply stating the license identifiers.


Line 10: Line 10:
* https://spdx.org/licenses/exceptions-index.html
* https://spdx.org/licenses/exceptions-index.html


Yet, not every source code is licensed under just one license. For example, you might want to state that a file can be used under the terms for the BSD-2-Clause license or under the terms of the GNU Public License version 2 or later. For these cases, the SPDX workgroup also provides a specification how state complex license statements (which we call "SPDX expressions"). The SPDX expression language actually allow tooling based syntax checks, which enables us to use tools to check the correctness of license statements.
==== Complex Expressions ====
Not every source code is licensed under just one license. For example, you might want to state that a file can be used under the terms for the BSD-2-Clause license or under the terms of the GNU Public License version 2 or later. For these cases, the SPDX workgroup also provides a specification how state complex license statements (which we call "SPDX expressions"). The SPDX expression language actually allows tooling based syntax checks, which enables us to use tools to check the correctness of license statements.


* https://spdx.org/specifications
* https://spdx.org/specifications


==== SPDX Expression Examples ====
For SPDX expressions that do not only consist of one SPDX identifier, the following keywords can be used (for details, see [https://spdx.org/specifications SPDX specification]):
 
# OR
# AND
# WITH
 
The preference order of these operators is as stated above (cf. SPDX Specification, Appendix IV), where a lower order operator is applied before a higher order operator. For example, for <code>GPL-3.0-only OR LGPL-2.1-only_WITH_Qt-LGPL-exception-1.1</code> the Qt-LGPL-exception-1.1 applies only when using the code under the LGPL-2.1 license.
 
=== REUSE.software ===
[https://reuse.software REUSE.software] is an initiative by the Free Software Foundation Europe (FSFE), which provides recommendations to make licensing easier. Their guidelines state how to best state SPDX based license headers in source files and how to put license texts into the repository. When following their recommendations, the correct statement of license information can be tested by the "reuse" Python tool, which checkscheck the syntactical correctness of the license statements and the overall conformance with the REUSE specification:
 
* https://reuse.software/spec/
 
=== SPDX Expression Examples ===
A SPDX conform license statement is quite simple. It always has the form to first state the copyright holders and then it specifies the license or licenses under which the source code can be used:
A SPDX conform license statement is quite simple. It always has the form to first state the copyright holders and then it specifies the license or licenses under which the source code can be used:
<pre>
<pre>
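Review bot: The precedence sentence in the paragraph beginning "The preference order of these operators" is ambiguous. The list is numbered OR, AND, WITH, so "a lower order operator is applied before a higher order operator" reads as if OR were applied first, while the example right after it has WITH binding tighter than OR. Suggest stating outright that WITH is applied first, then AND, then OR. The same example writes "LGPL-2.1-only_WITH_Qt-LGPL-exception-1.1" with underscores around WITH although the OR beside it is separated by spaces, and the REUSE.software paragraph has "checkscheck" where "checks" is meant.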
Line 25: Line 39:
</pre>
</pre>


===== SPDX-FileCopyrightText or Copyright Statement =====
== License Statements ==
We follow the recommendations from [[https://reuse.software/spec/ reuse.software]] how to state copyright information. Any of the following examples is OK:
 
=== SPDX-FileCopyrightText or Copyright Statement ===
We follow the recommendations from [https://reuse.software/spec/ reuse.software] how to state copyright information. Any of the following examples is correct:


# <code>Copyright 2016, 2018-2019 Joe Anybody <[email protected]></code>
# <code>Copyright 2016, 2018-2019 Joe Anybody <[email protected]></code>
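Review bot: The rewritten sentence under "=== SPDX-FileCopyrightText or Copyright Statement ===" is missing a preposition in "the recommendations from reuse.software how to state copyright information". Suggest "the recommendations from reuse.software on how to state copyright information".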
Line 34: Line 50:
# <code>© Example Corporation <https://corp.example.com></code>
# <code>© Example Corporation <https://corp.example.com></code>


For copyright statements please ensure the following:
For copyright statements, please ensure the following:


* Prefer "Copyright" or "SPDX-FileCopyrightText:" to state the copyright holders.
* Prefer "Copyright" or "SPDX-FileCopyrightText:" to state the copyright holders.
Line 41: Line 57:
* The year of publication can be a single year, multiple years, or a span of years.
* The year of publication can be a single year, multiple years, or a span of years.


===== SPDX-License-Identifier Statement =====
=== SPDX-License-Identifier Statement ===
The <code>SPDX-License-Identifier</code> tag must be followed by a valid SPDX License Expression.
The <code>SPDX-License-Identifier</code> tag must be followed by a valid SPDX License Expression.


Line 54: Line 70:
* <code>SPDX-License-Identifier: MIT</code>
* <code>SPDX-License-Identifier: MIT</code>
* <code>SPDX-License-Identifier: BSD-2-Clause</code>
* <code>SPDX-License-Identifier: BSD-2-Clause</code>
=== Introduction to REUSE.software ===
TODO
== Examples ==
TODO


== License Statement Tooling ==
== License Statement Tooling ==
TODO
TODO
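Review bot: "== License Statement Tooling ==" is still only "TODO" at the end of this hunk, although the REUSE.software section now names the "reuse" Python tool as the way to test license statements. Suggest replacing the TODO with at least a pointer to that tool and to https://reuse.software/spec/, or dropping the empty section until it has content.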

Revision as of 10:19, 12 January 2020

This document explains how to state license information in KDE projects according to the KDE Licensing Policy. Stating licenses correctly is a very important task, because only correctly licensed software can be distributed and delivered to our users.

Introduction

Every source code file shall contain information about its license to inform the user of the file how it may be used. Such information is usually added in the form of source code comments at the top of the file. Traditionally, those comments stated so-called license headers, which are either the complete license texts or short texts that explain where to find the license text for the file and a few legal constraints. This system is currently being replaced with "SPDX Expressions", which should also be the default way to state a license.

SPDX Identifiers and Expressions

Software Package Data Exchange® (SPDX) is an open standard for communicating software bill of materials information. The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The idea is to have a public registry of all open source licenses and important license exceptions, such that license statements can be reduced to simply stating the license identifiers.

Complex Expressions

Not all source code is licensed under just one license. For example, you might want to state that a file can be used under the terms of the BSD-2-Clause license or under the terms of the GNU Public License version 2 or later. For these cases, the SPDX workgroup also provides a specification for how to state complex license statements (which we call "SPDX expressions"). The SPDX expression language allows tooling-based syntax checks, which enables us to use tools to check the correctness of license statements.

For SPDX expressions that do not consist of only one SPDX identifier, the following keywords can be used (for details, see the SPDX specification):

  1. OR
  2. AND
  3. WITH

These operators are listed from lowest to highest precedence (cf. SPDX Specification, Appendix IV), so an operator further down the list is applied before one further up: WITH is applied first, then AND, then OR. For example, for GPL-3.0-only OR LGPL-2.1-only WITH Qt-LGPL-exception-1.1 the Qt-LGPL-exception-1.1 applies only when using the code under the LGPL-2.1 license.

REUSE.software

REUSE.software is an initiative by the Free Software Foundation Europe (FSFE), which provides recommendations to make licensing easier. Their guidelines describe how best to state SPDX-based license headers in source files and how to put license texts into the repository. When following their recommendations, the correct statement of license information can be tested by the "reuse" Python tool, which checks the syntactical correctness of the license statements and the overall conformance with the REUSE specification:

  • https://reuse.software/spec/

SPDX Expression Examples

An SPDX-conformant license statement is quite simple: it first states the copyright holders and then specifies the license or licenses under which the source code can be used:

/*
 * SPDX-FileCopyrightText: 2019 Jane Doe <[email protected]>
 * SPDX-FileCopyrightText: © 2019 John Doe <[email protected]>
 *
 * SPDX-License-Identifier: LGPL-2.1-or-later
 */

License Statements

SPDX-FileCopyrightText or Copyright Statement

We follow the recommendations from reuse.software on how to state copyright information. Any of the following examples is correct:

  1. Copyright 2016, 2018-2019 Joe Anybody <[email protected]>
  2. Copyright (c) Alice Coder
  3. SPDX-FileCopyrightText: 2019 Jane Doe <[email protected]>
  4. SPDX-FileCopyrightText: © 2019 John Doe <[email protected]>
  5. © Example Corporation <https://corp.example.com>

For copyright statements, please ensure the following:

  • Prefer "Copyright" or "SPDX-FileCopyrightText:" to state the copyright holders.
  • State the copyright information in the order: year, name, contact address.
  • Any contact address should be stated in angle brackets.
  • The year of publication can be a single year, multiple years, or a span of years.

SPDX-License-Identifier Statement

The SPDX-License-Identifier tag must be followed by a valid SPDX License Expression.

Here are several example statements from the KDE project. For the list of allowed licenses in the KDE project, please see the KDE Licensing Policy:

  • SPDX-License-Identifier: LGPL-2.1-or-later
  • SPDX-License-Identifier: LGPL-2.1-only OR LGPL-3.0-only OR LicenseRef-KDE-Accepted-LGPL
  • SPDX-License-Identifier: LGPL-2.1-only WITH Qt-LGPL-exception-1.1
  • SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
  • SPDX-License-Identifier: GPL-2.0-or-later
  • SPDX-License-Identifier: GPL-3.0-or-later
  • SPDX-License-Identifier: MIT
  • SPDX-License-Identifier: BSD-2-Clause
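
The following Python parser is an added example, not code from the KDE wiki or from the reuse tool. It pulls the SPDX-License-Identifier tag out of a file header and parses the expression with the operator precedence described under Complex Expressions. The names parse_expression and license_of, the allowlists and the sample header are assumptions; parentheses and the "+" operator of the SPDX specification are not handled.

```python
# Assumption: allowlists hold only identifiers quoted on this page, not the SPDX lists.
LICENSES = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "GPL-2.0-only",
            "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "MIT", "BSD-2-Clause"}
EXCEPTIONS = {"Qt-LGPL-exception-1.1"}
# Constructed sample header (name and address are made up).
SAMPLE = """/*
 * SPDX-FileCopyrightText: 2019 Jane Doe <jane@example.org>
 * SPDX-License-Identifier: GPL-3.0-only OR LGPL-2.1-only WITH Qt-LGPL-exception-1.1
 */"""

def parse_expression(text):
    """Parse into nested tuples: OR binds loosest, then AND, WITH tightest."""
    tokens = text.split() + [None]  # None marks the end of input

    def take():
        if tokens[0] is None:
            raise ValueError("unexpected end of expression")
        return tokens.pop(0)

    def binary(op, operand):  # left-associative chain of a single operator
        node = operand()
        while tokens[0] == op:
            take()
            node = (op, node, operand())
        return node

    def atom():  # license identifier, optionally followed by WITH <exception>
        tok = take()
        if tok not in LICENSES and not tok.startswith("LicenseRef-"):
            raise ValueError(f"unknown license identifier: {tok}")
        if tokens[0] != "WITH":
            return tok
        take()
        if tokens[0] not in EXCEPTIONS:
            raise ValueError(f"unknown license exception: {tokens[0]}")
        return ("WITH", tok, take())

    tree = binary("OR", lambda: binary("AND", atom))
    if tokens[0] is not None:
        raise ValueError(f"unexpected token: {tokens[0]}")
    return tree

def license_of(header):
    """Return the parsed expression from the first SPDX-License-Identifier line."""
    for line in header.splitlines():
        _, tag, expr = line.partition("SPDX-License-Identifier:")
        if tag:
            return parse_expression(expr.replace("*/", ""))
    raise ValueError("no SPDX-License-Identifier tag found")
```

Calling license_of(SAMPLE) returns the tree with WITH nested under OR, so the exception is attached to LGPL-2.1-only alone.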

License Statement Tooling

TODO