Description
What would I like to achieve?
I'm in the process of transitioning some templates to the REUSE standard and am wondering how to document the origin of third-party code. For example, given the following snippet, license and copyright information can be conveyed as specified by the REUSE standard and can be extracted by calling `reuse spdx`:
```cpp
// SPDX-SnippetBegin
// The following function is from Awesome Project V 0.9
// (https://github.com/awesome/project/tree/v0.9)
// SPDX-SnippetCopyrightText: 2008, 2011 John McMaster
// SPDX-SnippetCopyrightText: 2012-2014 Awesome Inc., Other Ltd.
// SPDX-License-Identifier: LicenseRef-MIT-AwesomeProject
namespace awesome {
    void sayHello() {
        std::cout << "Hello, awesome world!" << std::endl;
    }
}
// SPDX-SnippetEnd
```
However, I don't know how the original location (i.e., lines 2,3 in the above example) would be specified as per REUSE (e.g., purl, download location, commit hash, file comment, ...).
Possible Solution
I do understand that the REUSE standard is focused on license and copyright information and that we probably do not want to formally specify how to deal with the use case described above (or many others that may pop up). On the other hand, I think it would be very valuable to handle the snippet's original location in the example above in a way that's compatible with the spec and ideally with the same tool.
It seems to be quite natural to add additional information as the "origin" of a third-party snippet with some other `SPDX-*`-identifier. So, how about the following approach:
- add a section to the docs or to the FAQ on "How to add additional information", possibly with an opinionated suggestion on how to deal with the use cases we know about
- add a feature to the reuse tool's `spdx` command to just collect additional `SPDX` tag-value data using the same logic as for parsing the license and copyright information from source files and `REUSE.toml`s?
That way the spec on what REUSE compliance means stays concise and focused on license and copyright information. Still, there's an easy way to add additional information which can be extracted reusing the reuse tool and then processed further by other means.
References
This is a follow-up to a recent thread "[REUSE] Listing the "source" of third-party artifacts" on the mailing list and also relates to the following issues:
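
An added example, not part of the original issue and not the reuse tool's own code: a small collector that walks `SPDX-SnippetBegin`/`SPDX-SnippetEnd` blocks and separates the license and copyright tags from any additional `SPDX-*` tag-value lines, as the second bullet proposes. The tag name `SPDX-SnippetOrigin`, the function name and the sample input are assumptions made for illustration.

```python
import re

# "<comment prefix> SPDX-Some-Tag: value" (tag lines without a colon are markers).
TAG_RE = re.compile(r"^\W*(SPDX-[A-Za-z-]+):\s*(.*?)\s*$")
BEGIN_RE = re.compile(r"^\W*SPDX-SnippetBegin\b")
END_RE = re.compile(r"^\W*SPDX-SnippetEnd\b")

# License/copyright tags; every other SPDX-* tag counts as "additional" data.
KNOWN = {"SPDX-SnippetCopyrightText", "SPDX-FileCopyrightText",
         "SPDX-License-Identifier"}

def collect_snippet_tags(text):
    """Return one dict per snippet with its line range, known and extra tags."""
    snippets, stack = [], []  # stack lets nested snippets own their own tags
    for lineno, line in enumerate(text.splitlines(), 1):
        if BEGIN_RE.match(line):
            stack.append({"start": lineno, "end": None, "known": {}, "extra": {}})
        elif END_RE.match(line):
            if not stack:
                raise ValueError(f"line {lineno}: SnippetEnd without SnippetBegin")
            done = stack.pop()
            done["end"] = lineno
            snippets.append(done)
        elif stack and (m := TAG_RE.match(line)):
            tag, value = m.groups()
            bucket = "known" if tag in KNOWN else "extra"
            stack[-1][bucket].setdefault(tag, []).append(value)
    if stack:
        raise ValueError(f"snippet opened at line {stack[-1]['start']} never closed")
    return snippets

# Constructed sample input. SPDX-SnippetOrigin is a hypothetical tag name.
SAMPLE = """\
// SPDX-SnippetBegin
// SPDX-SnippetOrigin: https://github.com/awesome/project/tree/v0.9
// SPDX-SnippetCopyrightText: 2008, 2011 John McMaster
// SPDX-SnippetCopyrightText: 2012-2014 Awesome Inc., Other Ltd.
// SPDX-License-Identifier: LicenseRef-MIT-AwesomeProject
namespace awesome { void sayHello(); }
// SPDX-SnippetEnd
"""

if __name__ == "__main__":
    for snippet in collect_snippet_tags(SAMPLE):
        print(snippet["start"], snippet["end"], snippet["extra"])
```

Tag lines outside a snippet are ignored here; an unbalanced begin or end marker raises `ValueError` instead of silently attaching tags to the wrong code.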