Hello,

On Mon, Jan 6, 2020 at 10:43 PM Cornelius Schumacher <[email protected]> wrote:
>
> On Sunday, 5 January 2020 16:40:20 CET Andreas Cord-Landwehr wrote:
> > Hi, I want to propose to allow SPDX-based [5] and REUSE.software [1]
> > compatible license statements as a new option in our KDE licensing policy.
>
> This is great. Thanks for working on this. Very nicely done.
>
> > Here is my policy update proposal:
> > * Proposal: https://community.kde.org/Policies/Licensing_Policy/Draft_SPDX_v2
> > * Diff to current policy: https://community.kde.org/index.php?title=Policies%2FLicensing_Policy%2FDraft_SPDX_v2&type=revision&diff=87138&oldid=87134
<snip>

> It would also be nice to have examples for license headers which don't use the
> full text of the headers but only the SPDX identifiers as specified by REUSE.
> This is the more concise version and I think the one we would like to settle
> on longer term. So it would be good to have explicit examples which show how
> this will look. That could be a later step, though.

On a side note....

One of the hidden gems of adopting REUSE/SPDX is to be able to split what today we call "software license compliance" into two different activities (the names are not standardised):

* Conformance: is the right license/copyright information present? Is it in the right format, in the right place? Does it meet the project/organization policy? etc.

* License clearance: is the license correct? How is the license affected by the dependencies? Are the license clauses being violated? Is license A compatible with license B? etc.

The conformance step can be easily adopted in CI/CD pipelines through simple checks (tests), prior to the code review process, for instance, helping in the education of developers about licenses and copyrights through immediate feedback against well-defined policies, instead of waiting for complete scans to finish, sometimes complex reports and results reviews done by experts.

This split turns Conformance into a 100% engineering activity which helps to partially prevent license compliance engineers and lawyers/experts from becoming bottlenecks. It reduces costs, especially in big projects.

This is true not just for upstream projects but also for integrators and distributors, like distros, no matter if they are package based (.deb or .rpm, for instance) or declarative (Yocto, BuildStream, for instance). So by adopting REUSE/SPDX we would be helping downstream projects to adopt our software, not just ourselves.

I sometimes explain this side effect making an analogy with unit tests and integration tests.
> --
> Cornelius Schumacher <[email protected]>
>

Agustin Benito (toscalix)
KDE eV member
Profile: http://www.toscalix.com
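As an added example that is not part of the thread (nor KDE's or the REUSE project's own tooling), here is the kind of "conformance" check the mail describes, in Python: it verifies that a source file carries the REUSE tags SPDX-FileCopyrightText and SPDX-License-Identifier near its top and that the license expression uses only identifiers a project policy allows. The allow-list, the sample file headers and the identifier Not-A-Real-License are constructed for illustration.

```python
"""Added example, not KDE's or the REUSE project's own tooling: a "conformance" test of the kind the
mail describes, cheap enough to run in CI before code review, against a constructed project policy."""
import re

ALLOWED_LICENSES = {"GPL-2.0-or-later", "LGPL-2.1-or-later", "MIT", "BSD-3-Clause"}  # constructed policy
ALLOWED_EXCEPTIONS = {"LLVM-exception"}  # constructed policy: permitted operands of WITH
HEADER_LINES = 20  # the REUSE tags must sit near the top of the file
# Captures the tag name and its value, dropping a trailing comment terminator such as "*/" or "-->".
TAG_RE = re.compile(r"SPDX-(FileCopyrightText|License-Identifier):\s*(.*?)\s*(\*/|-->)?\s*$")

def check_expression(expr):
    """Return policy problems for one SPDX license expression (AND / OR / WITH, parentheses)."""
    problems, depth, after_with = [], 0, False
    for tok in re.findall(r"\(|\)|[^\s()]+", expr):
        if tok in ("(", ")"):
            depth += 1 if tok == "(" else -1
        elif tok in ("AND", "OR", "WITH"):
            after_with = tok == "WITH"
        else:
            allowed = ALLOWED_EXCEPTIONS if after_with else ALLOWED_LICENSES
            if tok not in allowed:
                problems.append(f"{'exception' if after_with else 'license'} not allowed by policy: {tok}")
            after_with = False
    if depth != 0:
        problems.append("unbalanced parentheses in license expression")
    return problems

def check_file(text):
    """Return the conformance problems for one source file; an empty list means conformant."""
    tags = {}
    for line in text.splitlines()[:HEADER_LINES]:
        m = TAG_RE.search(line)
        if m:
            tags.setdefault(m.group(1), m.group(2))  # first occurrence of each tag wins
    problems = [f"missing SPDX-{t} tag" for t in ("FileCopyrightText", "License-Identifier") if t not in tags]
    if "License-Identifier" in tags:
        problems += check_expression(tags["License-Identifier"])
    return problems

# Constructed sample headers, as they would appear at the top of a C++ and a Python source file.
SAMPLES = {
    "good.cpp": "/*\n    SPDX-FileCopyrightText: 2020 Jane Developer <[email protected]>\n"
                "    SPDX-License-Identifier: LGPL-2.1-or-later OR MIT\n*/\n#include <QObject>\n",
    "nocopyright.cpp": "// SPDX-License-Identifier: GPL-2.0-or-later\nint main() {}\n",
    # "Not-A-Real-License" is a constructed identifier standing in for anything outside policy.
    "badpolicy.py": "# SPDX-FileCopyrightText: 2020 Jane Developer\n"
                    "# SPDX-License-Identifier: GPL-2.0-or-later AND (Not-A-Real-License OR MIT)\n",
}
```

A CI job would run check_file over every tracked file and fail when any list is non-empty, leaving the clearance questions (compatibility, dependencies) to the experts.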
