Dear all,
It occurred to me today what a beautifully elegant solution REUSE offers to one of the most frequent frustrations in FOSS licence compliance.
Free and open source projects are often developed with the assumption that contributions are made in good faith, but this sometimes means that it can go a long time before licensing issues are noticed. One familiar occurrence is for a project to contain files with ambiguous copyright status, as they were copied from an earlier project. Another is where a 'public domain' declaration was made for some files, but it isn't clear whether or not this is actually compatible with the FOSS licence covering the project.
Free software distributions like Debian or Fedora have lots of issue tracker, email and forum threads about precisely such situations. Often, the agreed course of action is to "wait until the problem is fixed upstream before packaging the software", but this decision can get forgotten just as easily as the upstream issue was missed in the first place. Thus, the ongoing licence compliance and resolution is based on the 'organisational knowledge' of various groups in the supply chain between upstream FOSS projects and their varied users and distributors.
If the upstream project utilizes REUSE, however, the problem becomes a lot easier to keep track of. The questionably licensed files can be annotated with statements such as this:
// SPDX-License-Identifier: LicenseRef-FIXME-Unknown-Author
As per the REUSE specification, there would be a file at the path LICENSES/LicenseRef-FIXME-Unknown-Author.txt in which useful background about the issue could be stored.
This doesn't abuse the SPDX License List, because SPDX is explicit in declaring that 'LicenseRef' identifiers are local in scope to the Software Bill of Materials in which they are used. In the context of REUSE, this translates to being local in scope to the source code repository of the REUSE-compliant FOSS project. LicenseRef identifiers are never assumed to have any inherent or universal meaning.
I think this seems such a powerful case for employing REUSE because it is equally visible to legal experts and software engineers.
A licence compliance specialist doing an audit of the project (be that on behalf of another free software project like Debian or a commercial redistributor) would start by looking at the LICENSES directory. Immediately, the files like LicenseRef-FIXME-Unknown-Author.txt would be apparent, and a quick invocation of the 'reuse' program on the command line would point to the exact files whose licensing was in question.
Just as naturally would the issue be apparent to a software engineer working on the FOSS project (or, indeed, a fork or vendored copy of the FOSS project). The SPDX-License-Identifier comments or associated '.license' files would clearly state 'FIXME', a frequently-used term to mark any kind of potential problem with a piece of code, and one that is even highlighted by default in many code editors. As with the licence compliance specialist, the software engineer can find exactly where to look for more information.
Hopefully my ruminations in this email might inspire others to make REUSE an essential mechanism for how they go about free and open source licence compliance, and illustrate one case of REUSE not just being a mere alternative to monolithic COPYING or LICENSE files. With all the conventional licensing and copyright information neatly arranged according to REUSE, you can make problematic details stand out much more effectively.
Best wishes,
Sebastian
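As an added example, not part of the email above and not code from the REUSE project or its `reuse` command-line tool, the script below shows the kind of audit the email describes being run by hand: it walks a source tree laid out according to REUSE, reads the SPDX-License-Identifier of each file from its header comment or from a sidecar `.license` file, and reports (1) every file whose licence expression uses a LicenseRef-FIXME-* identifier and (2) every LicenseRef identifier that has no backing LICENSES/<id>.txt. The sample repository it builds in a temporary directory is constructed for the demonstration; the file names, the GPL-3.0-or-later identifier and the LicenseRef-Internal-Only identifier are assumptions chosen to exercise both checks.

```python
"""Added example (not part of the original email or the REUSE project):
a small audit script that imitates what a REUSE-aware lint would surface
for the LicenseRef-FIXME-* pattern. The sample repository is constructed
in a temporary directory purely to exercise the checks."""
import os
import re
import tempfile

# A REUSE header line; re.M lets '$' match at each end of line.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*$", re.M)
# Licence expressions may combine identifiers with AND / OR / WITH.
ID_RE = re.compile(r"[A-Za-z0-9.+-]+")
KEYWORDS = {"AND", "OR", "WITH"}


def spdx_expression(path):
    """Return the SPDX expression for `path`, or None if it has none.
    A sidecar `<path>.license` takes precedence over a header comment,
    as the REUSE specification allows for files that cannot carry comments."""
    sidecar = path + ".license"
    candidates = [sidecar, path] if os.path.exists(sidecar) else [path]
    for cand in candidates:
        with open(cand, encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096)  # only the header is relevant
        m = SPDX_RE.search(head)
        if m:
            return m.group(1)
    return None


def identifiers(expr):
    """Split an SPDX expression into its licence identifiers."""
    return {tok for tok in ID_RE.findall(expr) if tok not in KEYWORDS}


def audit(root):
    """Return (fixme, missing): both map identifier -> list of relative paths.
    fixme   : files using a LicenseRef-FIXME-* identifier
    missing : files using a LicenseRef-* identifier with no LICENSES/<id>.txt"""
    licenses_dir = os.path.join(root, "LICENSES")
    known = set()
    if os.path.isdir(licenses_dir):
        known = {f[:-4] for f in os.listdir(licenses_dir) if f.endswith(".txt")}
    fixme, missing = {}, {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("LICENSES", ".git")]
        for name in filenames:
            if name.endswith(".license"):
                continue  # sidecars are read via the file they describe
            path = os.path.join(dirpath, name)
            expr = spdx_expression(path)
            if expr is None:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for ident in identifiers(expr):
                if ident.startswith("LicenseRef-FIXME-"):
                    fixme.setdefault(ident, []).append(rel)
                if ident.startswith("LicenseRef-") and ident not in known:
                    missing.setdefault(ident, []).append(rel)
    return fixme, missing


def build_sample_repo():
    """Constructed sample tree: one clean file, one FIXME file, one binary with
    a sidecar that combines a real licence and a FIXME, one orphan LicenseRef."""
    root = tempfile.mkdtemp(prefix="reuse-fixme-")
    files = {
        "LICENSES/GPL-3.0-or-later.txt": "GNU GENERAL PUBLIC LICENSE ... (text elided)\n",
        "LICENSES/LicenseRef-FIXME-Unknown-Author.txt":
            "Copied from an earlier project; original author and licence unknown.\n",
        "src/main.c": "// SPDX-License-Identifier: GPL-3.0-or-later\nint main(void){return 0;}\n",
        "src/legacy.c": "// SPDX-License-Identifier: LicenseRef-FIXME-Unknown-Author\nvoid old(void){}\n",
        "data/table.bin": "\x00\x01binary payload, no header comment possible\n",
        "data/table.bin.license":
            "SPDX-License-Identifier: GPL-3.0-or-later OR LicenseRef-FIXME-Unknown-Author\n",
        "src/orphan.c": "// SPDX-License-Identifier: LicenseRef-Internal-Only\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    fixme, missing = audit(repo)
    for ident, paths in sorted(fixme.items()):
        print(f"{ident}: background in LICENSES/{ident}.txt")
        for p in sorted(paths):
            print(f"  FIXME {p}")
    for ident, paths in sorted(missing.items()):
        print(f"{ident} has no LICENSES/{ident}.txt: {', '.join(sorted(paths))}")
```

The second check matters because a LicenseRef identifier is only meaningful inside the repository that defines it; a LicenseRef with no LICENSES/<id>.txt is itself an unresolved compliance question, whether or not it carries the FIXME prefix.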