[Reuse] How to handle non-compliant files in tarballs?

Max Mehl max.mehl at fsfe.org
Thu Apr 18 16:38:48 UTC 2019


Hi all,

We currently have the problem that the REUSE tool which you can download
from pypi [^1] actually is not REUSE compliant although the source code
itself is. This might also be true for many other projects that
distribute their releases through similar services.

The reason is that by compilation files are being created, e.g. binaries
or documentation, which do not carry license information nor are
accompanied with corresponding .license files. How shall we deal with
those?

Carmen and I discussed several options, but didn't find something
completely convincing. So please share your opinion to find a good
solution:

1. Ignore the whole problem and assume that people interested in reusing
   source code will find the source repo and start from there anyway.
   This would ignore the few cases in which FOSS projects do not have a
   publicly accessible VCS and are only published via tarballs
   containing such problematic files.

2. Recommend projects to always link to the source code repo in the
   README file so interested parties will always find the REUSE
   compliant code somewhere and do not rely on the released tarball.

3. Recommend projects to put the problematic files in the .gitignore
   file. REUSE will not take these files into consideration anyway.
   The problem is that people will probably remove this file from a
   packed release, and sites like pypi might do so as well.

4. Recommend projects to add the problematic files to a DEP5 file which
   is also shipped with the product.


What do you think?

Best,
Max 


[^1]: https://pypi.org/project/fsfe-reuse/

-- 
Max Mehl - Programme Manager - Free Software Foundation Europe
Contact and information: https://fsfe.org/about/mehl | @mxmehl
Become a supporter of software freedom:  https://fsfe.org/join
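
The gap described in the message, as an added example that is not part of the original post and is not the REUSE tool's own logic: a simplified check that lists files in a release tarball carrying neither an SPDX-License-Identifier tag nor a .license sidecar. The function names, the 4096-byte header window and the sample archive contents are assumptions constructed for illustration.

```python
import io
import tarfile

TAG = b"SPDX-License-Identifier:"

def unlicensed_members(tar_bytes, head_bytes=4096):
    """Return sorted names of regular files that have neither an SPDX tag in
    their first head_bytes nor a '<name>.license' sidecar in the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        files = [m for m in tar.getmembers() if m.isfile()]
        names = {m.name for m in files}
        missing = []
        for m in files:
            if m.name.endswith(".license"):
                continue  # a sidecar describes another file
            if m.name + ".license" in names:
                continue  # covered by its sidecar
            head = tar.extractfile(m).read(head_bytes)
            if TAG not in head:
                missing.append(m.name)
    return sorted(missing)

def build_sample():
    """Constructed sdist-like tarball: one tagged source file, one binary
    with a sidecar, and two generated files without license information."""
    members = {
        "pkg-1.0/src/tool.py":
            b"# SPDX-License-Identifier: GPL-3.0-or-later\nprint('hi')\n",
        "pkg-1.0/logo.png": b"\x89PNG\r\n",
        "pkg-1.0/logo.png.license": b"SPDX-License-Identifier: CC-BY-SA-4.0\n",
        "pkg-1.0/docs/index.html": b"<html></html>\n",     # built docs
        "pkg-1.0/PKG-INFO": b"Metadata-Version: 2.1\nName: pkg\n",  # packaging
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for name in unlicensed_members(build_sample()):
        print("no license info:", name)
```

Run against a real release archive by passing its bytes to unlicensed_members(); files declared only in a DEP5 file (option 4) would still be reported, since this sketch does not parse DEP5.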

