[REUSE] Curl is now REUSE compliant!
Karsten Klein
karsten.klein at metaeffekt.com
Wed Jun 22 16:06:02 UTC 2022
Hi all,
I took the thread as a trigger to check what our scanners derive and made the following observations (not intended to be complete, but simply to trigger thoughts):
1) /curl-master/scripts/copyright.pl should be tagged as "GPL-3.0-or-later WITH Autoconf-exception-2.0" (to be validated) instead of just being "GPL-3.0-or-later" (HIDE)
2) /curl-master/lib/curl_path.c includes an ISC snippet, but this is not marked with an SPDX-License-Identifier (HIDE)
3) /curl-master/lib/sha256.c includes a quote that parts of the code are based on public domain. This is not captured. (HIDE)
4) /curl-master/lib/md4.c contains code under Public Domain or simple redistribution terms (“heavily cut down BSD license”). This is not captured. (HIDE)
5) /curl-master/lib/md5.c contains code under Public Domain or simple redistribution terms (“heavily cut down BSD license”). This is not captured. (HIDE)
Being picky (while greetings go to Jilayne):
6) /curl-master/lib/krb5.c contains a variant of the BSD-3-Clause. The SPDX-License-Identifier says BSD-3-Clause. However, /curl-master/LICENSES/BSD-3-Clause.txt contains the standard/default text, which does not match the original license text. (OBFUSCATE)
Being extremely picky:
7) The files
/curl-master/tests/data/test222
/curl-master/tests/data/test230
/curl-master/tests/data/test232
/curl-master/tests/data/test314
/curl-master/tests/data/test396
/curl-master/tests/data/test1123
contain references to the X11 License and suggest that curl is under such a license. I would propose to rework those test cases to not cause any ambiguity.
My biggest concern with REUSE is that it might HIDE or OBFUSCATE information (see items above). Just relying on the SPDX-License-Identifier does not provide the full truth.
Currently we configure our scanner to intentionally exclude lines containing SPDX-License-Identifier tags, because we would like “to see through”.
I don’t want to say that this is the final situation. But in case projects apply REUSE, I would require them to be as accurate as possible and identify all corner cases; otherwise it just adds further work and ambiguity.
Just my thoughts…
Regards,
Karsten
On 22.06.22, 14:22, "REUSE on behalf of Sebastian Crane" <reuse-bounces at lists.fsfe.org on behalf of seabass-labrax at gmx.com> wrote:
On Mon, Jun 13, 2022 at 04:29:31PM +0200, Lina Ceballos wrote:
> Hi all,
>
> Since Max is on leave for some weeks, I have the honour to share some
> success story with you today!
>
> The FSFE's REUSE booster team has been in close communication with the curl
> team and after some feedback loop, this pull request got merged today:
> https://github.com/curl/curl/pull/8869
This is wonderful news! I've been eager to see the results from the
REUSE Booster programme, so am thrilled to hear about this.
Best wishes,
Sebastian
_______________________________________________
REUSE mailing list
REUSE at lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/reuse
This mailing list is covered by the FSFE's Code of Conduct. All
participants are kindly asked to be excellent to each other:
https://fsfe.org/about/codeofconduct