[REUSE] Curl is now REUSE compliant!

Karsten Klein karsten.klein at metaeffekt.com
Wed Jun 22 16:06:02 UTC 2022


Hi all,

I took the thread as a trigger to check what our scanners derive and made the following observations (not intended to be complete, but simply to trigger thoughts):

1)	/curl-master/scripts/copyright.pl should be tagged as "GPL-3.0-or-later WITH Autoconf-exception-2.0" (to be validated) instead of just being "GPL-3.0-or-later" (HIDE)

2)	/curl-master/lib/curl_path.c includes an ISC snippet, but this is not marked with an SPDX-License-Identifier (HIDE)

3)	/curl-master/lib/sha256.c includes a quote that parts of the code are based on public domain. This is not captured. (HIDE)

4)	/curl-master/lib/md4.c contains code under Public Domain or simple redistribution terms (“heavily cut down BSD license”). This is not captured. (HIDE)

5)	/curl-master/lib/md5.c contains code under Public Domain or simple redistribution terms (“heavily cut down BSD license”). This is not captured. (HIDE)

Being picky (while greetings go to Jilayne):

6)	/curl-master/lib/krb5.c contains a variant of the BSD-3-Clause. The SPDX-License-Identifier says BSD-3-Clause. /curl-master/LICENSES/BSD-3-Clause.txt is, however, the standard/default text, not matching the original license text. (OBFUSCATE)

Being extremely picky:

7)	The files

/curl-master/tests/data/test222
/curl-master/tests/data/test230
/curl-master/tests/data/test232
/curl-master/tests/data/test314
/curl-master/tests/data/test396
/curl-master/tests/data/test1123

contain references to X11 License and suggest that curl is under such license. I would propose to rework those test cases to not cause any ambiguity.


My biggest concern with REUSE is that it might HIDE or OBFUSCATE information (see items above). Just relying on the SPDX-License-Identifier does not provide the full truth. 

Currently we configure our scanner to intentionally exclude lines containing SPDX-License-Identifier tags, because we would like “to see through”.

I don’t want to say that this is the final situation. But in case projects apply REUSE, I would require them to be as accurate as possible and identify all corner cases; otherwise it just adds further work and ambiguity.

Just my thoughts…

Regards,
Karsten


On 22.06.22, 14:22, "REUSE on behalf of Sebastian Crane" <reuse-bounces at lists.fsfe.org on behalf of seabass-labrax at gmx.com> wrote:

    On Mon, Jun 13, 2022 at 04:29:31PM +0200, Lina Ceballos wrote:
    > Hi all,
    >
    > Since Max is on leave for some weeks, I have the honour to share some
    > success story with you today!
    >
    > The FSFE's REUSE booster team has been in close communication with the curl
    > team and after some feedback loop, this pull request got merged today:
    > https://github.com/curl/curl/pull/8869

    This is wonderful news! I've been eager to see the results from the
    REUSE Booster programme, so am thrilled to hear about this.

    Best wishes,

    Sebastian
    _______________________________________________
    REUSE mailing list
    REUSE at lists.fsfe.org
    https://lists.fsfe.org/mailman/listinfo/reuse

    This mailing list is covered by the FSFE's Code of Conduct. All
    participants are kindly asked to be excellent to each other:
    https://fsfe.org/about/codeofconduct
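The "see through" check Karsten describes (ignore the SPDX-License-Identifier tag lines and look at the notices actually present in the file, then compare them with what the tag declares) as an added example. This is editorial example code, not Karsten's scanner and not anything from the curl project or the REUSE tool; the license-text signatures and the sample file are constructed for illustration and the coverage heuristic is deliberately crude.

```python
import re

# Matches an SPDX expression such as "BSD-3-Clause" or
# "GPL-3.0-or-later WITH Autoconf-exception-2.0" following the tag.
SPDX_TAG = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+\-]+(?:\s+(?:WITH|AND|OR)\s+[A-Za-z0-9.+\-]+)*)"
)

# Constructed, hypothetical signatures for a few license texts; a real
# scanner matches against a full license-text database instead.
LICENSE_SIGNATURES = {
    "ISC": re.compile(
        r"permission to use, copy, modify, and(?:/or)? distribute this software"
        r" for any purpose with or without fee",
        re.IGNORECASE,
    ),
    "public-domain": re.compile(r"\bpublic domain\b", re.IGNORECASE),
    "BSD-style": re.compile(r"redistributions? (?:of|in) (?:source|binary)", re.IGNORECASE),
}


def declared_licenses(text: str) -> list:
    """SPDX expressions declared by tags, in file order."""
    return [m.group(1).strip() for m in SPDX_TAG.finditer(text)]


def see_through(text: str) -> str:
    """Drop the tag lines so only the underlying notices remain."""
    return "\n".join(
        line for line in text.splitlines() if "SPDX-License-Identifier" not in line
    )


def body_licenses(text: str) -> list:
    """License texts recognised in the file body, ignoring SPDX tags."""
    # Collapse comment decoration and line breaks so multi-line notices match.
    body = re.sub(r"[\s*]+", " ", see_through(text))
    return [name for name, rx in LICENSE_SIGNATURES.items() if rx.search(body)]


def audit(text: str) -> dict:
    """Report notices the SPDX tag alone would hide.

    A body notice counts as covered when the first word of its label
    (e.g. "bsd", "isc") appears in some declared expression; this is a
    heuristic, not SPDX expression matching.
    """
    declared = declared_licenses(text)
    found = body_licenses(text)
    hidden = [
        name for name in found
        if not any(name.split("-")[0].lower() in d.lower() for d in declared)
    ]
    return {"declared": declared, "found_in_body": found, "hidden": hidden}


# Constructed sample: the tag says BSD-3-Clause, but the body carries an
# ISC permission notice and a public-domain remark that the tag does not show.
SAMPLE = """\
/* SPDX-License-Identifier: BSD-3-Clause */
/*
 * Portions derived from code placed in the public domain by its author.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */
int f(void) { return 0; }
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the sample the audit declares BSD-3-Clause but lists ISC and public-domain as hidden, which is exactly the situation items 2 to 5 above describe: a tag-only reader sees one license, a scanner that strips the tag sees the rest.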
