[REUSE] Curl is now REUSE compliant!

Max Mehl max.mehl at fsfe.org
Thu Jul 28 09:13:13 UTC 2022


Hi Karsten,

~ Karsten Klein [2022-06-22 18:06 +0200]:
> I took the thread as a trigger to check what our scanners derive and
> made the following observations (not intended to be complete, but
> simply to trigger thoughts):

Thanks for taking this as a chance to make a thorough check of the
project. It highlights how a variety of tools and multiple pairs of eyes
are needed to capture the complexity of a project like curl.

I took the liberty to create an issue upstream as this is best to be
discussed there. I also added some comments behind the points on how
these can be addressed with REUSE:

  https://github.com/curl/curl/issues/9220

> My biggest concern with REUSE is that it might HIDE or OBFUSCATE
> information (see items above). Just relying on the
> SPDX-License-Identifier does not provide the full truth. 

Of course. REUSE, as most best practices, is not meant to be the single
point of truth or the silver bullet to all problems in its sphere. It's
an intentionally simple practice to mark files and get an overview for
humans and machines of licensing and copyright – for the project's
developers, re-users, compliance folks etc.

> Currently we configure our scanner to intentionally exclude lines
> containing SPDX-License-Identifier tags, because we would like “to see
> through”.
> 
> I don’t want to say, that this is the final situation. But in case
> projects apply REUSE, I would require them to be as accurate as
> possible and identify all corner cases; otherwise it just adds further
> work and ambiguity.

I, foreseeably, would see it the other way round. Especially for
projects that adopt REUSE from the start, it usually is a great resource
and helps its developers to keep track of special cases like included
snippets under different copyright and license, third-party libraries,
dual-licensing and so on. Retroactively identifying and fixing these is
much harder (see Linux) and – as we see it here – also prone to
mistakes.

But it's still worth it! Many more people have a much better
understanding of curl's licensing now, including the maintainer. During
the process, we fixed some incompatible licensing and clarified a lot of
questions. Moreover, it now is a constant reminder for contributors and
maintainers to keep a closer look on potential licensing issues.

Best,
Max

-- 
Max Mehl - Programme Manager -- Free Software Foundation Europe
Contact and information: https://fsfe.org/about/mehl -- @mxmehl
The FSFE is a charity that empowers users to control technology
