Partial SPDX detection lead to failing lint in 2.0 #771

Closed
mrdrogdrog opened this issue Jun 21, 2023 · 10 comments
Labels
documentation Missing or wrong documentation

@mrdrogdrog

mrdrogdrog commented Jun 21, 2023

Hello,

we tried to update reuse to 2.0 but it fails when linting our files and we assume that the snippet detection is the culprit.

Following situation:
Our repository contains a file for JetBrains IDEs so it can automatically renew/add a copyright to source files.

<component name="CopyrightManager">
  <copyright>
    <option name="notice" value="SPDX-FileCopyrightText: $today.year The HedgeDoc developers (see AUTHORS file)&#10;&#10;&#83;PDX-License-Identifier: AGPL-3.0-only" />
    <option name="myName" value="hedgedoc" />
  </copyright>
</component>

To make the linter happy we have a rule in our dep5 file that applies to this file:

Files: .idea/**
Copyright: 2021 The HedgeDoc developers (see AUTHORS file)
License: CC0-1.0

Now here comes the problem:

Reuse 2 scans this file, finds the SPDX snippet and assumes another license.

reuse.project - WARNING - Copyright and licensing information for '.idea/copyright/hedgedoc.xml' have been found in '.idea/copyright/hedgedoc.xml' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

Which results in a failure:

The following files have no licensing information:
* .idea/copyright/hedgedoc.xml

Is there any way to deactivate the snippet detection? Or to exclude files?

@mrdrogdrog
Author

This is not the only file that is failing:

reuse.project - WARNING - Copyright and licensing information for 'docs/content/legal/developer-certificate-of-origin.txt' have been found in 'docs/content/legal/developer-certificate-of-origin.txt' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

[...]

The following licenses are not used:
* LicenseRef-DCO


# MISSING COPYRIGHT AND LICENSING INFORMATION

The following files have no licensing information:
* .idea/copyright/hedgedoc.xml
* docs/content/legal/developer-certificate-of-origin.txt

file content:

Developer Certificate of Origin
Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
660 York Street, Suite 102,
San Francisco, CA 94110 USA

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

dep5:

Files: docs/content/legal/developer-certificate-of-origin.txt
Copyright: 2004, 2006 The Linux Foundation and its contributors.
License: LicenseRef-DCO

@mrdrogdrog
Author

Using a .license file also doesn't help

reuse.project - WARNING - Copyright and licensing information for '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs' have been found in '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs.license' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

@linozen
Member

linozen commented Jun 21, 2023

Hey @mrdrogdrog,

We anticipated that the (now defined and enforced) order of precedence will cause some problems but internally came to the conclusion that it's still needed (hence the new major version).

> Using a .license file also doesn't help

The warning should persist in this case but REUSE compliance should again be achieved. Is that not the case? What is the exit of this command when you use the .license file?

reuse.project - WARNING - Copyright and licensing information for '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs' have been found in '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs.license' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

The warning is there just to make sure that the user is aware that there are multiple sources of information but only one is used.

@mrdrogdrog
Author

Creating .license files worked.

So it seems like the hierarchy is

  • .license files
  • header
  • snippet detection
  • dep5 file

It would be nice if you would add a mention to the README about this. :)
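
A simplified model of the behaviour reported in this thread, added here as an illustration and not taken from the reuse code base: one source wins by precedence, and an in-file match that carries only a copyright line displaces the complete DEP5 entry. The regexes, the `resolve` function, the folding of header and snippet detection into one in-file level, and the sample `.license` contents are assumptions.

```python
import re

# Simplified tag patterns (assumption: the real tool recognises more forms).
COPYRIGHT_RE = re.compile(r"(?:SPDX-FileCopyrightText:|Copyright \(C\))\s*(.+)")
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*([\w.+-]+)")

def scan(text):
    """Return (copyrights, licenses) found in raw text; either list may be empty."""
    return COPYRIGHT_RE.findall(text), LICENSE_RE.findall(text)

def resolve(file_text, license_file_text=None, dep5=None):
    """Pick exactly one source, highest precedence first; sources are not merged.

    Returns (source_name, compliant). dep5 is a (copyrights, licenses) tuple.
    """
    candidates = []
    if license_file_text is not None:
        candidates.append((".license", scan(license_file_text)))
    candidates.append(("in-file", scan(file_text)))
    if dep5 is not None:
        candidates.append(("dep5", dep5))
    for name, (copyrights, licenses) in candidates:
        if copyrights or licenses:  # partial information is enough to win
            return name, bool(copyrights and licenses)
    return None, False

# Constructed inputs based on the files quoted in the thread.
# In the XML the S of the license tag is entity-encoded (&#83;), so the raw
# text contains a copyright tag but no license tag.
IDEA_XML = ('<option name="notice" value="SPDX-FileCopyrightText: $today.year '
            'The HedgeDoc developers (see AUTHORS file)&#10;&#10;'
            '&#83;PDX-License-Identifier: AGPL-3.0-only" />')
DCO_TXT = "Copyright (C) 2004, 2006 The Linux Foundation and its contributors."
DEP5_IDEA = (["2021 The HedgeDoc developers (see AUTHORS file)"], ["CC0-1.0"])
DEP5_DCO = (["2004, 2006 The Linux Foundation and its contributors."],
            ["LicenseRef-DCO"])
# Hypothetical .license sidecar contents (not shown in the thread).
SIDECAR = ("SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)\n"
           "SPDX-License-Identifier: CC0-1.0\n")

if __name__ == "__main__":
    print(resolve(IDEA_XML, dep5=DEP5_IDEA))   # in-file wins, license missing
    print(resolve(DCO_TXT, dep5=DEP5_DCO))     # same failure for the DCO text
    print(resolve(IDEA_XML, license_file_text=SIDECAR, dep5=DEP5_IDEA))
    print(resolve("<xml/>", dep5=DEP5_IDEA))   # nothing in file, DEP5 applies
```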

@mxmehl
Member

mxmehl commented Jun 21, 2023

May I ask what you mean by "snippet detection"? A snippet should be treated the same way as a comment on the file header AFAIK.

@mrdrogdrog
Author

mrdrogdrog commented Jun 21, 2023

Oh sure. I'm not sure if it's the right term. I mean the partial detection of license information.
I stumbled over this term when reading the changelog of the reuse 2 release and it got stuck in my head.
Please correct me if I'm using it wrong.

@carmenbianca added the "documentation" (Missing or wrong documentation) label Jun 21, 2023
@carmenbianca
Member

carmenbianca commented Jun 21, 2023

This change is documented in two places, but may need to be documented in more.

Currently:

Future:

  • Somewhere else in this repository, probably. README? The Sphinx docs?

@sebix

sebix commented Jun 21, 2023

I honor the effort which went into the new features, but I also think that the new behaviour is not intuitive.
As of now, files which are excluded via dep5 (e.g. debian/*), are checked by snippet detection and give an error (e.g. debian/changelog).

I suggest that files which are explicitly excluded in dep5 are treated as excluded and should not raise errors.
Here you can find such a run: https://github.com/certtools/intelmq/actions/runs/5333484167/jobs/9664008913

reuse.project - WARNING - Copyright and licensing information for 'docs/_static/n6/data-flow.png' have been found in 'docs/_static/n6/data-flow.png.license' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
reuse.project - WARNING - Copyright and licensing information for 'contrib/logcheck/README.md' have been found in 'contrib/logcheck/README.md' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
reuse.project - WARNING - Copyright and licensing information for 'debian/copyright' have been found in 'debian/copyright' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
# MISSING COPYRIGHT AND LICENSING INFORMATION

The following files have no licensing information:
* debian/copyright

@mrdrogdrog changed the title from "SPDX snippets lead to failing lint in 2.0" to "Partial SPDX detection lead to failing lint in 2.0" Jun 21, 2023
@carmenbianca
Member

I will close this issue and refer to #779. The above use-case mentioned by @sebix is covered in the linked issue, and we will have a solution for that while also defining a clear order of precedence.

Thanks for the swift responses, and apologies for the few hours of broken workflow.

@mrdrogdrog
Author

Thanks for taking care so quickly ❤️
