Skip to content

Latest commit

 

History

History
263 lines (193 loc) · 10.3 KB

spec.md

File metadata and controls

263 lines (193 loc) · 10.3 KB
Raw
title
REUSE Specification – Version 3.1

This specification defines a standardized method for declaring copyright and licensing for software projects. The goal of the specification is to have unambiguous, human- and machine-readable copyright and licensing information for each individual file in a project. Ideally this information is embedded into every file, so that the information is preserved when the file is copied and reused by third parties.

This specification implements IETF RFC 2119: Key words for use in RFCs to Indicate Requirement Levels.

For the revision history of this specification, please see the change log.

Definitions

These are the definitions for some of the terms used in this specification:

  • REUSE Tool --- helper tool for compliance with this Specification; available at https://github.com/fsfe/reuse-tool.

  • Project --- any unit of content that can be associated with a distribution of software. Typically, a Project is composed of one or more files. Also sometimes called a package.

  • License File --- a file containing the text of a license.

  • Copyright and Licensing Information --- the information that lists the copyright holders of a file or work, and describes under which licenses the file or work is made available.

  • Covered File --- any file in a Project, except for

    • The License Files.
    • The files belonging to the Project's version control system (example: .git/).
    • The files ignored by the version control system (example: files listed in .gitignore).
    • Submodules of the Project's version control system and Meson subprojects. Each submodule and Meson subproject is understood as a separate Project.
    • The files in the .reuse/ directory in the root of the Project. This directory MUST contain only files relevant for the operation of the REUSE Tool.
    • Symlinks and files with no data (zero-byte).
    • SPDX documents in their various formats as defined in the SPDX Specification, Clause 4.4 (example: sbom.spdx.json).

  • Commentable File --- a plain text file that can contain comments.

  • Uncommentable File --- either a plain text file that cannot contain comments or a file that is not a plain text file.

  • SPDX Specification --- SPDX specification, version 2.3; as available on https://spdx.org/specifications.

  • SPDX License Identifier --- SPDX short-form identifier, as defined in SPDX Specification. See also https://spdx.org/ids for a short introduction and examples.

  • SPDX License Expression --- as defined in SPDX Specification, Annex D, at https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/.

  • SPDX License List --- a list of commonly found licenses and exceptions; as available on https://spdx.org/licenses/.

  • DEP5 --- Machine-readable debian/copyright file, Version 1.0. Where the REUSE Specification and DEP5 state different things, the REUSE Specification takes precedence. Specifically in the case of the Copyright and License tags.

License Files

A Project MUST include a License File for every license under which Covered Files are licensed.

Each License File MUST be placed in the LICENSES/ directory in the root of the Project. The name of the License File MUST be the SPDX License Identifier of the license followed by an appropriate file extension (example: LICENSES/GPL-3.0-or-later.txt). The License File MUST be in plain text format.

If a license does not exist in the SPDX License List, its SPDX License Identifier MUST be LicenseRef-[idstring] as defined by the SPDX Specification, Clause 10 available at https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/.

A Project MUST NOT include License Files for licenses under which none of the files in the Project are licensed.

Everything that applies to licenses in this section also applies to license exceptions, with the exception that it is NOT possible to have a license exception that does not exist in the SPDX License List.

For avoidance of doubt, in practice this means that for every license and exception that is part of any SPDX License Expression in any Copyright and Licensing Information associated with any Covered File, there MUST exist a License File as defined in this section.

Copyright and Licensing Information

Each Covered File MUST have Copyright and Licensing Information associated with it. There are two ways to associate Copyright and Licensing Information with a file. In addition, there is a way to associate Copyright and Licensing Information with a snippet.

Comment headers

To implement this method, each Commentable File SHOULD contain comments at the top of the file (comment header) that declare that file's Copyright and Licensing Information.

For Uncommentable Files, the comment header that declares the file's Copyright and Licensing Information SHOULD be in an adjacent UTF-8 encoded text file of the same name with the additional extension .license (example: cat.jpg.license if the original file is cat.jpg).

.license files MAY be used with Commentable Files, but it is still RECOMMENDED that comment headers be put inside Commentable Files.

The comment header MUST contain one or more SPDX-FileCopyrightText tags, and one or more SPDX-License-Identifier tags. A tag is followed by a colon, followed by a text value, and terminated by a newline.

The SPDX-FileCopyrightText tag MUST be followed by a copyright notice.

Instead of the SPDX-FileCopyrightText tag, the symbol ©, or the word Copyright MAY be used, in which case a colon is not needed.

The SPDX-License-Identifier tag MUST be followed by a valid SPDX License Expression describing the licensing of the file (example: SPDX-License-Identifier: GPL-3.0-or-later OR Apache-2.0). If separate sections of the file are licensed differently, a different SPDX-License-Identifier tag MUST be included for each section.

An example of a comment header:

# SPDX-FileCopyrightText: 2016, 2018-2019 Jane Doe <[email protected]>
# SPDX-FileCopyrightText: 2019 Example Company
#
# SPDX-License-Identifier: GPL-3.0-or-later

If these tags are additionally used in the file without describing the file's actual license or copyright but for example as part of an output command or documentation, these occurrences MAY be put between two comments: REUSE-IgnoreStart and REUSE-IgnoreEnd. The REUSE Tool then ignores all tags within. This technique MUST NOT be used to ignore valid tags for licensing or copyright.

An example for an ignored block:

# SPDX-FileCopyrightText: 2021 Jane Doe
#
# SPDX-License-Identifier: GPL-3.0-or-later

# REUSE-IgnoreStart
echo "SPDX-FileCopyrightText: $(date +'%Y') John Doe" > file.txt
echo "SPDX-License-Identifier: MIT" > file.txt
# REUSE-IgnoreEnd

In-line snippet comments

If a copyright and/or licensing info is to apply only to a certain snippet instead of the whole file, SPDX snippet tags SHOULD be used (as defined in SPDX Specification, Annex H).

Such an annotated snippet block MUST start with SPDX-SnippetBegin to mark its beginning and end with SPDX-SnippetEnd to mark the snippet's end.

Do note that SPDX snippet tags MUST start with SPDX-Snippet, meaning that the correct copyright notice in a snippet is SPDX-SnippetCopyrightText.

Example:

# SPDX-SnippetBegin
# SPDX-License-Identifier: MIT
# SPDX-SnippetCopyrightText: 2022 Jane Doe <[email protected]>

{$snippet_code_goes_here}

# SPDX-SnippetEnd

Snippets may nest, and this is denoted by having SPDX-SnippetBegin/SPDX-SnippetEnd pairs within other pairs, in the same way that parentheses nest in mathematical expressions. In the case of nested snippets, the SPDX file tags are considered to apply to the inner-most snippet.

DEP5

Alternatively, Copyright and Licensing Information MAY be associated with a file through a DEP5 file. The intended use case of this method is large directories where including a comment header in each file (or in .license companion files) is impossible or undesirable.

The DEP5 file MUST be named dep5 and stored in the .reuse/ directory in the root of the Project (i.e. .reuse/dep5).

The License tag MUST be followed by a valid SPDX License Expression describing the licensing of the associated files.

The Copyright tag MUST be followed by a copyright notice.

An example of a DEP5 file:

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Project
Upstream-Contact: Jane Doe <[email protected]>
Source: https://example.com/jane/project

Files: po/*
Copyright: 2019 Translation Company
License: GPL-3.0-or-later

Order of precedence

Copyright and Licensing Information is considered according to the following order of precedence:

  1. Information defined in the .license file.
  2. Information defined in the Commentable File.
  3. Information defined in .reuse/dep5.

There is no merging of information from different sources. Only the source with the highest precedence is considered.

Format of copyright notices

A copyright notice MUST be prefixed by a tag, symbol or word denoting a copyright notice as described in this specification.

The copyright notice MUST contain the name of the copyright holder. The copyright notice SHOULD contain the year of publication and the contact address of the copyright holder. The order of these items SHOULD be: year, name, contact address.

The year of publication MAY be a single year, multiple years, or a span of years.

The copyright holder MAY be an individual, list of individuals, group, legal entity, or any other descriptor by which one can easily identify the copyright holder(s).

Any contact address SHOULD be in between angle brackets.

Examples of valid copyright notices:

SPDX-FileCopyrightText: 2019 Jane Doe <[email protected]>
SPDX-FileCopyrightText: © 2019 John Doe <[email protected]>
© Example Corporation <https://corp.example.com>
Copyright 2016, 2018-2019 Joe Anybody
Copyright (c) Alice