REUSE compliance check fails on all PRs

[marikaner]

Since today our REUSE compliance check fails for no apparent reason an all PRs. Please take a look at this PR, where I just changed something in the README.md and the REUSE check complains about almost 1000 files not being licensed. This check worked before.
=> .dep5 file

I also realized that there are many warnings in the following format (I assume one for each missing file):

reuse.project - WARNING - Copyright and licensing information for '/github/workspace/<FILENAME>' have been found in '/github/workspace/<FILENAME>' and the DEP5 file located at '/github/workspace/.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
# MISSING COPYRIGHT AND LICENSING INFORMATION

The following files have no licensing information:
* /github/workspace/<FILENAME>

The messages are confusing as the warning states that there are 2 sources of information, while the second message states that there is no source of information.

This seems related to #771.

[mrdrogdrog]

We had the same problem.
The reuse github action uses the latest docker image.

fsfe/reuse-action#21

I've linked a commit in the issue where we replaced the action with the docker image. This is our workaround for now to have consistent behaviour in the CI.

[mrdrogdrog]

I solved the license detection problem by placing .license files for files who can't have a SPDX header.

#771 (comment)

[linozen]

Hi @marikaner and thanks @mrdrogdrog for bringing up a potential solution here.

Since today our REUSE compliance check fails for no apparent reason an all PRs. Please take a look at this PR, where I just changed something in the README.md and the REUSE check complains about almost 1000 files not being licensed. This check worked before. => .dep5 file

Yes, we released a new major version today that defines and enforces an order of precedence for the sources of licensing and copyright information.

I also realized that there are many warnings in the following format (I assume one for each missing file):

reuse.project - WARNING - Copyright and licensing information for '/github/workspace/<FILENAME>' have been found in '/github/workspace/<FILENAME>' and the DEP5 file located at '/github/workspace/.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
# MISSING COPYRIGHT AND LICENSING INFORMATION

The following files have no licensing information:
* /github/workspace/<FILENAME>

The messages are confusing as the warning states that there are 2 sources of information, while the second message states that there is no source of information.

What's confusing you about the message? It tells you first that there are multiple sources of copyright/licensing information. Then it tells you where they are (in your case the DEP5 file and the file contents). Then it tells you that it's going to use the file contents (override DEP5) as the file content has higher precedence.

This seems related to #771.

yes. And the way it can be fixed is the same.

[stephanlachnit]

Relevant part of the spec is https://reuse.software/spec/#order-of-precedence

But who thought this was a good idea? We have the case where we just dump an entire folder in the repo. I don't want to write 100 license files. Can we please have an option to let dep5 overwrite?

[mxmehl]

Relevant part of the spec is https://reuse.software/spec/#order-of-precedence

But who thought this was a good idea? We have the case where we just dump an entire folder in the repo. I don't want to write 100 license files. Can we please have an option to let dep5 overwrite?

Do the files in this folder already contain copyright and licensing information? If not, the information in dep5 is the one that "wins". If yes, what's the reason why 100 files are wrongly labelled?

[stephanlachnit]

Do the files in this folder already contain copyright and licensing information? If not, the information in dep5 is the one that "wins". If yes, what's the reason why 100 files are wrongly labelled?

The REUSE spec specifies:

Instead of the SPDX-FileCopyrightText tag, the symbol ©, or the word Copyright MAY be used, in which case a colon is not needed.

So, just the word "copyright" is enough to ignore everything in the reuse/.dep5 file. This is so common that it is basically every copied code file. The two proposed "solutions" are both not really sustainable

• Create a .license file: if you import many files in a subfolder, you just clutter this with .license files. And especially if you embed a folder, you might need to redo this process if there are files removed/added.
• Change the header of the embedded files: this is also not sustainable, since this is work you need to do every time you import a new version.

It's not really related to the tool, but I think the spec should be adjusted in one of the following ways:

• Remove the compatibility with the word copyright. This ensure that the information of the file is only taken if it actually follows the reuse spec
• Add an "overwrite" option to specify exactly which information takes preference. This is not really suitable in DEP-5, so this should only be done when the new REUSE.yaml spec is ready (cc @mxmehl)
• Add an option to use .license files also with entire folders.

Anyway, in the meantime we'll stick with 1.1.2 and I suspect we will not be the only ones :/

[carmenbianca]

So, just the word "copyright" is enough to ignore everything in the reuse/.dep5 file. This is so common that it is basically every copied code file. The two proposed "solutions" are both not really sustainable

• Create a .license file: if you import many files in a subfolder, you just clutter this with .license files. And especially if you embed a folder, you might need to redo this process if there are files removed/added.
• Change the header of the embedded files: this is also not sustainable, since this is work you need to do every time you import a new version.

This makes a lot of sense, and is not a use-case we had considered.

We'll be yanking the release later today, and re-tinker at the problem until we have a workable solution for this use-case. This may take a while, because most of us are volunteers.

Thank you for taking the time to explain your use-case so clearly!

[stephanlachnit]

Thanks for the fast response! If you need an example repo, here is ours: https://github.com/allpix-squared/allpix-squared

[carmenbianca]

I'm going to close this PR and refer further discussion to #779.

Thank you for your swift feedback, and sincere apologies for breaking your workflow for a few hours.