[0/3] scripts: mandate use of SPDX-License-Identifier tags in new files

Message ID 20241007154548.1144961-1-berrange@redhat.com

Message

Daniel P. Berrangé Oct. 7, 2024, 3:45 p.m. UTC
One of the items raised at the QEMU maintainers meeting at KVM Forum
2024 was adoption of SPDX-License-Identifier for licensing of newly
contributed source files, for which there were no dissenting voices.

Thus, to bring the proposal to the wider community, here is a series
illustrating a way to put the decision into action by extending
checkpatch.pl to mandate SPDX-License-Identifier in all new files.

Furthermore, anytime it sees SPDX-License-Identifier in any patch,
whether a new file or pre-existing, it validates the declared license
name. If it is not one of the commonly used QEMU licenses (the GPL
variants, MIT, & a few BSD variants), it will report an error. To
encourage sticking with GPL-2.0-or-later by default, it will issue
a warning even if it is one of the common licenses, encouraging
the contributor to double check their choice. This should reduce
(usually accidental) license proliferation in QEMU code.

Finally, I've seen a few other random SPDX tags such as:

  * SPDX-FileCopyrightText  - replacing "Copyright ..."
  * SPDX-FileContributor - replacing "Authors: ..."
  * SPDX-URL - a link to the license text
  * SPDX-sourceInfo - arbitrary free form text about the file

These may or may not be worth considering in QEMU, but this series
discourages their usage by raising an error in checkpatch for now.

If we feel we want to adopt any of these, I think it should be
through a conscious decision applied universally. Inconsistent &
ad hoc usage of other SPDX tags by a subset of contributors feels
like it doesn't seem to give a clear win, and could even be a
net loss through making practices inconsistent across the code.

Daniel P. Berrangé (3):
  scripts: mandate that new files have SPDX-License-Identifier
  scripts: validate SPDX license choices
  scripts: forbid use of arbitrary SPDX tags besides license identifiers

 scripts/checkpatch.pl | 104 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)
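The three checks the cover letter describes, as a standalone Python sketch added here for illustration (it is not the series' checkpatch.pl change). The allowed-license set, the rule of warning on any common license other than GPL-2.0-or-later, and the sample diff are assumptions constructed for this example.

```python
import re

# Allowed set is constructed for this example from the cover letter's
# description (GPL variants, MIT, a few BSD variants), not the series' table.
ALLOWED = {"GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only",
           "LGPL-2.1-or-later", "MIT", "BSD-2-Clause", "BSD-3-Clause"}
PREFERRED = "GPL-2.0-or-later"
# Matches any "SPDX-<Tag>: <value>", tolerating a trailing C comment closer.
SPDX_RE = re.compile(r"SPDX-([A-Za-z-]+):\s*(.*?)\s*(?:\*/)?\s*$")

def check_spdx(patch):
    """Return (level, message) findings for each file the diff touches."""
    findings = []
    for chunk in patch.split("diff --git ")[1:]:
        header, *body = chunk.splitlines()
        path = header.split()[-1][2:]              # strip the "b/" prefix
        is_new = any(l.startswith("new file mode") for l in body)
        added = [l[1:] for l in body if l.startswith("+") and not l.startswith("+++")]
        saw_license = False
        for m in filter(None, map(SPDX_RE.search, added)):
            tag, value = m.groups()
            if tag != "License-Identifier":        # check 3: no other SPDX tags
                findings.append(("ERROR", f"{path}: SPDX-{tag} tag not permitted"))
                continue
            saw_license = True
            if value not in ALLOWED:               # check 2: must be a common QEMU license
                findings.append(("ERROR", f"{path}: unexpected license {value}"))
            elif value != PREFERRED:               # nudge towards the project default
                findings.append(("WARNING", f"{path}: {value} is not {PREFERRED}, double check"))
        if is_new and not saw_license:             # check 1: new files need a license tag
            findings.append(("ERROR", f"{path}: new file lacks SPDX-License-Identifier"))
    return findings

# Constructed sample diff, trimmed to the lines the checker inspects.
SAMPLE_PATCH = """\
diff --git a/hw/foo.c b/hw/foo.c
new file mode 100644
+/* SPDX-License-Identifier: GPL-2.0-or-later */
diff --git a/hw/bar.c b/hw/bar.c
new file mode 100644
+/* SPDX-License-Identifier: LGPL-2.0-only */
+/* SPDX-FileCopyrightText: 2024 Example */
diff --git a/hw/baz.c b/hw/baz.c
+/* SPDX-License-Identifier: MIT */
diff --git a/hw/qux.c b/hw/qux.c
new file mode 100644
+int qux(void) { return 1; }
"""
if __name__ == "__main__":
    print(*check_spdx(SAMPLE_PATCH), sep="\n")
```

Run as-is it reports one finding per defect in the sample: the uncommon license and the extra tag in bar.c, the MIT choice in baz.c, and the missing tag in qux.c, while foo.c passes silently.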

Comments

Peter Maydell Oct. 7, 2024, 3:56 p.m. UTC
On Mon, 7 Oct 2024 at 16:46, Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> One of the items raised at the QEMU maintainers meeting at KVM Forum
> 2024 was adoption of SPDX-License-Identifier for licensing of newly
> contributed source files, for which there were no dissenting voices.
>
> Thus, to bring the proposal to the wider community, here is a series
> illustrating a way to put the decision into action by extending
> checkpatch.pl to mandate SPDX-License-Identifier in all new files.
>
> Furthermore, anytime it sees SPDX-License-Identifier in any patch,
> whether a new file or pre-existing, it validates the declared license
> name. If it is not one of the commonly used QEMU licenses (the GPL
> variants, MIT, & a few BSD variants), it will report an error. To
> encourage sticking with GPL-2.0-or-later by default, it will issue
> a warning even if it is one of the common licenses, encouraging
> the contributor to double check their choice. This should reduce
> (usually accidental) license proliferation in QEMU code.

For the record, I am in favour of this because it will
(hopefully) catch some of the typically accidental issues
like "user refers to a non-existent license or a license
that's probably not what they meant like LGPLv2" or
"user forgets to say 'or later' for GPL code" or
"user forgets to put in license comment at all" or
"user uses a license that is GPL-compatible but which
we don't use at all at the moment, with no strong reason
why they couldn't use some license we do already use"
(to list some which have come up this year). These are
trivially easy to fix if we can do it before commit when
the author is still around to clarify, and potentially a
real pain to try to fix after the fact, especially if multiple
people have subsequently contributed to the file. We often do
already catch this kind of mistake in code review, but having
the checkpatch check should reduce the human-error factor.

(Conversely, I don't see much benefit to the project in trying
to retrofit SPDX tags to already existing source files, though
I am not in principle opposed to that.)

thanks
-- PMM