I think it's fair to say that Forgejo is proud to have a copyleft license, https://forgejo.org/2024-08-gpl/. Therefore I would like to explore how to assert license and copyright attribution even better in Forgejo's codebase (and possibly other Forgejo projects).
Forgejo's codebase is quite a mix of copyright attributions and licenses. There are files and code that originate from Gogs and have not been touched since (Gogs author), we have a significant amount of code from Gitea (Gitea author), and our own code that could have been licensed under MIT or GPL-3.0-or-later (Forgejo authors). There are also a handful of files that have copyright attribution to individuals (either because we incorporated their code from somewhere or introduced it via Forgejo because we don't require Forgejo authors as copyright attribution) or organizations (the soft-quota feature that Codeberg paid for). And the entire Forgejo binary is licensed under GPL-3.0-or-later.
The de facto unwritten, not checked, and unenforced way to document this is via copyright headers, using the standardized SPDX header to specify the license and "// Copyright YYYY The XXXX Authors. All rights reserved." to document attribution. However, there are many files in the codebase that do not have such a line, because they are either test data, binaries, or simply never done. I would say that in the vast majority of cases, attribution and licenses are clear if you do the extra work of using git blame, but this should not be necessary and the lines could become blurred if files have been modified between projects and/or after Forgejo has allowed GPL-3.0 or later as a license.
One way to solve this is by using https://reuse.software/. This would require all files to have a license and copyright notice, and for files where this is not possible, it can be defined in a REUSE.toml or as a /path/to/file.license file. This project includes a lint tool that will act as an enforcer that we adhere to documenting the copyrights and licenses for each file in the codebase. It even allows snippets within a file to be licensed differently.
It will be quite an operation to make Forgejo's codebase compliant with any tool/specification for documenting copyright and licenses for each file, so I suggest that when we can decide on a tool/specification, we start with one of Forgejo's other projects that is smaller in scope, such as https://code.forgejo.org/ forgejo/runner or https://codeberg.org/forgejo/docs (which generally already has good documentation).
I would like to know the following:
- Do you agree that documenting licenses and copyright attribution in a standardized way has advantages and should be pursued for code developed by the Forgejo project?
- What alternatives are there for documenting this?
- Are there any reservations about using REUSE for this purpose?
I think it's fair to say that Forgejo is proud to have a copyleft license, https://forgejo.org/2024-08-gpl/. Therefore I would like to explore how to assert license and copyright attribution even better in Forgejo's codebase (and possibly other Forgejo projects).
Forgejo's codebase is quite a mix of copyright attributions and licenses. There are files and code that originate from Gogs and have not been touched since (Gogs author), we have a significant amount of code from Gitea (Gitea author), and our own code that could have been licensed under MIT or GPL-3.0-or-later (Forgejo authors). There are also a handful of files that have copyright attribution to individuals (either because we incorporated their code from somewhere or introduced it via Forgejo because we don't require Forgejo authors as copyright attribution) or organizations (the soft-quota feature that Codeberg paid for). And the entire Forgejo binary is licensed under GPL-3.0-or-later.
The de facto unwritten, not checked, and unenforced way to document this is via copyright headers, using the standardized SPDX header to specify the license and "// Copyright YYYY The XXXX Authors. All rights reserved." to document attribution. However, there are many files in the codebase that do not have such a line, because they are either test data, binaries, or simply never done. I would say that in the vast majority of cases, attribution and licenses are clear if you do the extra work of using git blame, but this should not be necessary and the lines could become blurred if files have been modified between projects and/or after Forgejo has allowed GPL-3.0 or later as a license.
One way to solve this is by using https://reuse.software/. This would require all files to have a license and copyright notice, and for files where this is not possible, it can be defined in a `REUSE.toml` or as a `/path/to/file.license` file. This project includes a lint tool that will act as an enforcer that we adhere to documenting the copyrights and licenses for each file in the codebase. It even allows snippets within a file to be licensed differently.
It will be quite an operation to make Forgejo's codebase compliant with any tool/specification for documenting copyright and licenses for each file, so I suggest that when we can decide on a tool/specification, we start with one of Forgejo's other projects that is smaller in scope, such as https://code.forgejo.org/ forgejo/runner or https://codeberg.org/forgejo/docs (which generally already has good documentation).
I would like to know the following:
- Do you agree that documenting licenses and copyright attribution in a standardized way has advantages and should be pursued for code developed by the Forgejo project?
- What alternatives are there for documenting this?
- Are there any reservations about using REUSE for this purpose?