6
61
Fork
You've already forked reuse-tool
23

Akward Copyright parsing #1339

Open
opened 2026年02月22日 15:41:21 +01:00 by buhtz · 4 comments

Hello,
I am not sure if this is a bug, pointing to a problematic behavior or if it follows the specs.
It is somehow related to #536 and #1338.

I also know that I can use # REUSE IgnoreStart and # REUSE IgnoreEnd to workaround this issues.

Let me give you specific examples to illustrate the problem. I do use reuse lint --json to produce this output.

{
 "files": [
 {
 {
 "value": "Copyright : {copy}'",
 "source": "src/spdx2dep/__main__.py",
 "source_type": "file-header"
 },
 {
 "value": "Copyright (combinations) to sub keys",
 "source": "src/spdx2dep/__main__.py",
 "source_type": "file-header"
 },
 {
 "value": "SPDX-FileCopyrightText: ', '').strip()",
 "source": "src/spdx2dep/__main__.py",
 "source_type": "file-header"
 }
}}

That first value comes from this part of the code (3rd line).

 epilog = f'{logo_with_version()}\n\n Author : {author}' \
 f'\n Project : {prjurl}\nChangelog : {changelog}\n' \
 f' License : {gpl}\nCopyright : {copy}'

The second and third from this (1st and 5th line):

 # Copyright (combinations) to sub keys
 copyrights = []
 for cp in entry['copyrights']:
 copyrights.append(
 cp['value'].replace('SPDX-FileCopyrightText:', '').strip()
 )
 copyrights = '\n'.join(sorted(set(copyrights)))

I am in the middle of creating an SPDX to dep5 (debian/copyright) converter. 😄 https://codeberg.org/buhtz/spdx2dep

Just do be clear about what is problematic about this output

 "value": "Copyright : {copy}'",
 ^^^^^^^^^^
 "value": "Copyright (combinations) to sub keys",
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 "value": "SPDX-FileCopyrightText: ', '').strip()",
 ^^^^^^^^^^^^^^^

EDIT

I realize that reuse works much different then I thought. This is code in the middle of a python file:

 for idx, centry in enumerate(copyright):
 if not ('(c)' in centry or '©' in centry):
 copyright[idx] = f{copyright[idx]}'

But reuse lint --json shows me its source_type as file-header.

In the very first beginning I thought that reuse only would check comment lines in the beginning of a file.
And I think it should work that way. Read each line from the beginning of a file and stop at the first line that is not a comment. This would simplify things a lot.

For a project following SPDX there is no reason to put machine-readable license or copyright information int he middle of a file. It is in the header and nowhere else.

The situation is a bit frustrating. Sorry.

EDIT2

The primary question is what exactly does the SPDX and/or REUSE standard tells us?
Is it valid, in terms of the specs, to put the term "Copyright" somewhere in the middle of a file?

From the REUSE tutorial I learned to put those infos on top of the file only, and to use an SPDX field identifier, e.g. SPDX-FileCopyrightText. Because of that tutorial I do wonder that reuse behaves different.

Let me suggest some improvements:

First the json output should be more transparent.

 {
 "value": "Copyright (combinations) to sub keys",
 "source": "src/spdx2dep/__main__.py",
 "source_type": "file-header"
 },

This "value" does not come from the "file-header"! It should clearly state a) the line number it found that info and b) if it was a comment-line or not. The original full (raw) line would be useful to. This solution would help me (with "spdx2dep") decide which entry is useful and which is not.

Second: If there is no way to make reuse behave more strict by default, there could be an optional --strict mode, scanning only for SPDX-field-identifiers and doing this in the file header. File header is defined as all comment or empty lines from the beginning of file until the first line that is not a comment and not empty.

Regards,
Christian

Hello, I am not sure if this is a bug, pointing to a problematic behavior or if it follows the specs. It is somehow related to #536 and #1338. I also know that I can use `# REUSE IgnoreStart` and `# REUSE IgnoreEnd` to workaround this issues. Let me give you specific examples to illustrate the problem. I do use `reuse lint --json` to produce this output. ```json { "files": [ { { "value": "Copyright : {copy}'", "source": "src/spdx2dep/__main__.py", "source_type": "file-header" }, { "value": "Copyright (combinations) to sub keys", "source": "src/spdx2dep/__main__.py", "source_type": "file-header" }, { "value": "SPDX-FileCopyrightText: ', '').strip()", "source": "src/spdx2dep/__main__.py", "source_type": "file-header" } }} ``` That first `value` comes from this part of the code (3rd line). ```py epilog = f'{logo_with_version()}\n\n Author : {author}' \ f'\n Project : {prjurl}\nChangelog : {changelog}\n' \ f' License : {gpl}\nCopyright : {copy}' ``` The second and third from this (1st and 5th line): ```py # Copyright (combinations) to sub keys copyrights = [] for cp in entry['copyrights']: copyrights.append( cp['value'].replace('SPDX-FileCopyrightText:', '').strip() ) copyrights = '\n'.join(sorted(set(copyrights))) ``` I am in the middle of creating an SPDX to dep5 (debian/copyright) converter. 😄 https://codeberg.org/buhtz/spdx2dep Just do be clear about what is problematic about this output ``` "value": "Copyright : {copy}'", ^^^^^^^^^^ "value": "Copyright (combinations) to sub keys", ^^^^^^^^^^^^^^^^^^^^^^^^^^^ "value": "SPDX-FileCopyrightText: ', '').strip()", ^^^^^^^^^^^^^^^ ``` # EDIT I realize that `reuse` works much different then I thought. This is code in the middle of a python file: ```py for idx, centry in enumerate(copyright): if not ('(c)' in centry or '©' in centry): copyright[idx] = f'© {copyright[idx]}' ``` But `reuse lint --json` shows me its `source_type` as `file-header`. In the very first beginning I thought that `reuse` only would check comment lines in the beginning of a file. And I think it should work that way. Read each line from the beginning of a file and stop at the first line that is not a comment. This would simplify things a lot. For a project following SPDX there is no reason to put machine-readable license or copyright information int he middle of a file. It is in the header and nowhere else. The situation is a bit frustrating. Sorry. # EDIT2 The **primary question** is what exactly does the SPDX and/or REUSE standard tells us? Is it valid, in terms of the specs, to put the term "Copyright" somewhere in the middle of a file? From the REUSE tutorial I learned to put those infos on top of the file only, and to use an SPDX field identifier, e.g. `SPDX-FileCopyrightText`. Because of that tutorial I do wonder that `reuse` behaves different. Let me **suggest some improvements**: *First* the json output should be more transparent. ```json { "value": "Copyright (combinations) to sub keys", "source": "src/spdx2dep/__main__.py", "source_type": "file-header" }, ``` This "value" does not come from the "file-header"! It should clearly state a) the line number it found that info and b) if it was a comment-line or not. The original full (raw) line would be useful to. This solution would help me (with "spdx2dep") decide which entry is useful and which is not. *Second*: If there is no way to make `reuse` behave more strict by default, there could be an optional `--strict` mode, scanning only for SPDX-field-identifiers and doing this in the file header. File header is defined as all comment or empty lines from the beginning of file *until* the first line that is not a comment and not empty. Regards, Christian

#1336

It seems they suggest to use REUSE-IgnoreStart and REUSE-IgnoreEnd to make REUSE skip certain part of the code tho...

https://codeberg.org/fsfe/reuse-tool/issues/1336 It seems they suggest to use `REUSE-IgnoreStart` and `REUSE-IgnoreEnd` to make REUSE skip certain part of the code tho...
Author
Copy link

I do know about REUSE-IgnoreStart. But that is not a solution to this problem, because it is deeper. See my "EDIT2" comment.

I do know about `REUSE-IgnoreStart`. But that is not a solution to this problem, because it is deeper. See my "EDIT2" comment.

I agree with you and would prefer something closer to what you're describing. You're right that labeling everything as
file-header is misleading. If we want to limit copyright detection to what we consider an actual header, then we would need to change the REUSE spec as well, though because it allows copyright information anywhere in the file. And copyright detection turns out to be a bit naive in that respect which is why Carmen has been working on an overhaul of several aspects of it. I hope that this will fix some of the bugs/unfavorable behavior around this. Scanning more of the file is probably still necessary for snippet detection, but I can see something like --spdx-only.

As a short-term fix that hopefully doesn't interfere too much with Carmen's rework of the logic, I would say let's track match positions/line numbers and fix the SourceType and so on after clearing this with Carmen.

I agree with you and would prefer something closer to what you're describing. You're right that labeling everything as file-header is misleading. If we want to limit copyright detection to what we consider an actual header, then we would need to change the REUSE spec as well, though because it allows copyright information anywhere in the file. And copyright detection turns out to be a bit naive in that respect which is why Carmen has been working on an overhaul of several aspects of it. I hope that this will fix some of the bugs/unfavorable behavior around this. Scanning more of the file is probably still necessary for snippet detection, but I can see something like `--spdx-only`. As a short-term fix that hopefully doesn't interfere too much with Carmen's rework of the logic, I would say let's track match positions/line numbers and fix the `SourceType` and so on after clearing this with Carmen.
Author
Copy link

Hi Florian,
I apologize for my late reply. Thank you for your feedback.

Yes, I think that track line numbers and maybe fixing SourceType would help me a lot in context of https://codeberg.org/buhtz/spdx2debian.

Hi Florian, I apologize for my late reply. Thank you for your feedback. Yes, I think that track line numbers and maybe fixing SourceType would help me a lot in context of https://codeberg.org/buhtz/spdx2debian.
Sign in to join this conversation.
No Branch/Tag specified
main
janderssonse/fix/add-security-policy
mirror-codeberg
changelog-2.0.0-extend
readme-reuse-3.1
feature/debian-inspector
feature/dep5-error-handling
v6.2.0
v6.1.2
v6.1.1
v6.1.0
v6.0.0
v5.1.1
v5.1.0
v5.0.2
v5.0.1
v5.0.0
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.1.0a1
v3.0.2
v3.0.1
v3.0.0
v2.1.0
v2.0.0
v1.1.2
v1.1.1
v1.1.0
v1.0.0
v0.14.0
v0.13.0
v0.12.1
v0.12.0
v0.11.1
v0.11.0
v0.10.1
v0.10.0
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.2
v0.5.1
v0.5.0
v0.4.1
v0.4.0
v0.4.0a1
v0.3.4
v0.3.3
v0.3.2
v0.3.1
v0.3.0
v0.2.0
v0.1.1
v0.1.0
v0.0.4
v0.0.3
v0.0.2
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
fsfe/reuse-tool#1339
Reference in a new issue
fsfe/reuse-tool
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?