jaybird icon indicating copy to clipboard operation
jaybird copied to clipboard

Published 20 hours ago verified publisher icon FirebirdSQL

Apply SPDX information to files

Open mrotteveel opened this issue 2 years ago • 4 comments

Currently the SPDX identifier of Jaybird is listed in README.md. Expand this to all files and the JAR itself.

Things to do (NOTE: this is not necessarily the order these operations should be performed):

  1. Replace current LGPL license notice in individual source files with

    Firebird Open Source JDBC Driver

    SPDX-License-Identifier: LGPL-2.1-or-later

    All individual contributions remain the Copyright (C) of those individuals. Contributors to this file can be obtained from a source control history command.

    All rights reserved.

    Note the removal of "This file was created by members of the firebird development team.", as this is not always true: some files are or were created by outside contributors.

    Before applying this change, double check if removing the current header is appropriate and allowed by their respective licenses, otherwise the SPDX identifier should be added to the current header, instead of the header replaced.

  2. Replace current BSD-3 clause license notice in individual source files with:

    Public Firebird Java API.

    SPDX-License-Identifier: BSD-3-Clause

    or, as we claim the intent is to dual-license these API interfaces/classes, but the current license header doesn't do that, check if we can do (as in, are we authorized to expand the license given those historic claims, or does the actual license prevail; taking into account historic authorship):

    Public Firebird Java API.

    SPDX-License-Identifier: LGPL-2.1-or-later OR BSD-3-Clause

    If this is appropriate, the global SPDX identifier becomes "LGPL-2.1-or-later OR LGPL-2.1-or-later AND BSD-3-Clause" instead of "LGPL-2.1-or-later AND BSD-3-Clause".

    Before applying this change, double check if removing the current header is appropriate and allowed by their respective licenses, otherwise the SPDX identifier should be added to the current header, instead of the header replaced.

  3. Replace or rename LICENSE with LICENSES/GPL-2.1-or-later.txt with the appropriate text (and make sure it is appropriately included in the JAR/dist-zip) (NOTE: Currently the directory is named licenses, and must be renamed to LICENSES)

  4. Add LICENSES/BSD-3-Clause.txt with the appropriate text (and make sure it is appropriately included in the JAR/dist-zip)

  5. Check how to handle some of the "separately" licensed files (only LegacyHash.java comes to mind right now, there might be more), and its effects on the SPDX identifier

  6. If point 2 or 5 changes the global identifier, update the README.md, and check if we also need to change information elsewhere (e.g. with Tidelift)

  7. Add Bundle-License: LGPL-2.1-or-later AND BSD-3-Clause to the JAR manifest (see also point 2 and 5, identifier may change)

  8. Maybe add a new LICENSE.txt or LICENSE file explaining licensing structure and referring to the individual license files

  9. Check if and how we can include the SPDX identifier in the POM and Gradle modules file generated by Gradle

  10. Create a JDP document detailing licensing and how to include the license information in individual files

mrotteveel avatar May 12 '23 14:05 mrotteveel

For reference:

  • https://spdx.dev/ids/#where
  • https://spdx.dev/
  • https://spdx.org/licenses/
  • https://reuse.software/spec/

mrotteveel avatar May 12 '23 14:05 mrotteveel

Given the requirements in the REUSE Specification, jaybird-icla.txt may need to be moved elsewhere, e.g. to devdoc.

mrotteveel avatar May 12 '23 15:05 mrotteveel

The REUSE Specification may require further changes to the headers than those listed right now under points 1 and 2, and may affect point 5. This needs to be investigated further.

mrotteveel avatar May 12 '23 15:05 mrotteveel

Deferring this until some future version.

mrotteveel avatar May 09 '24 12:05 mrotteveel