Changes in the package.xml about licensing

tl;dr License declaration of ROS packages can be clearer and support automated linting and the creation of Debian copyright files.

In the last TSC meeting, a change to REP-149 was accepted. It allows for a precise declaration of multiple licenses per package.

The changes explained
It changes the license tag by adding two attributes: source-files and type. The source-files attribute uses a pattern based on a simplified shell glob syntax that defines which source files the license applies to. The type attribute specifies what type of license identifier is used. It can be either freeform (default) or spdx.

Motivation
There are multiple motivations for this change: It allows the automatic creation of a Debian copyright file. This is a file that Debian packages must have, but ROS packages have so far been missing it or have used an incomplete subset of it. This information being readily available also makes it easier for users of the packages to create software bills of materials (SBOMs). But the changes also make it easier to check the provided license declaration automatically.

Tooling
I have created some tooling to enable the previously mentioned automatic checking of licenses and creation of copyright files. At the moment, the main functionality is the checking. Copyright file creation is currently only a POC. But the next step is to integrate it into bloom such that every ROS package gets correctly created copyright files in the future.

For package maintainers
Please use the license linter to check your package. It already supports the new attributes. And consider defining the spdx type, which could become mandatory in the future. But using a valid SPDX identifier already gives you additional features today, like checking whether you provide the correct license text.

5 Likes
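As an added illustration of the attributes described in the post ("The changes explained") and of the two pieces of tooling it mentions (linting and Debian copyright file generation), here is a small stand-alone linter. It is example code written for this thread, not the author's license linter, catkin_pkg, bloom, or the wording of REP-149. Everything the post does not specify is an assumption and marked as such in the code: several patterns in `source-files` are taken to be whitespace-separated, patterns are matched with `fnmatch` against package-relative paths (so `*` also crosses directory separators), a missing `source-files` is read as covering the whole package, the first matching declaration wins, the SPDX table is a tiny subset of the real list, and the sample package.xml is constructed.

```python
"""Added example: lint REP-149 style <license> tags and emit a DEP-5 copyright stanza.

Not the post author's tooling. Assumptions beyond the post: whitespace-separated
patterns in source-files, fnmatch semantics, "*" as default scope, first match
wins, and a tiny subset of SPDX identifiers.
"""
import fnmatch
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample, not from any real ROS package. License #4 is deliberately
# wrong: "Apache 2.0" is not the SPDX identifier "Apache-2.0".
SAMPLE_PACKAGE_XML = """<package format="3">
  <name>example_pkg</name>
  <version>0.1.0</version>
  <description>Constructed example package</description>
  <maintainer email="maint@example.com">Example Maintainer</maintainer>
  <author>Example Author</author>
  <license type="spdx" source-files="src/* include/*">Apache-2.0</license>
  <license type="spdx" source-files="thirdparty/*">BSD-3-Clause</license>
  <license source-files="docs/*">Creative Commons Attribution 4.0</license>
  <license type="spdx" source-files="scripts/*">Apache 2.0</license>
</package>
"""

# Assumption: a real linter would load the full SPDX license list; this is a subset.
KNOWN_SPDX_IDS = {"Apache-2.0", "BSD-3-Clause", "MIT", "GPL-3.0-only", "LGPL-2.1-or-later"}
VALID_TYPES = {"freeform", "spdx"}


@dataclass
class LicenseDecl:
    identifier: str
    type: str = "freeform"                                   # default per the post
    source_files: list = field(default_factory=lambda: ["*"])  # assumption: whole package


def parse_licenses(xml_text):
    """Collect every <license> tag with its type and source-files patterns."""
    root = ET.fromstring(xml_text)
    decls = []
    for el in root.findall("license"):
        patterns = (el.get("source-files") or "*").split()   # assumption: whitespace-separated
        decls.append(LicenseDecl((el.text or "").strip(), el.get("type", "freeform"), patterns))
    return decls


def lint_licenses(decls):
    """Return a list of human-readable problems; empty list means the declaration is clean."""
    problems = []
    if not decls:
        problems.append("no <license> tag found")
    for i, d in enumerate(decls, 1):
        if not d.identifier:
            problems.append(f"license #{i}: empty license text")
        if d.type not in VALID_TYPES:
            problems.append(f"license #{i}: unknown type '{d.type}' (expected freeform or spdx)")
        elif d.type == "spdx" and d.identifier not in KNOWN_SPDX_IDS:
            problems.append(f"license #{i}: '{d.identifier}' is not a known SPDX identifier")
    # Lint rule chosen for this example: with several licenses, every one should be
    # scoped, otherwise the file-to-license mapping is ambiguous.
    unscoped = [i for i, d in enumerate(decls, 1) if d.source_files == ["*"]]
    if len(decls) > 1 and unscoped:
        problems.append(f"multiple licenses but #{unscoped} lack source-files; scope is ambiguous")
    return problems


def license_for_file(decls, path):
    """Resolve a package-relative path to a license identifier (first match wins), or None."""
    for d in decls:
        if any(fnmatch.fnmatch(path, pattern) for pattern in d.source_files):
            return d.identifier
    return None


def render_dep5(decls, upstream_name, copyright_holder):
    """Emit a Debian machine-readable (DEP-5) copyright file from the declarations.

    The copyright holder is not part of package.xml; it is passed in by the caller
    (assumption: taken from <author> or maintained separately).
    """
    out = ["Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/",
           f"Upstream-Name: {upstream_name}", ""]
    for d in decls:
        out += [f"Files: {' '.join(d.source_files)}",
                f"Copyright: {copyright_holder}",
                f"License: {d.identifier}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    decls = parse_licenses(SAMPLE_PACKAGE_XML)
    for problem in lint_licenses(decls):
        print("LINT:", problem)
    for path in ("src/node.cpp", "thirdparty/x/y.c", "package.xml"):
        print(path, "->", license_for_file(decls, path))
    print(render_dep5(decls, "example_pkg", "2024 Example Author"))
```

Running the script flags the fourth declaration (`Apache 2.0` under `type="spdx"`) and leaves the freeform Creative Commons entry alone, which is the point of the `type` attribute: only identifiers declared as SPDX are held to the SPDX list. The DEP-5 output reuses the `source-files` patterns directly as `Files:` fields, which is why a whitespace-separated glob list maps cleanly onto the Debian format.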

The changes to REP-149 do not seem to include a discussion of potential alternatives which were considered, so I’m curious to know why this specific implementation was chosen over any others.

Having done something similar myself recently, could you say something about what made you use this approach?

1 Like

Sorry Gijs, but I am not sure what you are looking for. There is quite some discussion in the PR: https://github.com/ros-infrastructure/rep/pull/347. What implementation are you referring to?

And what are you currently working on in this field? Would be curious to learn more.

How does this change reflect in catkin and catkin_lint? Do these packages need an update to support the new attributes?

I’ll answer myself: the changes are incompatible with catkin:

catkin_pkg.package.InvalidPackage: Error(s) in package 'project/package.xml':
Error(s):
- The "license" tag must not have the following attributes: type

Shouldn’t such changes come with an increase of the package format version number?

1 Like

Hi Martin.
Thanks for your research. Yes, I think this needs an increase in the schema version. But I will look into this.
Cheers Christian

1 Like