tl;dr License declaration of ROS packages can be clearer and support automated linting and the creation of Debian copyright files.
In the last TSC meeting, a change to REP-149 was accepted. It allows for a precise declaration of multiple licenses per package.
The changes explained
It changes the license tag by adding two attributes: source-files and type. The source-files attribute uses a pattern based on a simplified shell glob syntax that defines which source files the license applies to. The type attribute specifies the type of the license identifier. It can be either freeform (default) or spdx.
Motivation
There are multiple motivations for this change. It allows the automatic creation of a Debian copyright file. This is a file that Debian packages must have, but so far ROS packages were missing it or used an incomplete subset. Having this information readily available also makes it easier for users of the packages to create software bills of materials (SBOMs). The changes also make it easier to check the provided license declaration automatically.
Tooling
I have created some tooling to enable the previously mentioned automatic checking of licenses and creation of copyright files. At the moment, the main functionality is the checking. Copyright file creation is currently only a POC. But the next step is to integrate it into bloom such that every ROS package gets correctly created copyright files in the future.
For package maintainers
Please use the license linter to check your package. It already supports the new attributes. Also consider defining the spdx type, which could become mandatory in the future. Using a valid SPDX identifier already gives you additional features today, such as checking whether you provide the correct license text.
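To make the source-files and type attributes from "The changes explained" concrete, here is an added example (not part of the original post and not the license linter's code) that reads the license tags of a constructed package.xml and reports which files each declaration covers. It assumes Python's fnmatch as a stand-in for the REP's simplified glob syntax and that a tag without source-files covers every file; the package name, paths and license texts are made up.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample manifest; package name, paths and licenses are made up.
PACKAGE_XML = """<package format="3">
  <name>demo_pkg</name>
  <license type="spdx" source-files="src/*">Apache-2.0</license>
  <license type="spdx" source-files="third_party/*">BSD-3-Clause</license>
  <license source-files="scripts/*.py">Some custom terms</license>
</package>"""

# Constructed file listing of the package.
FILES = ["src/node.cpp", "src/util/math.hpp", "third_party/json.hpp",
         "scripts/run.py", "docs/index.md"]


def read_licenses(xml_text):
    """Return one dict per <license> tag: identifier, type, pattern."""
    decls = []
    for tag in ET.fromstring(xml_text).findall("license"):
        kind = tag.get("type", "freeform")  # freeform is the default per the post
        if kind not in ("freeform", "spdx"):
            raise ValueError(f"unknown license type: {kind!r}")
        decls.append({"id": (tag.text or "").strip(), "type": kind,
                      # Assumption: a tag without source-files covers everything.
                      "pattern": tag.get("source-files", "*")})
    return decls


def audit(xml_text, files):
    """Map each file to the licenses whose pattern matches it."""
    decls = read_licenses(xml_text)
    coverage = {f: [d["id"] for d in decls
                    # Assumption: fnmatch stands in for the REP's glob rules.
                    if fnmatch.fnmatchcase(f, d["pattern"])] for f in files}
    return {
        "coverage": coverage,
        "uncovered": [f for f, ids in coverage.items() if not ids],
        "freeform": [d["id"] for d in decls if d["type"] == "freeform"],
    }


if __name__ == "__main__":
    report = audit(PACKAGE_XML, FILES)
    for path, ids in report["coverage"].items():
        print(f"{path}: {', '.join(ids) or 'NO LICENSE DECLARED'}")
    print("freeform declarations:", report["freeform"])
```

Files listed under "uncovered" and identifiers listed under "freeform" are the entries that would need attention before a copyright file or SBOM could be generated from the manifest alone.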