Hello everybody. So I'm Linus. We have a lot of time, actually; we have 45 minutes. I see the clock running down at 14, but it doesn't matter. I think we have quite some time, and depending on what your interests are as an audience, I thought, you know, how to structure this. So I will show you briefly how to make one example repository REUSE compliant, and then maybe... Can I get a quick show of hands from you: who has a laptop with them? Nice. And who would be willing to get it out later and actually try something themselves? Show of hands again. Okay, that's pretty cool. So then I think I will try to keep things short with the stuff that I'm showing, and then we can make sure that you install reuse on your machine and that you can actually start using it on one of your projects. And then if you have any queries, or any issues come up during that process, we can troubleshoot them together.

So REUSE is a REUSE-compliant free software project. It's recursive, like the GNU thing: GNU's Not Unix, GNU's Not Unix. And you can contribute to it. I'm one of the maintainers. We're always looking for help. And it's on GitHub currently. Once Gitea adds federation features, we will move it to a free instance, to a free forge.

So let's start. One thing, a very nice way to get started with this is to... Actually, let's start with the very basics. Let's install it. reuse is in so many package repos, so it should be super simple for you to install it. I think more than 13 package repos, I just checked today. So we are in Arch, Debian, Fedora, Nix packages, of course, openSUSE, Ubuntu. Unfortunately, 22.04, the current LTS, has a bit of an older version, but you can still use it for the purposes of this workshop. But I actually prefer to install reuse with a tool called pipx. That kind of creates a virtual environment for every command line tool, and I'm gonna just install it right here. Can everybody in the back see the text? Is that large enough?
Yeah. So now we have installed reuse. The next thing, just for the purposes of this presentation: if you can't think of a project that you would like to make REUSE compliant, you can take the example repository that we provide and clone that. I've already cloned it, so let's just move in there. And Lina has already told you how you make a repo REUSE compliant: first, choose your licenses. And that's what we're gonna do first. So there's a command with the reuse tool. It's called reuse init, and it will ask us: hey, what license is your project under? Please provide the SPDX license identifier. If that sounds like "I don't know what the SPDX license identifier is", we can interrupt this here at this point and we can type in reuse supported-licenses, and we get a big list of all the licenses that are out there. This is like this because my terminal is really big here. But here we have all the licenses that you know, and then you have the SPDX license identifier next to it. This looks much nicer if it's actually a little bit smaller, like this, but I'm gonna leave it zoomed here. So for the purposes of this project, let's choose GPL, GPL 3... I need to learn to type... or later. Let's also use CC0 1.0, which is a license I like to use for kind of insignificant files, like .gitignore files, or maybe, if nothing special happens in your Docker Compose files, you can also... I often license my Docker Compose files like that. So that's it. Also CC0 maybe if you have pictures. But you can always come back and add more licenses later. I'll show you how to do that. And please, if at any point something is unclear... I want this to be interactive as much as possible, it being a stream and in this room. So...

And I think the CC0 license is a very short license that basically just puts it in the public domain. Is it? Yeah, it's one.
It's a very simple, terse license that just puts it in the public domain.

So what's the name of the project? It's called this reuse example here. The internet address: I'll plug our website here, which is reuse.software. What's the name of the maintainer? Let's just say it's the FSFE, and contact@fsfe.org. Now it's downloading those licenses and, as Lina has shown, it's put them in the licenses folder. So now if we move over here, then we see we actually have the license text over here already.

Yes, this is where SPDX comes in, because they kind of keep a ledger of the licenses and the license text. So if you go reuse supported-licenses again, you have this link here for every license. I'm just gonna choose any one here, and we open the browser, where you have the text of the license and also the link, in this case an archive link, of where this comes from. So this is the work that SPDX does, which is really cool and kind of like a foundation of REUSE.

So where were we? I mean, when I'm making a real repo REUSE compliant, I kind of find myself repeatedly running reuse lint. It's kind of the core of the thing. That's also the command that you will use in your CI if you want to make sure that a repository remains REUSE compliant, or that stuff is rejected if it isn't. And so let's just run this here and see what it says. So here we see: okay, we have unused licenses. Okay, so this already tells me... because kind of the status quo for many projects was not so ideal, is that they just dumped the licenses in the licenses file and then were done with it, but that's actually... they're just, REUSE thinks, they're unused at this point. And I think this is correct. The REUSE spec tells us that for every file there needs to be some kind of information of who's the copyright holder and what license it's licensed under.
So, and here the linter tells us the following files have no copyright and licensing information, and then it lists all the files. If you have a very large repo, this will be very large output. One of the upcoming features will be to have the output of this lint command also machine readable if you pass a --json flag. Yes?

What shall I do if I just have a Java project and I'm importing some random Java libraries? How can I make this thing REUSE compliant?

Well, I think then you would have to see... I mean, REUSE is primarily geared towards making your code REUSE compliant, and if you're having external dependencies which have licensing issues, then it's kind of their thing. If you're actually reusing source code from these projects, then obviously you need to make sure that the licensing information that they want you to provide, depending on what license they have, is actually also in your code.

It's, yeah, maybe a situation when... And we only apply REUSE to our first party, and everything which is third party is separated, if at all possible, and if there is no REUSE information, we can upstream a pull request or a merge request for making them compliant, because you cannot add copyright information to software which is not yours.

Exactly. That's never... This isn't it. Do not add copyright information if it's not already there by the author or by the copyright holder. Does that answer your question somewhat?
I mean, so also, like, don't use random Java libraries.

Yeah, let's say they are REUSE compliant, but I want my people to know: well, we are using the MIT license. So part of this project is licensed under MIT, Apache, whatever. But you don't find the source code here in this project, but if you run it, you will run this thing. Yeah, what should I do now? Because everyone uses these libraries in some way, yeah, even if it's only NumPy.

But then the licensing is their issue, you know. Then they would have to become REUSE compliant, and then you wouldn't have an issue anymore. Because running is different than distributing; I guess that's the core here. I mean, to be discussed. You know, I mean, please feel free to create an issue in the reuse helper tool, and you will get very thoughtful replies there by people who have thought a lot about this. But that's what I can tell you now, I think.

Okay, let's get it done. Yeah.

Just to chime in again: REUSE is for announcing your own copyright information; others would have to announce their own. And of course it's good to know what license the libraries you're using are under, but the only thing you can do is to push the mantra upstream and to open an issue and say: why are you not REUSE compliant? Well, yes, it's their decision. Yeah, you can present this possibility for having machine-readable license information readily available to others directly in the repo, your own repository, not a third party's repository. That's not your business. You can only suggest.

Exactly. And I can put you in contact with the person who wants to make Rust REUSE compliant, who faces a lot of those issues, you know, if you're very interested. So, but let's continue here along this path.
So now we have reuse lint. We ran it and we see: okay, I'm not REUSE compliant. That's very sad. So let's start becoming REUSE compliant. So for this we've built the addheader command, and this allows you to specify on the command line what copyright holder and what license a particular file should be licensed under. And let's just look at a file, how it looks now. Let's take this very complicated C file here. And now let's run reuse addheader. Let's say we are John, or rather John Doe, and we also pass a flag, the license flag, and then we can just give it... So let's say the README is under GPL, this source file that I was referencing, main.c, and then what else? And our Makefile is also GPL. So if you run that, it tells us: successfully changed header of Makefile, of main.c and of README. So let's see what that actually did to our C file. It figured out the correct syntax, the correct comment syntax for C, and it added this correct file header.

Let me maybe briefly say one word about why it's so important to have this in the header of the file. I mean, I can understand, it's much easier to just put a dep5 file and just glob your entire project and say this is under this license. It's much easier, but there's a couple of big downsides with that approach, and the main downside, I think, is when you move files around in your directory, they don't carry the license with them. If you have different paths, then you need to remember: I need to change this dep5 file. And reuse will not be able to tell you about it, because it's just taking the information from the globbing in your dep5. And so that's why I think we are heavily pushing in the spec for file headers. And also I think with the advent of tools like GitHub Copilot, I mean, this need for licensing information to be present in the source file itself, where the code is, it becomes even more
apparent. And okay, so now let's run reuse... Mm-hmm?

It would be... Okay, thank you. In your addheader command you specified the files. Is it also possible to specify folders, and to add this license information or copyright information in all files in a determined folder? Thanks.

So, we happen... So this is not staged, this question. I was gonna show something like that. You can do globbing, since this is a command line tool. I'm using fish shell here, so your usage may vary a little bit on other shells, but to show this, maybe let's create some Python files here in a repository under the path Python. This is just a small little function. So I need to mkdir Python first, and then I can run this, and now if I run tree again, I see I have this folder called Python with a lot of Python files that all say print hello world. Now if I wanted to make all these Python files REUSE compliant, I could go back here to my addheader command. If again John Doe was the person who wrote these Python files and wants them licensed under GPL, then I could just go Python and do a globbing like that, and this will add...

There's also something maybe that I can point out at this point, that we have the helper scripts. Recently, on the 1.0 release of reuse, we added some helper scripts, which are really nice, by one of our supporters and maintainers. He added this documentation. Thanks, Nico. I find them really helpful, and yeah, this would also be a great starting point, if you're a more advanced user of reuse, to go to the documentation and then look at the helper scripts there.

So let's run reuse lint again to see what the status here is. So it's seven out of ten. Seven, ten. That's my birthday.
How nice. But we're still not compliant, because there's three files left which aren't yet properly copyrighted. So first let's use this .gitignore file, but actually use the other license that I talked about earlier, and use that for the .gitignore, if I can type. Okay, and now it's only these two. So let's take a look at the cat. Ah, okay. It's a binary file, some kind of JPEG. So here it's not source code, so we can't add a license, and like Lena said, now the next best option before globbing (please don't glob)... it's nice... is to add the .license file. So let's try doing that. So we again use the addheader command. And now... that's the correct license for us. Whoops. Sorry. I'm just gonna... okay, CC... I'm just using any license here that we haven't used, just to show you how reuse handles that if we haven't downloaded the license yet but we use it in one of our file headers. So let's just go with that, and then everything in our images folder, we want to do that. And we see here: ah, okay, it tells us successfully changed header of image cat license. And if you take a look at one of those files, it's basically, yeah, another file that was added to your repository that carries the licensing information and basically just carries the extension of the file that you are licensing in the first place.

So let's run reuse lint, and... okay, we're not compliant with REUSE. Why? Because we've used CC BY 1.0 and we licensed files under it, but we missed the license text in the repository, and that's part of the REUSE specification, that the reuse license text needs to be there. So at this point we can just... Okay, nice. reuse is telling us... so, okay, this doesn't work. Okay, so it's a nice ad skills here. So let's go into images. Okay, we can just delete this and rerun the command with the correct license file. It did tell me what other licenses there are. Let's use that one. Nice.
Okay, I'm gonna copy now, so you don't have to bear with my bad typing. And okay, and now it told us okay again, and now we actually download this. Nice. And let's check the output. Yes, we're really compliant. Well, I mean, it should be the standard, you know, it should be standard.

Okay, so where do we go from here? One thing would be to... I mean, obviously you need to push this; we have a lot of untracked stuff here. But one nice component of the project is the REUSE API. We all love badges, don't we? I mean, as a developer, I love badges, when I'm done with the project, to add the little badge. So we have an API for that... do-do-do-do-do-do... where you can register your project, then we'll shoot you a quick email, and then we can actually do this for this repository. But because I saw that there was no... reuse example... we don't have a badge here. And I think I can actually push to this, so maybe, if the demo gods are with me, we can add the badge here, if it's not too painful. So, and here we don't need to add the HTTPS. It will figure that out on its own. We can subscribe to the newsletter. I'm already getting enough mails here at this point, and I'm probably writing this information, so I don't need to sign up. Let's try this again. So our registration is successful. Now we can go into our email. I didn't plan for this. Let's go tomorrow. I hope I'm not disclosing any private information here. Maybe I shouldn't do that. Anyhow, so I'll get an email, which then... I need to basically confirm that I've actually signed up for this, and then it will tell me how I can add the badge to my repository, and on each... This badge will be always up-to-date. It will take the latest hash from the latest commit in your repo and then run reuse lint on it and then actually make sure that it's really compliant.

Okay. Maybe I'll point out a couple of cool resources. So one is the tutorial.
We basically did this together now, but there it's all explained again, and pretty verbosely. The frequently asked questions, I find myself looking in there quite a lot as well. And obviously GitHub issues, GitHub pull requests are the path if you actually want to become involved, or, yeah, if you have a project that has interesting edge cases, let us know. There are loads. The helper scripts. Yeah, any more questions? Any more questions? Well, there's a lot of time left, or, I don't know how much time, 20 minutes, so I mean, you could... It's already late. I know we have all had a long day of conference. Yes, please go ahead.

Yeah, I forgot to push one file, so I'm REUSE non-compliant in the badge. How can I rerun the... Oh, shall I rerun the check when I fix the non-compliance?

Yeah, I mean, first fix the non-compliance, of course, and then it will... I think on each... it will just periodically check. It should... Yeah, you need to wait some... Stay tuned for some radical improvements to the performance of this API. It's currently a single-threaded, sequential execution. It's not perfect. It's getting better. Bear with us.

Maybe one more thing, since I have time, and... Yeah, Lena, what...?

Yeah, I mean, I'm thinking maybe you could show us a little bit about this pre-commit hook, which is super cool.

So yeah, you can actually... So we're compliant here. So let's use a pre-commit hook to make sure that before every commit reuse lint is run, and if it exits with a zero exit code, then we can't commit. So that's cool if you really want to enforce REUSE compliance. So for this we need to add a file here.
I think it's also... It's in here, the pre-commit hook, if I'm not... Yes. So, and we need to call it .pre-commit-config.yaml. Yes, don't need a language server for this file. Okay, so we added this, and now we need to install, and... okay. Now let's push some stuff. So let's track this, or let's commit, rather. And now the commit hook runs and runs. So why did it fail exactly? So yes, we added a new file which misses the header. So let's get out here. Actually, again, I would go with CC0 here. And let's see, let's stage this and try to commit again. Ah, nice. We can commit. Okay.

What do I have to add? I just made my thing REUSE compliant. Could you just say what files I need to add to my project so I can add this each time I am committing?

Ah, yeah. So, let me phrase it like this. So we so far haven't implemented a lot of automation features, where, for example, you could think about a REUSE config, you know, where you put your name and your license that you want to publish things under and then just run that every time you add a new file. There's one command that I can show you that I sometimes use when I'm working with a REUSE project. It's basically... Yeah, you're basically just using the power of the shell here. So let's first create a new file. Okay, good enough. reuse lint. Okay.
We're not compliant again, and now we can reuse addheader... And you can alias that to whatever you want, what I'm going to type now. So it's basically this. Let me go through it. So basically, here's a printf, which is a function in fish, but similarly you can just do string interpolation in bash, or command substitution, rather, for the same effect. So basically, take my user name and substitute it here, and then take my git config user.email and put it here, and add the license that I want to add. I could also put that in an environment variable if I wanted to, for example. And then here, this gives me all the files that are staged, but only the names, the paths of the files that are staged. And then I can also pass... because this is a txt file that I just staged, it won't know which particular style... Because txt can be... can you print anything? So I'm just saying: okay, do a Python style. Let's run this. "Arguments are required", so it didn't work, because I didn't stage it. And now this should... Yeah, and now it successfully changed the header of...

And when you run a commit, then reuse lint checks whether everything is fine? That work's done by the pre-commit hook?

Yeah, before I commit. I can't commit, basically... Now, in this setup, I won't be able to commit if there's anything wrong, if the repo isn't REUSE compliant. I won't be able to commit with this hook.

So only the things that are staged?

That's how pre-commit works. Yeah, it only considers the things that are staged.

That's good.

And I think, yeah, look into the documentation of pre-commit. It's pretty cool, and it's very helpful for this kind of task. I mean, you won't be able to push anything to the repo which isn't staged before it.
So yeah, thanks.

Have you ever thought about machine-readable output for the linter? Because, first of all, for large projects, maybe some automation would be needed when a lot of files are added, and so you can...

Yes, I'm trying to make some time next week. Okay, no, it's definitely on the roadmap.

Okay. It's a kind of JSON file, or...?

Exactly. Yeah, we are imagining something like this, --json, and then it gives you a nice JSON with a version.

So I can create a script to automate...

Exactly. Yeah, and then basically give you this kind of license... We already have this spdx command, which gives you...

I know that, yeah.

...an S... like a bill of materials, software bill of materials, in SPDX format.

That's cool.

And reuse lint will give you... We're trying to progressively add this kind of --json to the entire tool, so that the output of every command will be easily machine readable, so that you can plug it into your infrastructure as you see fit. That's on the roadmap and it's coming soon.

Yeah. Is there a merge request or something, or just not yet?

No, but it shouldn't be... I mean, trademark... shouldn't be too hard.

We need that in our project. So maybe we could just... Don't... make some suggestions, or...

Yeah, we can accept... I'll stick around and we can exchange. Yeah, it's always cool. Any other questions?

Yeah, I think this is more for the lawyers, but we have a few here. So how much will a lawyer trust the SPDX IDs added in source code, as opposed to performing a source code scan? Would you need to do both, or can we fully trust the SPDX IDs?
Yeah, okay. Sorry, it depends. After the laughter: I will basically tend to trust REUSE, because the user has made an effort. There are cases where licensing information is inconsistent, and this is a problem, and I think that... but doing a scan the traditional way, I mean, by scanning the licensing text, and if it's consistent, okay, no problem. If it's inconsistent, then we have a problem. Of course, depending on how many of these five years... I mean, it's a problem also of resources. But yeah, in theory you should trust licensing information only if it's consistent. If it's REUSE compliant, it should be consistent, because otherwise... but yeah, you never know. So if you have a double confirmation, that's double sure. If you have an inconsistency, you have a hell of a problem, and the only way to solve it is to upstream the issue to the software holder, because they are the only one who can... Of course, you can risk and say "I trust this more" or "I trust that more", but at the end of the day you're unsure, and uncertainty kills you.

For instance, if you use FOSSology, you have this checker, you have the REUSE agent that can apply a decision if the REUSE finding kind of doesn't conflict with any other finding of license scanners. But you can have corner cases, because, for instance, in the Linux kernel we found a lot of BSD-licensed files, but the SPDX tag said it was GPL2, and that is basically correct, because the outbound license is GPL2 and the inbound license BSD. Okay, it depends, but again, we didn't flag that as a mistake, because there is... I mean, of course, it's a corner case.
Yeah, there is no way of saying: okay, this file was BSD, but in this context it is re-licensed under GPL.

Yeah, and also just maybe to frame the scope again of the CLI tool: it's to make it easier to conform with the REUSE spec, nothing more. So the scope is also a little bit limited, you know, and there are other tools for other parts of the chain. Yeah, or maybe when we have pizza we can discuss this in more detail.