Licensing in Qt's modules: Difference between revisions

From Qt Wiki

Revision as of 18:18, 3 February 2025

This page provides an overview of how we document copyright and license within the Qt modules and how this information is used.

Where is licensing documented?

In file using SPDX tags

When possible, the copyright and license are documented in the file itself using a license header. The header must contain at least one copyright line and exactly one license line: multiple copyright lines are allowed, but only one license line. The license must be documented using an SPDX tag and License Id. A license that is not part of the SPDX license list can be documented using LicenseRef- followed by the Id of your choice. When a header lists several license Ids, they must be linked together with a separator: WITH, AND, OR.

# Copyright (C) 2022 The Qt Company Ltd.
# SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
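The header rules above can be checked mechanically. The following is an added example, not part of the Qt tooling: `check_header`, the `Copyright (C) <year>` pattern and the small `KNOWN_IDS` set are assumptions made for illustration, and parenthesised expressions are not handled.

```python
import re

# Separators the page lists as valid between license Ids.
OPERATORS = {"WITH", "AND", "OR"}
# Assumed header shapes, modelled on the example header above.
COPYRIGHT_RE = re.compile(r"^\W*Copyright \(C\) \d{4}")
LICENSE_RE = re.compile(r"^\W*SPDX-License-Identifier:\s*(.+?)\s*$")
# Constructed subset of the SPDX license/exception list, for illustration only.
KNOWN_IDS = {"GPL-3.0-only", "GPL-2.0-only", "LGPL-3.0-only",
             "BSD-3-Clause", "Qt-GPL-exception-1.0"}


def check_header(text, known_ids=KNOWN_IDS, max_lines=10):
    """Return a list of problems found in the first max_lines lines of text."""
    problems = []
    head = text.splitlines()[:max_lines]
    copyrights = [line for line in head if COPYRIGHT_RE.match(line)]
    licenses = [m.group(1) for line in head if (m := LICENSE_RE.match(line))]
    if not copyrights:
        problems.append("no copyright line")
    if len(licenses) != 1:
        problems.append(f"expected exactly one license line, found {len(licenses)}")
        return problems
    tokens = licenses[0].split()
    # A flat expression alternates Id, separator, Id, ... (odd token count).
    if len(tokens) % 2 == 0:
        problems.append("expression must alternate Id and separator")
    for i, tok in enumerate(tokens):
        if i % 2 == 1:
            if tok not in OPERATORS:
                problems.append(f"bad separator: {tok}")
        elif tok in OPERATORS:
            problems.append(f"separator where an Id is expected: {tok}")
        elif not tok.startswith("LicenseRef-") and tok not in known_ids:
            problems.append(f"unknown Id (not SPDX, no LicenseRef- prefix): {tok}")
    return problems


if __name__ == "__main__":
    sample = ("# Copyright (C) 2022 The Qt Company Ltd.\n"
              "# SPDX-License-Identifier: Qt-Commercial OR GPL-3.0-only\n")
    print(check_header(sample))
```
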

In three types of external files

REUSE.toml

The REUSE.toml files document copyright and licensing that cannot be documented in-file, or that differs from the in-file license because the in-file license corresponds to another file, for generation or documentation purposes.

The REUSE.toml files, together with the in-file licensing information, are read by reuse to check for reuse compliance and to generate the source SBOM.

Please refer to the full REUSE.toml documentation. Below is an example of what a REUSE.toml file looks like:

version = 1


[[annotations]]
path = ["<path1>",
        "<folder1/**>",
        "<folder2/*>"]
precedence = "override"
comment = "test"
SPDX-FileCopyrightText = "Copyright (C) 2024 The Qt Company Ltd."
SPDX-License-Identifier = "LicenseRef-Qt-Commercial OR GPL-3.0-only"

[[annotations]]
path = "<path2>"
precedence = "closest"
comment = "test"
SPDX-FileCopyrightText = ["Copyright (C) 2024 The Qt Company Ltd.",
                          "Copyright (C) 2023 someone else"]
SPDX-License-Identifier = "LicenseRef-Qt-Commercial OR GPL-3.0-only"

[[annotations]]
path = "<path3>"
precedence = "aggregate"
comment = "test"
SPDX-FileCopyrightText = "Copyright (C) 2024 The Qt Company Ltd."
SPDX-License-Identifier = "LicenseRef-Qt-Commercial OR GPL-3.0-only"

The REUSE.toml file always starts with version. Each annotation represents a license and copyright assignment.

About the path:

  • it determines where the annotation applies.
  • it can be a list.
  • exceptions are not part of its syntax.
  • ** means everything in and down this folder.
  • * means everything in the folder.

For a given file, licensing can be present in the file itself and in multiple REUSE.toml files. precedence tells reuse which licensing is to be used. There are three possibilities:

  • closest: the in-file licensing is used if available; if not, the corresponding annotation within the REUSE.toml file closest to the file is used.
  • aggregate: all available licensing corresponding to a given file (in file, multiple REUSE.toml files) is collected.
  • override: only the licensing in the REUSE.toml file closer to the base of the module is used. When precedence is set to override, the licensing in the file or in a REUSE.toml file further down the module is ignored.

SPDX-FileCopyrightText and SPDX-License-Identifier are self-explanatory and can also contain a list. Any other entry can be added for documentation purposes, such as comment.
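To see how the three precedence values interact for one file, the following added example models the rules as described above. It is a simplified sketch, not the reuse tool's implementation: `effective_licensing` is a hypothetical helper, path matching is assumed to have been done already, and the license expressions in the sample are constructed.

```python
def effective_licensing(in_file, annotations):
    """Resolve the license expressions that apply to one file.

    in_file: license expression from the file's own header, or None.
    annotations: (precedence, expression) pairs for the annotations whose
    path matches the file, ordered from the REUSE.toml at the base of the
    module down to the REUSE.toml closest to the file.
    Returns a list of expressions; an empty list means the file has no
    licensing information at all.
    """
    aggregated = []
    fallback = None
    for precedence, expression in annotations:
        if precedence == "override":
            # Only this annotation counts: the in-file header and any
            # REUSE.toml further down the module are ignored.
            return [expression]
        if precedence == "aggregate":
            # Collected in addition to whatever else applies.
            aggregated.append(expression)
        elif precedence == "closest":
            # Used only when the file has no header; an annotation nearer
            # to the file replaces one nearer to the base.
            fallback = expression
        else:
            raise ValueError(f"unknown precedence: {precedence}")
    primary = in_file if in_file is not None else fallback
    return ([primary] if primary is not None else []) + aggregated


if __name__ == "__main__":
    # Constructed sample: a header plus two matching annotations.
    qt = "LicenseRef-Qt-Commercial OR GPL-3.0-only"
    print(effective_licensing("BSD-3-Clause",
                              [("aggregate", qt), ("closest", "GPL-2.0-only")]))
```
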

licenseRule.json

There is only one licenseRule.json file per Qt module. This file lists the licensing rules that the module is expected to follow. It enforces the QUIP18 rules and offers the possibility to add exceptions. The file's format is presented in the patch introducing the file, for example for qtbase.

This file is read by the qtqa license test tst_licenses.pl to check the licensing and the source SBOM.

qt_attribution.json

qt_attribution.json files document information related to the third-party components of the module (see QUIP4).

The licensing information there is read by qtattributionsscanner to provide the third-party licensing information in the Qt documentation.

License files

License files corresponding to an SPDX license tag or to a license used in a REUSE.toml annotation must be found in the LICENSES directory at the base of the module. An unused license file present in the LICENSES directory breaks reuse compliance.

A license file corresponding to a license ID documented only in a qt_attribution.json file should be placed next to the qt_attribution.json file and be named LICENSE.Id.json

License files should be in the LICENSES directory or have a LICENSE. prefix; this way they are ignored by the reuse tool.

Where is license used?

reuse tool

The reuse tool reads in-file SPDX tags and copyright as well as REUSE.toml files for reuse compliance and source SBOM generation.

To be reuse compliant, a module must provide licensing information for all files present in the module, with a few exceptions: typically .gitignore, files within the LICENSES directory and files with a LICENSE. prefix.

The source SBOM is an SPDX document providing copyright and licensing information for all files in the module, with the same exceptions as for reuse compliance.

qtqa license test: tst_licenses.pl

license check mode

In license check mode, tst_licenses.pl reads the copyright and SPDX tag in the header of files and checks what has been found against our rules in licenseRule.json. In this test the checking was not made compulsory for every file, so a lot of them are skipped.

To run a license check on a module, from qtqa run:

QT_MODULE_TO_TEST=../<module_name> perl tests/prebuild/license/tst_licenses.pl

source sbom check mode

In source SBOM check mode, tst_licenses.pl reads the source SBOM generated by reuse. It checks the license IDs against the rules set in licenseRule.json.

To create a source SBOM run:

reuse spdx -o <module_source_SBOM>

from the base of the module.

To check the generated source SBOM, run:

QT_MODULE_TO_TEST=<path_to_module> perl <path_to_qtqa>/tests/prebuild/license/tst_licenses.pl -sbom <module_source_SBOM> -sbomonly

At the moment the check skips files under the 3rdparty directories.

qtattributionsscanner

This reads the qt_attribution.json files to provide the licensing for the Qt documentation pages.

qtattributionsscanner looks for the license files documented in the qt_attribution.json file. It searches for the <LicenseID>.txt files within the LICENSES directory or for LICENSE.<LicenseID>.txt next to the qt_attribution.json file. The use of LicenseFile within the qt_attribution.json file is discouraged and will soon be deprecated.

Useful links

QUIP18: The licensing specification in Qt's modules.

QUIP04: Third party components.

SBOM: Qt Software Bill of Materials (build SBOM).

SPDX Id: the official SPDX license Id.

source SBOM: the other type of Qt Software Bill of Materials.

reuse tool: all you need to know.

REUSE.toml: the other way to document licensing.