Licensing in Qt's modules: Difference between revisions

From Qt Wiki
Jump to navigation Jump to search
Line 80: Line 80:


====qt_attribution.json====
====qt_attribution.json====
[https://contribute.qt-project.org/quips/7 ''qt_attribution.json''] files document information related to the 3rd party components of the module (see [https://contribute.qt-project.org/quips/4 QUIP4]).
[https://contribute.qt-project.org/quips/7 ''qt_attribution.json''] files document information related to the third party components of the module (see [https://contribute.qt-project.org/quips/4 QUIP4]).


The licensing information there is read by qattributionscanner to provide the 3rd party licensing information in the Qt documentation.
The licensing information there is read by qattributionscanner to provide the third party licensing information in the Qt documentation.


==License files==
==License files==

Revision as of 11:30, 4 February 2025

This page provides an overview of how we document copyright and license within the Qt modules and how this information is used.

Where is licensing documented?

In-file using, SPDX tags

When possible the copyright and license are documented using a license header.

There must be at least one line for copyright and one line for the license. It is possible to have multiple copyright lines but there can only be one line for the license.

The license must be documented using a SPDX tag and License Id. A license that is not part of the SPDX license list can be documented using LicenseRef- followed by the Id of your choice.

The license Ids must be linked together with a separator: WITH, AND, OR.

License header example: 

# Copyright (C) 2022 The Qt Company Ltd.
# SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0

In three types of external files

REUSE.toml

The REUSE.toml files are used to document the copyright and licensing that cannot be documented in-file or because the in-file license corresponds to an other file for generation or documentation purpose.

The REUSE.toml files, together with the in-file licensing information are read by the reuse tool to check for reuse compliance and generate the source SBOM.

Please refer to REUSE.toml full documentation. Below an example of how a REUSE.toml looks like. 

version = 1

[[annotations]]
path = ["<path1>",
        "<folder1/**>",
        "<folder2/*>"]
precedence = "override"
comment = "test"
SPDX-FileCopyrightText = "Copyright (C) 2024 The Qt Company Ltd."
SPDX-License-Identifier = "LicenseRef-Qt-Commercial OR GPL-3.0-only"

[[annotations]]
path = "<path2>"
precedence = "closest"
comment = "test"
SPDX-FileCopyrightText = ["Copyright (C) 2024 The Qt Company Ltd.",
                          "Copyright (C) 2023 someone else"]
SPDX-License-Identifier = "LicenseRef-Qt-Commercial OR GPL-3.0-only"

[[annotations]]
path = "<path3>"
precedence = "aggregate"
comment = "test"
SPDX-FileCopyrightText = "Copyright (C) 2024 The Qt Company Ltd."
SPDX-License-Identifier = "LicenseRef-Qt-Commercial OR GPL-3.0-only"

A REUSE.toml file always starts with version. Each annotation represents a license and copyright assignment.

About the path:

  • it determines where the annotation applies
  • it can be a list
  • exception is not part of its syntax
  • * means everything in the folder
  • ** means everything in and down this folder

For a given file, licensing can be present in-file and in multiple REUSE.toml files. A precedence rule is set using precedence field, it can be:

  • closest - the in-file licensing will be used if available, if not the corresponding annotation within the REUSE.toml file closest to the file is used.
  • aggregate - all available licensing corresponding to a given file (in-file, REUSE.toml files) is collected.
  • override - only the licensing in the REUSE.toml file closer to the base of the module is used. In case of a precedence set to override the licensing in-file or in a REUSE.toml file down the module is ignored.

SPDX-FileCopyrightText and SPDX-License-Identifier are self explanatory. They can contain a list.

Any other entry can be added for documentation purpose, like comment for example.

licenseRule.json

There is only one licenseRule.json file per Qt's module. This file lists the licensing rule for this module. It enforces the QUIP18 rule set and offers the possibility to add exceptions. The file's format is presented in the patch introducing it, for example for qtbase.

This file is read by qtqa license test tst_license.pl to check the in-file licensing and the source SBOM.

qt_attribution.json

qt_attribution.json files document information related to the third party components of the module (see QUIP4).

The licensing information there is read by qattributionscanner to provide the third party licensing information in the Qt documentation.

License files

License files corresponding to SDPX license tag or within a used REUSE.toml annotation must be found in the LICENSES directory at the base of the module. The license file name must be <Id>.txt.

An unused license file present in LICENSES directory breaks reuse compliance.

License file corresponding to a license Id documented only in a qt_attribution.json file should be placed next to the qt_attribution.json file and be named LICENSE.Id.json

License files must be in LICENSES directory or have a LICENSE. prefix to ignored by the reuse tool.

Where is license used?

reuse tool

The reuse tool reads in-file SPDX tags and copyright as well as REUSE.toml files for reuse compliance and source SBOM generation.

To be reuse compliant a module must provide licensing information for all files present in this module with few exceptions, typically .gitignore, files within LICENSES directory and LICENCE. prefixed files.

The source SBOM is a SPDX document providing copyright and licensing information for all files in the module, with the same exceptions as for reuse compliance.

qtqa license test: tst_licenses.pl

License check mode

In license check mode, tst_licenses.pl reads copyright and SPDX tag in the file's license header and checks what has been found against our rule set in licenseRule.json. In this test the checking was not made compulsory for every file.

To run a license check on a module, run: 

QT_MODULE_TO_TEST=<path_to_module> perl <path_to_qtqa>/tests/prebuild/license/tst_licenses.pl

Source SBOM check mode

In source SBOM check mode, tst_licenses.pl reads the source SBOM generated by the reuse tool. It checks the license ID against our rule set in licenseRule.json.

To create a source SBOM run: 

reuse spdx -o <module_source_SBOM>

from the base of the module.

To check the generated source SBOM, run: 

QT_MODULE_TO_TEST=<path_to_module> perl <path_to_qtqa>/tests/prebuild/license/tst_licenses.pl -sbom <module_source_SBOM> -sbomonly

At the moment the check is skipping files down the 3rdparty directories.

qattributionscanner

This reads the qt_attribution.json files to provide the licensing for Qt documentation pages.

qattributionscanner is looking for the license files documented in the qt_attribution.json. It searches for the <LicenseID>.txt files withing the LICENSES directory or for LICENSE.<LicenseID>.txt next to the qt_attribution.json file. The use of LicenseFile within qt_attribtion.json is discouraged and will soon be deprecated.

Useful links

QUIP18: The licensing specification in Qt's modules.

QUIP04: Third party components.

SBOM: Qt Software Bill of Materials (build SBOM).

SPDX Id: the official SPDX license Id.

source SBOM: the other type of Qt Software Bill of Materials.

reuse tool: all you need to know about the reuse tool.

REUSE.toml: the other way to document licensing.

Retrieved from "https://wiki.qt.io/index.php?title=Licensing_in_Qt%27s_modules&oldid=43801"