Partial SPDX detection lead to failing lint in 2.0

[mrdrogdrog]

Hello,

we tried to update reuse to 2.0 but it fails when linting our files and we assume that the snippet detection is the culprit.

Following situation:
Our repository contains a file for JetBrains IDEs so it can automatically renew/add a copyright to source files.

<component name="CopyrightManager">
  <copyright>
    <option name="notice" value="SPDX-FileCopyrightText: $today.year The HedgeDoc developers (see AUTHORS file)&#10;&#10;&#83;PDX-License-Identifier: AGPL-3.0-only" />
    <option name="myName" value="hedgedoc" />
  </copyright>
</component>

To make the linter happy we have a rule in our dep5 file that applies to this file:

Files: .idea/**
Copyright: 2021 The HedgeDoc developers (see AUTHORS file)
License: CC0-1.0

Now here comes the problem:

Reuse 2 scans this file, finds the SPDX snippet and assues another license.

reuse.project - WARNING - Copyright and licensing information for '.idea/copyright/hedgedoc.xml' have been found in '.idea/copyright/hedgedoc.xml' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

Which results in a failure:

The following files have no licensing information:
* .idea/copyright/hedgedoc.xml

Is there any way to deactivate the snippet detection? Or to exclude files?

[mrdrogdrog]

This is not the only file that is failing:

reuse.project - WARNING - Copyright and licensing information for 'docs/content/legal/developer-certificate-of-origin.txt' have been found in 'docs/content/legal/developer-certificate-of-origin.txt' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

[...]

The following licenses are not used:
* LicenseRef-DCO


# MISSING COPYRIGHT AND LICENSING INFORMATION

The following files have no licensing information:
* .idea/copyright/hedgedoc.xml
* docs/content/legal/developer-certificate-of-origin.txt

file content:

Developer Certificate of Origin
Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
660 York Street, Suite 102,
San Francisco, CA 94110 USA

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

dep5:

Files: docs/content/legal/developer-certificate-of-origin.txt
Copyright: 2004, 2006 The Linux Foundation and its contributors.
License: LicenseRef-DCO

[mrdrogdrog]

Using a .license file also doesn't help

reuse.project - WARNING - Copyright and licensing information for '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs' have been found in '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs.license' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

[linozen]

Hey @mrdrogdrog,

We anticipated that the (now defined and enforced) order of precedence will cause some problems but internally came to the conclusion that it's still needed (hence the new major version).

Using a .license file also doesn't help

The warning should persist in this case but REUSE compliance should again be achieved. Is that not the case? What is the exit of this command when you use the .license file?

reuse.project - WARNING - Copyright and licensing information for '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs' have been found in '.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs.license' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.

The warning is there just to make sure that the user is aware that there are multiple sources of information but only one is used.

[mrdrogdrog]

Creating .license files worked.

So it seems like the hierarchy is

• .license files
• header
• snippet detection
• dep5 file

It would be nice if you would add a mention to the README about this. :)

[mxmehl]

May I ask what you mean by "snippet detection"? A snippet should be treated the same way as a comment on the file header AFAIK.

[mrdrogdrog]

Oh sure. I'm not sure if it's the right term. I mean the partial detection of license information.
I stumbled over this term when reading the changelog of the reuse 2 release and it got stuck in my head.
Please correct me if i'm using it wrong.

[carmenbianca]

This change is documented in two places, but may need to be documented in more.

Currently:

• https://reuse.software/spec
• The change log (edit: Actually, we could be more explicit and verbose here as well.)

Future:

• Somewhere else in this repository, probably. README? The Sphinx docs?

[sebix]

I honor the effort which went into the new features, but I also thinkt that the new behaviour is not intuitive.
As of now, files which are excluded via dep5 (e.g. debian/*), are checked by snippet detection and give an error (e.g. debian/changelog).

I suggest that files which are explicitly excluded in dep5 are treated as excluded and should not raise errors.
Here you can find such a run: https://github.com/certtools/intelmq/actions/runs/5333484167/jobs/9664008913

reuse.project - WARNING - Copyright and licensing information for 'docs/_static/n6/data-flow.png' have been found in 'docs/_static/n6/data-flow.png.license' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
reuse.project - WARNING - Copyright and licensing information for 'contrib/logcheck/README.md' have been found in 'contrib/logcheck/README.md' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
reuse.project - WARNING - Copyright and licensing information for 'debian/copyright' have been found in 'debian/copyright' and the DEP5 file located at '.reuse/dep5'. The information in the DEP5 file has been overridden. Please ensure that this is correct.
# MISSING COPYRIGHT AND LICENSING INFORMATION

The following files have no licensing information:
* debian/copyright

[carmenbianca]

I will close this issue and refer to #779. The above use-case mentioned by @sebix is covered in the linked issue, and we will have a solution for that while also defining a clear order of precedence.

Thanks for the swift responses, and apologies for the few hours of broken workflow.

[mrdrogdrog]

Thanks for taking care so quickly ❤️