An Introduction to REUSE for Free Software License Compliance

Content for this article was provided by the Free Software Foundation Europe and is reprinted here with permission.

Copyright and licensing can be difficult, especially when reusing software from different projects that are released under a variety of licenses. REUSE was started by the Free Software Foundation Europe (FSFE) to provide a set of recommendations to make licensing your Free Software projects easier. Not only do these recommendations make it easier for you to declare the licenses under which your works are released, but they also make it easier for a computer to understand how your project is licensed.

The license of your project sets the terms under which others can reuse your software. That is why you should make sure that it is clear for everyone which parts of your software are under which license. The REUSE software tool safeguards your intentions and assists you in this process.

The REUSE specification defines a standardized method for declaring copyright and licensing for software projects. The goal of the specification is to have unambiguous, human- and machine-readable copyright and licensing information for each individual file in a project. Ideally, this information is embedded into every file, so that the information is preserved when the file is copied and reused by third parties.

Licensing Made Easy

Licensing should be easy for developers. REUSE provides several tools and services to help developers ensure proper and exhaustive licensing of their project, including: 

  • The REUSE helper tool, which assists with achieving and confirming REUSE compliance. It downloads the full license texts, adds copyright and license information to file headers, and contains a linter to identify problems. It can also generate a software bill of materials.
  • The REUSE API, which helps you to continuously check and display compliance with the REUSE guidelines. You can include a badge indicating the live status in your README file, and parse the output using the generated JSON file.
  • CI/CD integration. REUSE can be easily integrated into your existing CI/CD processes to continuously test your repository and its changes for REUSE compliance. For example, the FSFE offers a Docker image, which can be used in numerous CI solutions.

A REUSE-compliant project also makes the jobs of legal experts and compliance officers much easier, and creating a software bill of materials (SBOM) can be achieved with just one simple command. 

Organizations and projects that have already adopted REUSE include KDE, along with the majority of projects that are part of the EU-funded Next Generation Internet. Additionally, more than 850 projects have registered with the REUSE API.

Using REUSE

Free Software lets you build on top of the work of others and therefore innovate quickly. But the more external components you use, the harder it is to maintain an overview of copyright holders and their licensing choices. With REUSE, each file holds the necessary information, and your repo transparently contains all used licenses.

Making your project REUSE-compliant can be done in three simple steps:

  • Choose and provide licenses.
  • Add copyright and license information to each file.
  • Confirm REUSE compliance.

This tutorial explains the basic method for making a software project REUSE-compliant. By the end of this tutorial, all your files will have their copyright and licensing clearly marked, and you will be able to verify this using the REUSE helper tool.

Refer to the full documentation for further information.

Other Tools

There are many tools to aid you in license compliance for software, many using databases and fuzzy heuristics. REUSE does not intend to replace, but rather to complement, other compliance tools. Check out the following list for information on a few of these valuable tools.

  • SPDX is the rock upon which REUSE is built. SPDX defines a standardized way to share copyright and licensing information between projects and people. SPDX also maintains the SPDX License List, which defines standardized identifiers for a large number of licenses.
  • ClearlyDefined collects and displays metadata and security information about a large number of projects distributed on different package registries. It also motivates developers and curators to extend data about a project's licensing and copyright situation.
  • OpenChain focuses on making Free Software license compliance more transparent, predictable, and understandable for participants in the software supply chain. OpenChain recommends REUSE as one component to increase clarity of the licensing and copyright situation but has higher requirements to achieve full conformance.
  • FOSSology is a toolkit for Free Software compliance that stores information in a database and includes license, copyright, and export scanners. It is more complex than REUSE and its helper tool, and is optimized more for compliance officers and lawyers.

You can learn more about REUSE and other open source initiatives at the FSFE website.
