Simplify how licenses are applied to your project with SPDX and REUSE
Posted on 2025-06-22 in Programmation
SPDX (Software Package Data Exchange) is a project managed by the Linux Foundation, created to standardize how licenses are identified in a human- and machine-readable way. In a nutshell, instead of adding a big header to your files to identify the applicable license, you apply a copyright text and a license identifier. For a Python file under the GPL, instead of this:

```
{{ project }}
Copyright (C) {{ year }} {{ organization }}

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
```

It would give this:

```python
# SPDX-FileCopyrightText: {{ year }} {{ organization }}
#
# SPDX-License-Identifier: GPL-3.0-or-later
```

It’s shorter and more readable (at least in my opinion). And a script can easily read this header and compile a list of all the licenses used and the files each one applies to.
You can go to the list of licenses to find the identifier and text of the licenses you want to use. Apparently, these identifiers have been around for several years (since at least 2021) and are already used by big projects like KDE, Qt or Fedora. I personally only learned about them earlier this year and dug into the subject this month.
So far, I thought it was interesting, but wouldn’t impact my projects too much: I’d only have to switch one header for another. That’s until I learned about the REUSE tool by the FSFE in Fedora Magazine. The goal of this tool is to help you choose licenses, download their full text and add the proper header to your files. For files that cannot have a license header, it can create a <FILE_NAME>.license file or define the license in a REUSE.toml file. Once this is done, it can enforce that all your files have a license.
It’s easy to set up (including in pre-commit hooks) and comes with a nice tutorial and FAQ to help you get started. The catch is that enforcing it can be a bit time-consuming at first, since you have to find the proper license to apply to each file. Luckily, it can add headers to multiple files at the same time. This tool is used by KDE, Linux, Nextcloud and Curl!
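The kind of script mentioned above, as an added example that is not part of the original post and is not how the REUSE tool is implemented: it reads `SPDX-License-Identifier` tags from file headers and `<FILE_NAME>.license` sidecars, maps each license to its files, and lists files with no tag. The function names, the 4 KiB header window, the header-before-sidecar order and the sample tree are assumptions of this example.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Value runs to end of line; a trailing comment closer (*/ or -->) is dropped.
TAG_RE = re.compile(
    r"SPDX-License-Identifier:[ \t]*(.+?)[ \t]*(?:\*/|-->)?[ \t]*\r?$", re.MULTILINE)

def license_tags(path):
    """License expressions for one file: its own header first, then the
    <FILE_NAME>.license sidecar (this order is the example's assumption)."""
    sidecar = path.with_name(path.name + ".license")
    for candidate in (path, sidecar):
        if candidate.is_file():
            # Assumption: the header sits in the first 4 KiB of the file.
            head = candidate.read_bytes()[:4096].decode("utf-8", "replace")
            tags = TAG_RE.findall(head)
            if tags:
                return tags
    return []

def inventory(root):
    """Return ({license expression: [files]}, [files without any tag])."""
    by_license, missing = defaultdict(list), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        if path.suffix == ".license" or rel.parts[0] in (".git", "LICENSES"):
            continue  # sidecars, VCS data and the downloaded license texts
        tags = license_tags(path)
        for tag in tags:
            by_license[tag].append(rel.as_posix())
        if not tags:
            missing.append(rel.as_posix())
    return dict(by_license), missing

def demo():
    """Build a small constructed tree and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.py").write_text("# SPDX-FileCopyrightText: 2025 Example Org\n"
                                     "#\n# SPDX-License-Identifier: GPL-3.0-or-later\n")
        (root / "logo.png").write_bytes(b"\x89PNG\r\n")  # cannot carry a header
        (root / "logo.png.license").write_text("SPDX-License-Identifier: CC-BY-4.0\n")
        (root / "vendored.css").write_text("/* SPDX-License-Identifier: MIT */\nbody {}\n")
        (root / "notes.txt").write_text("no header here\n")
        return inventory(root)

if __name__ == "__main__":
    print(demo())
```

Files reported as missing are the ones to review by hand: they are where copied-in code with an unknown license tends to hide.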
In my case, I used it in one of my GNU AGPL-licensed projects. It contained many files of different types, some with a proper AGPL header, some without. Others were copied and pasted from the internet, and thus the AGPL with my name in the copyright didn’t apply. So I had to review what to do for each file and apply the header with the proper copyright text to files in bulk. At least, now it’s done, and files I don’t have the copyright on but can use in my project (because they are published under a free software license like MIT) are clearly identified.
I wondered whether I should use only the SPDX-FileCopyrightText and SPDX-License-Identifier in the header or keep the full GNU AGPL copyright statement. According to the GNU AGPL full text, this header is only a strong suggestion to help readers identify the license of the file. So nothing is mandatory on that side, and I think the SPDX-License-Identifier fills that role too, even if it’s less clear since it doesn’t give any explanation nor explicitly state the absence of warranty. After looking a bit in the Qt, KDE and REUSE repositories, which all use some variants of the GNU GPL licenses, I saw only the SPDX identifier and not the classical headers, so I guess it’s fine. It’s also much better than most programs under non-GPL licenses, which tend to have no header at all! I also searched the internet for this but couldn’t find anything useful. If you have more information on this, please let me know in the comments below.
Some interesting articles I found on this subject:
- SPDX Tutorial
- Making sense of software licensing with FSFE REUSE: A beginner’s guide for open source developers
- Understanding and Using SPDX License Identifiers and License Expressions
- SPDX License Expressions: in my opinion, it has the best explanation of the AND operator.