Description
- I'd be willing to implement this feature (contributing guide) (if you tell me where the code lives, assuming something isn't stripping comments)
- This feature is important to have in this repository; a contrib plugin wouldn't do
I'm not certain this is the only right repository...
Describe the user story
As a developer, I need to comply with the software licensing terms. This means that I need to know the license of every piece of software in my repository. Currently, yarn is requesting that I commit unlicensed, uncopyrighted files to my repo that were not created by me.
Additionally, in an age of AI, I need to ensure that every file in my repo is licensed, because the AI will not distinguish them as anything other than individual files. I can also say concretely that I've seen developers download others' files and remove copyright statements, so a file with no copyright statement is even more likely to be affected. Especially since they might assume that every file in my repo is covered by my stated GPL license, even though I suspect it's distributed under the BSD license.
To ensure every file of mine has a copyright, I use lint-staged to apply reuse on every commit. Unfortunately, due to limitations in both reuse and lint-staged, this file is adding inappropriate copyright statements to a "js" project.
Lastly, reuse requires that every file has a copyright/license (no matter how ludicrous), so even if lint-staged weren't applying it to files, it shouldn't; I would still have to declare one, or reuse lint will fail compliance.
# SPDX-FileCopyrightText: Copyright © 2024-2026 Caleb Cushing
#
# SPDX-License-Identifier: CC0-1.0
# Software
"*.ts":
- "reuse annotate --license 'GPL-3.0-or-later' --copyright 'Caleb Cushing' --copyright-prefix spdx-string-symbol --merge-copyrights"
- &prettier "prettier --cache --ignore-unknown --write"
"package.json":
- "reuse annotate --license 'MIT' --copyright 'Caleb Cushing' --copyright-prefix spdx-string-symbol --merge-copyrights --force-dot-license"
- *prettier
"Makefile":
- "reuse annotate --license 'MIT' --copyright 'Caleb Cushing' --copyright-prefix spdx-string-symbol --merge-copyrights"
"{.config/git/hooks/*,*.sh}":
- "reuse annotate --license 'MIT' --copyright 'Caleb Cushing' --copyright-prefix spdx-string-symbol --merge-copyrights --style python"
- *prettier
# Documentation
"(*.md|*.adoc)":
- "reuse annotate --license 'CC-BY-NC-4.0' --copyright 'Caleb Cushing' --copyright-prefix spdx-string-symbol --merge-copyrights"
- *prettier
# Trivial files
"(*.xml|*.yml|*.yaml|*ignore|*.properties|*.toml|*.json5|*.js|.editorconfig|.gitattributes|.mailmap)":
- "reuse annotate --license 'CC0-1.0' --copyright 'Caleb Cushing' --copyright-prefix spdx-string-symbol --merge-copyrights"
- *prettier
"!(package).json":
- "reuse annotate --license 'CC0-1.0' --copyright 'Caleb Cushing' --copyright-prefix spdx-string-symbol --merge-copyrights --force-dot-license"
- *prettier
Describe the solution you'd like
I would like every file that is requested to be committed to my repo to have appropriate SPDX license headers. Please consider also that "the authors" is ambiguous in my repo, as it implies my committers are the authors, rather than pointing back at yarn.
This is what reuse added to the tsc.js that was generated by yarn dlx @yarnpkg/sdks base. So, in reality I just need it to inject the correct copyright/license statements in spdx format (this) such that reuse lint will successfully enforce compliance even after I fix my lint-staged/reuse application problem.
#!/usr/bin/env node
// SPDX-FileCopyrightText: Copyright © 2026 Caleb Cushing
//
// SPDX-License-Identifier: CC0-1.0
Describe the drawbacks of your solution
Probably that you don't have your own copyright license flow set up, and so maintaining the year is hard. Also, only having "the authors" is kind of insufficient due to copying into my repo. For that I would suggest reading this SPDX documentation and if the SPDX-FileCopyrightText isn't where you want to add the project then reading this section and adding the package location would be the right move (I think).
#!/usr/bin/env node
// SPDX-FileCopyrightText: Copyright © 2026 Caleb Cushing
//
// SPDX-License-Identifier: CC0-1.0
//
// SPDX-PackageDownloadLocation: https://github.com/yarnpkg/berry
Describe alternatives you've considered
This can't be a plugin because each file could have different copyright holders and licenses, and in fact, a plugin that adds files would need to maintain its own license. The only alternative I have is to add to REUSE.toml and you can see why this is a problem; I don't actually know if this is true for all files in that path, and I imagine it absolutely is not with a zero install, which has its own complexity that I don't really expect you can resolve. I would expect the best answer there is to pattern match the binaries and put something suggesting the copyright is contained within, although that doesn't work for the license... (honestly this is a REUSE/SPDX issue in that case).
[[annotations]]
path = ".yarn/**"
SPDX-FileCopyrightText = "Copyright (c) 2016-present, Yarn Contributors. All rights reserved."
SPDX-License-Identifier = "BSD-2-Clause"
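An added example, not part of the original issue and not code from reuse or Yarn: a simplified per-file audit that shows which files under a vendored tree carry their own `SPDX-FileCopyrightText` and `SPDX-License-Identifier` tags (in a header or a `.license` sidecar) and which would be covered only by a blanket `REUSE.toml` glob like the one above. The function names and the sample tree are assumptions made up for illustration, and `REUSE.toml` itself is deliberately not consulted.

```python
import re
import tempfile
from pathlib import Path

# The two tags used in the headers quoted in the issue.
TAGS = ("SPDX-FileCopyrightText", "SPDX-License-Identifier")
TAG_RE = re.compile(r"(%s):\s*(\S.*)" % "|".join(TAGS))

def spdx_tags(path: Path, limit: int = 4096) -> dict:
    """Return the SPDX tags found in the first `limit` bytes of a file."""
    head = path.read_bytes()[:limit].decode("utf-8", errors="replace")
    found = {}
    for name, value in TAG_RE.findall(head):
        found.setdefault(name, value.strip())
    return found

def audit(root: Path) -> dict:
    """Map each file without its own declaration to the tags it lacks."""
    missing = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.name.endswith(".license"):
            continue  # sidecars declare for their sibling, not themselves
        tags = spdx_tags(path)
        sidecar = path.with_name(path.name + ".license")
        if sidecar.is_file():
            tags = {**spdx_tags(sidecar), **tags}  # in-file header wins
        gaps = [t for t in TAGS if t not in tags]
        if gaps:
            missing[path.relative_to(root).as_posix()] = gaps
    return missing

def build_sample(root: Path) -> None:
    """Constructed sample tree; names and contents are made up."""
    sdk = root / "sdks" / "typescript" / "bin"
    sdk.mkdir(parents=True)
    (sdk / "tsc.js").write_text("#!/usr/bin/env node\nconsole.log('stub');\n")
    (sdk / "tsserver.js").write_text(
        "#!/usr/bin/env node\n// SPDX-License-Identifier: BSD-2-Clause\n")
    (root / "cache.zip").write_bytes(b"PK\x03\x04 constructed bytes")
    (root / "cache.zip.license").write_text(
        "SPDX-FileCopyrightText: Example Holder\nSPDX-License-Identifier: MIT\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for name, gaps in audit(Path(tmp)).items():
            print(f"{name}: missing {', '.join(gaps)}")
```

Every path the audit reports is one where the only licensing statement in the repository would be the glob annotation, so those are the files whose actual origin and license need to be confirmed before the blanket entry is trusted.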