full REUSE compliance

Thanks to this tool I created especially for this purpose, I have been able to identify the exact provenance of all third party files included in Oniro (upstream repo, commit, path, branch(es)).

(Upon @mrybczyn 's suggestion, I also implemented the identification of possible upstream updates on such third party files, which can be useful to reflect such updates - especially security updates - in Oniro).

Results may be found in this csv report.

Based on such report, I created a .reuse/dep5 file to reach 100% REUSE compliance and to be able, as a consequence, to automatically generate SPDX SBoM for Oniro with REUSE tool (reuse spdx --output FILE).

Discussion points:

• @agherzan @mrybczyn There are some first party files by Oniro WG members (Huawei and Kalpa, see at the end of the dep5 file) for which it would make more sense to add an SPDX header directly into the files themselves. Would that be possible for all files, or do patch files need to be left untouched for... reasons?
• @agherzan @mrybczyn for 3rd party files that have been cherrypicked from upstream, I would use dep5 instead of separate .license files because it allows to add comments to license and copyright information, which in our case is useful (see the discussion with Carlo, now resolved)
• @cpiana there are three corner cases of upstream commits that have been backported as patches; please check if what I put in the dep5 file, lines 138-164, makes sense

changed milestone to %goofy general availability

changed the description

requested review from @agherzan, @mrybczyn, and @cpiana

I've considered the question, I hope I have understood the issue correctly

approved this merge request

resolved all threads

added 1 commit

• 92c074dd - Apply Carlo's suggestion on comments about backported patches' copyright

Compare with previous version

changed the description

changed the description

I see how dep5 makes more sense for 3rd party. Besides allowing extra info, it also doesn't touch the upstream files (which is easier to handle when upgrading/dropping). For 1st party, file headers are what I prefer too. The exception is for patch files to avoid breaking the patch format or having to use workarounds in the patch's message.

added 1 commit

• 029e33c6 - move all 1st party license information from dep5 to .license files

Compare with previous version

added 1 commit

• 082ed3cb - update REUSE section of CONTRIBUTING.md

Compare with previous version

marked the checklist item @agherzan @mrybczyn for 3rd party files that have been cherrypicked from upstream, I would use dep5 instead of separate .license files because it allows to add comments to license and copyright information, which in our case is useful (see the discussion with Carlo, now resolved) as completed

marked the checklist item @agherzan @mrybczyn There are some first party files by Oniro WG members (Huawei and Kalpa, see at the end of the dep5 file) for which it would make more sense to add an SPDX header directly into the files themselves. Would that be possible for all files, or do patch files need to be left untouched for... reasons? as completed

@agherzan @cpiana

1. I moved all license information about first party files from dep5 to separate .license files (see 029e33c6
2. I updated CONTRIBUTING.md in order to reflect the updated policy about REUSE compliance (see 082ed3cb)

Please double-check 1 and review 2, thanks :)