Diffstat (limited to 'quip-0007.rst')
-rw-r--r-- quip-0007.rst 63
1 files changed, 56 insertions, 7 deletions
diff --git a/quip-0007.rst b/quip-0007.rst
index 36104d1..b583e60 100644
--- a/quip-0007.rst
+++ b/quip-0007.rst
@@ -4,12 +4,16 @@ Author: Kai Köhne
Status: Active
Type: Implementation
Created: 2017-02-15
-Post-History: https://lists.qt-project.org/pipermail/development/2017-March/029198.html
+Post-History:
+ https://lists.qt-project.org/pipermail/development/2017-March/029198.html
+ https://lists.qt-project.org/pipermail/development/2023-February/043639.html
+ https://lists.qt-project.org/pipermail/development/2023-February/043667.html
+ https://lists.qt-project.org/pipermail/development/2023-September/044431.html
Overview
========
-From Qt 5.8, Qt modules document their 3rd party code in qt_attribution.json
+Qt modules document their 3rd party code in qt_attribution.json
files. The format is JSON-based and can be processed with the
qtattributionscanner tool.
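Review bot: The new Overview line "Qt modules document their 3rd party code in qt_attribution.json" drops the "From Qt 5.8" qualifier without the version information reappearing anywhere in this hunk. The Copyright entry later in the same patch adds a "(since Qt 6.5)" marker, so the document now mixes versioned and unversioned statements. Suggest either keeping a short note on when the format was introduced or stating that each field lists its own minimum Qt version.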
@@ -41,9 +45,15 @@ QtUsage
(e.g. by using configure options), and what functionality is missing in
this case.
Mandatory.
+SecurityCritical
+ Boolean attribute indicating whether the 3rd party code is security critical
+ - that is, if it is part of code paths that process untrusted code, or is
+ otherwise critical for security purposes. Optional, default is "false".
Path
- (Relative) path to the sources. Default is same directory as the file.
- Optional.
+ (Relative) path to the source directory. Default is same directory as the
+ file. Optional.
+Files
+ Array of paths to the source files, relative to Path. Optional.
Description
A short description of what the component is and is used for. Optional.
Homepage
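Review bot: The SecurityCritical entry calls the attribute Boolean but gives its default as the quoted string "false", which leaves open whether a file should contain the JSON literal false or the string "false". Tooling that filters on this flag needs one unambiguous type, so state it explicitly, for example "JSON boolean, default false". In the same entry, "process untrusted code" may be intended as untrusted data or input; please confirm the wording. The Files entry should also say what is covered when it is omitted (presumably everything under Path).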
@@ -53,7 +63,13 @@ Version
or commit hash from a version control system.
Optional.
DownloadLocation
- Link to exact upstream version. Optional.
+ Link to exact upstream version. Optional, unless SecurityCritical is
+ set to "true".
+Comment
+ An arbitrary JSON object, for use by those maintaining third-party
+ components, to leave notes to those doing future updates. JSON
+ explicitly allows a name to be used repeatedly so separate comments
+ can be placed alongside any fields to which they may be relevant.
License
The license under which the component is distributed, preferably with the
names from SPDX [1]_ 'Full Name'. Mandatory.
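Review bot: The Comment entry's statement that "JSON explicitly allows a name to be used repeatedly" is stronger than the JSON specification supports: RFC 8259 says names within an object SHOULD be unique and that behaviour with duplicates is unpredictable across parsers. Many parsers keep only the last value, so repeated Comment keys can be silently dropped or reordered when the file is read and rewritten by tools. Suggest recommending a single Comment object with named sub-keys, or documenting how qtattributionscanner treats duplicates. The DownloadLocation line also writes "true" in quotes, the same boolean-versus-string ambiguity as in the SecurityCritical entry.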
@@ -61,9 +77,14 @@ LicenseId
SPDX License Identifier [1]_, or an SPDX Expression [2]_. Optional.
LicenseFile
Relative path to file containing the license text. Optional for code in the
- Public Domain, otherwise needed.
+ Public Domain. Required for code outside of the public domain if neither
+ LicenseFiles nor LicenseId are set.
+LicenseFiles
+ Array of relative file paths containing the license texts. Optional for code
+ in the Public Domain. Required for code outside of the public domain if
+ neither LicenseFile nor LicenseId are set.
Copyright
- Aggregated list of copyright lines. Mandatory.
+ Copyright lines. String or (since Qt 6.5) string array are accepted. Mandatory.
The list can be edited for brevity by, for example, combining different
copyright years for the same author. Terms like "All rights reserved" can be
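Review bot: The LicenseFile and LicenseFiles entries each say when they are required but not what happens when both are present in the same record. Please define that case (error, merge, or one taking precedence) so that different consumers of the file do not resolve it differently. Minor wording: "neither ... nor ... are set" reads better as "is set", and the Copyright line says "String or ... string array are accepted" while the following context line still refers to "The list", which only fits the array form.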
@@ -79,6 +100,33 @@ Copyright
is also acceptable.
+Specification of License Files
+------------------------------
+
+There are two ways of specifying license files for 3rd-party code.
+
+Using SPDX License Identifiers
+``````````````````````````````
+
+For licenses that can be expressed with a valid SPDX license expression [1]_,
+the corresponding license texts can be placed in
+``LICENSES/<SPDX_IDENTIFIER>.txt`` files. The *LicenseId* property is required
+in this case.
+
+*LicenseFiles* and *LicenseFile* are not required.
+
+A ``LICENSES/<SPDX_IDENTIFIER>.txt`` file can be created using the reuse
+tool [6]_ by running::
+
+ pip install reuse
+ reuse download <SPDX_IDENTIFIER>
+
+Directly specifying the license file path
+`````````````````````````````````````````
+
+With *LicenseFiles* or *LicenseFile* one can specify a list or just one license
+file. The *LicenseId* property is optional in this case.
+
Related Work
============
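Review bot: In "Using SPDX License Identifiers", the path ``LICENSES/<SPDX_IDENTIFIER>.txt`` is given without saying what it is relative to (repository root, the Path directory, or the directory of qt_attribution.json), so a scanner cannot locate the file deterministically. The same paragraph speaks of an SPDX license expression while the file name uses a single identifier; please state that an expression such as one joining several identifiers needs one file per identifier. The ``pip install reuse`` line installs whatever version is current; consider naming a minimum version of the reuse tool the instructions were checked against.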
@@ -121,3 +169,4 @@ References
.. [3] https://spdx.org/specifications
.. [4] https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
.. [5] https://src.chromium.org/viewvc/chrome/trunk/src/third_party/README.chromium.template
+.. [6] https://github.com/fsfe/reuse-tool