reuse is a tool for compliance with the REUSE recommendations.
Copyright and licensing is difficult, especially when reusing software from different projects that are released under various different licenses. REUSE was started by the Free Software Foundation Europe (FSFE) to provide a set of recommendations to make licensing your Free Software projects easier. Not only do these recommendations make it easier for you to declare the licenses under which your works are released, but they also make it easier for a computer to understand how your project is licensed.
As a short summary, the recommendations are threefold:
You are recommended to read our tutorial for a step-by-step guide through these three steps. The FAQ covers basic questions about licensing, copyright, and more complex use cases. Advanced users and integrators will find the full specification helpful.
This tool exists to facilitate the developer in complying with the above recommendations.
There are other tools that have a lot more features and functionality surrounding the analysis and inspection of copyright and licenses in software projects. The REUSE helper tool, on the other hand, is solely designed to be a simple tool to assist in compliance with the REUSE recommendations.
There are packages available for easy install on many operating systems. You are welcome to help us package this tool for more distributions!
An automatically generated list can be found at repology.org, without any guarantee for completeness.
The following one-liner both installs and runs this tool from PyPI via pipx:
pipx run reuse lint
pipx automatically isolates reuse into its own Python virtualenv, which means that it won't interfere with other Python packages, and other Python packages won't interfere with it.
If you want to be able to use reuse without prepending it with pipx run every time, install it globally like so:
pipx install reuse
reuse will then be available in ~/.local/bin, which must be added to your $PATH. On Windows, the required path for your environment may look like %USERPROFILE%\AppData\Roaming\Python\Python39\Scripts, depending on the Python version you have installed.
To upgrade reuse, run this command:
pipx upgrade reuse
For full functionality, the following pieces of software are recommended:
To install reuse into ~/.local/bin, run:
pip3 install --user reuse
Subsequently, make sure that ~/.local/bin is in your $PATH, as described in the previous section.
To upgrade reuse, run this command:
pip3 install --user --upgrade reuse
You can also install this tool from the source code, but we recommend the methods above for easier and more stable updates. Please make sure the requirements for the installation via pip are present on your machine.
pip install .
First, read the REUSE tutorial. In a nutshell:
1. Put your licenses in the LICENSES/ directory.
2. Add a comment header to each file that says SPDX-License-Identifier: GPL-3.0-or-later, and SPDX-FileCopyrightText: $YEAR $NAME. You can be flexible with the format, just make sure that the line (after the comment marker) starts with SPDX-FileCopyrightText:.
Example of header:
# SPDX-FileCopyrightText: 2017 Free Software Foundation Europe e.V. <https://fsfe.org>
#
# SPDX-License-Identifier: CC-BY-SA-4.0
To check against the recommendations, use reuse lint:
~/Projects/reuse-tool $ reuse lint
[...]
Congratulations! Your project is compliant with version 3.3 of the REUSE Specification :-)
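As an added example (not code from the reuse project), a minimal POSIX shell check that mirrors the two header rules above and runs over constructed sample files; the function names and sample files are assumptions, and unlike reuse lint it does not validate identifiers against LICENSES/.

```shell
# Added example, not code from the reuse project: a minimal check for the two
# header lines the tutorial asks for, run over constructed sample files. It
# only mirrors the stated rule (a line starting, after any comment prefix,
# with "SPDX-FileCopyrightText:", plus an "SPDX-License-Identifier:" line);
# the real `reuse lint` also checks that each identifier has a license text
# in LICENSES/.
set -eu

# Prints "ok" and returns 0 when a file carries both header lines; otherwise
# prints which line(s) are missing and returns 1.
check_spdx_header() {
  file="$1"
  missing=""
  # Allow any non-alphanumeric comment prefix (#, //, /*, --, <!--, ...).
  grep -Eq '^[^[:alnum:]]*SPDX-FileCopyrightText:' "$file" || missing="$missing copyright"
  grep -Eq 'SPDX-License-Identifier:' "$file" || missing="$missing license"
  if [ -z "$missing" ]; then
    echo ok
    return 0
  fi
  echo "missing:$missing"
  return 1
}

# Lists every regular file under a directory that fails the check; this is
# the per-file information a REUSE lint summary is built from.
report_missing() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    check_spdx_header "$f" >/dev/null || echo "$f"
  done
}

# Constructed samples: the README's header, a C file lacking the copyright
# line, and a file with no licensing information at all.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.py" <<'EOF'
# SPDX-FileCopyrightText: 2017 Free Software Foundation Europe e.V. <https://fsfe.org>
#
# SPDX-License-Identifier: CC-BY-SA-4.0
print("hello")
EOF
cat > "$SAMPLE_DIR/no_copyright.c" <<'EOF'
/* SPDX-License-Identifier: GPL-3.0-or-later */
int main(void) { return 0; }
EOF
printf 'No licensing information at all.\n' > "$SAMPLE_DIR/plain.txt"
report_missing "$SAMPLE_DIR"
```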
This tool can do various more things, detailed in the documentation. Here is a short summary:
annotate --- Add copyright and/or licensing information to the header of a file.
download --- Download the specified license into the LICENSES/ directory.
lint --- Verify the project for REUSE compliance.
lint-file --- Verify REUSE compliance of individual files.
spdx --- Generate an SPDX Document of all files in the project.
supported-licenses --- Print all licenses supported by REUSE.
convert-dep5 --- Convert .reuse/dep5 to REUSE.toml.
In this screencast, we are going to follow the tutorial, making the REUSE example repository compliant.
The fsfe/reuse Docker image is available on Docker Hub. With it, you can easily include REUSE in CI/CD processes. This way, you can check for REUSE compliance for each build. In our resources for developers you can learn how to integrate the REUSE tool in Drone, Travis, GitHub, or GitLab CI.
You can run the helper tool simply by providing the command you want to run (e.g., lint, spdx). The image's working directory is /data by default. So if you want to lint a project that is in your current working directory, you can mount it on the container's /data directory, and tell the tool to lint. That looks a little like this:
docker run --rm --volume $(pwd):/data fsfe/reuse lint
You can also provide additional arguments, like so:
docker run --rm --volume $(pwd):/data fsfe/reuse --include-submodules spdx -o out.spdx
The available tags are:
latest --- the most recent release of reuse.
{major} --- the latest major release.
{major}.{minor} --- the latest minor release.
{major}.{minor}.{patch} --- a precise release.
You can add -debian to any of the tags to get a Debian-based instead of an Alpine-based image, which is larger, but may be better suited for license compliance.
You can automatically run reuse lint on every commit as a pre-commit hook for Git. This uses pre-commit. Once you have it installed, add this to the .pre-commit-config.yaml in your repository:
repos:
  - repo: https://github.com/fsfe/reuse-tool
    rev: v5.0.2
    hooks:
      - id: reuse
Then run pre-commit install. Now, every time you commit, reuse lint is run in the background, and will prevent your commit from going through if there was an error.
If you instead want to only lint files that were changed in your commit, you can use the following configuration:
repos:
  - repo: https://github.com/fsfe/reuse-tool
    rev: v5.0.2
    hooks:
      - id: reuse-lint-file
In order to enable shell completion, you need to generate the shell completion script. You do this with _REUSE_COMPLETE=bash_source reuse. Replace bash with zsh or fish as needed, or any other shell supported by the Python click library. You can then source the output in your shell rc file (e.g. ~/.bashrc), like so:
eval "$(_REUSE_COMPLETE=bash_source reuse)"
Alternatively, you can place the generated completion script in ${XDG_DATA_HOME}/bash-completion/completions/reuse.
If you're interested in contributing to the reuse project, there are several ways to get involved. Development of the project takes place on GitHub at https://github.com/fsfe/reuse-tool. There, you can submit bug reports, feature requests, and pull requests. Even and especially when in doubt, feel free to open an issue with a question. Contributions of all types are welcome, and the development team is happy to provide guidance and support for new contributors.
You should exercise some caution when opening a pull request to make changes which were not (yet) acknowledged by the team as pertinent. Such pull requests may be closed, leading to disappointment. To avoid this, please open an issue first.
Additionally, the reuse@lists.fsfe.org mailing list is available for discussion and support related to the project.
You can find the full contribution guidelines at https://reuse.readthedocs.io/en/latest/contribute.html.
This work is licensed under multiple licences. Because keeping this section up-to-date is challenging, here is a brief summary as of April 2024:
For more accurate information, check the individual files.