Skip to content

Audit third-party license compliance and REUSE metadata #314

Description

@aroviqen

Goal

Audit whether third-party licenses and existing REUSE/SPDX metadata are correctly represented in this repository.

This is deliberately separate from the SecPal attribution-terms issue. The attribution issue should only add LicenseRef-SecPal-Attribution to AGPL-covered SecPal-owned code/assets; this issue should verify that existing third-party and non-AGPL licensing is correct.

Scope

  • Review npm/package dependencies and their licenses.
  • Review Android/Gradle dependencies and their licenses.
  • Verify whether dependency licenses require attribution, notice files, bundled license texts, source offer handling, or other distribution obligations.
  • Verify whether project files currently marked CC0-1.0, MIT, Apache-2.0, AGPL-3.0-or-later, generated, Android wrapper/Gradle-specific, or custom LicenseRef-* entries are correctly classified.
  • Verify that Android resources/assets and generated Capacitor files have appropriate licensing metadata.
  • Verify that no third-party copyright notice has been replaced with SecPal Contributors.
  • Verify whether LICENSES/ contains all required license texts for REUSE compliance.
  • Run reuse lint after any metadata changes.

Important distinction

Do not use this audit to relicense third-party code or dependency code.

Implementation rule:

  • Third-party code/notices remain under their original licenses.
  • SecPal-owned AGPL code/assets can be adjusted separately in Add SecPal attribution terms to AGPL licensing #313.
  • Non-AGPL project metadata should stay non-AGPL unless intentionally reviewed and changed.
  • No Tailwind-specific terms should be introduced unless Tailwind-derived material is actually present.

Suggested checks

  • Review REUSE.toml annotations and per-file SPDX headers.
  • Review LICENSES/ contents against all SPDX identifiers and LicenseRef-* identifiers used in the repo.
  • Generate/review an npm dependency license inventory.
  • Generate/review a Gradle/Android dependency license inventory.
  • Check for copied/adapted third-party source snippets outside package-manager dependencies.
  • Confirm Android wrapper/Gradle file licensing remains correct.
  • Confirm generated Capacitor asset metadata remains correct.
  • Document findings and remediation steps.

Acceptance criteria

  • Third-party dependency licenses are inventoried.
  • REUSE/SPDX metadata is consistent with actual file origin and licensing.
  • Required license texts are present under LICENSES/.
  • Third-party notices are preserved.
  • Any remediation is split into focused follow-up issues or PRs.
  • reuse lint passes after changes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    💡 Ideas

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions