ADR-0012: All Files Shall Have a SPDX License Header

• Status: accepted
• Date: 2024-05-12
• Tags: legal, licensing, compliance

Context and Problem Statement

Licensing information not being embedded in source code and other project files may lead to confusion and legal risks. This could make software distribution and use challenging. To mitigate this, we have decided to include a SPDX license identifier at the top of every file.

This is the license header format that we will use:

/*
|    Protect your secrets, protect your sensitive data.
:    Explore VMware Secrets Manager docs at https://vsecm.com/
</
<>/  keep your secrets... secret
>/
<>/' Copyright 2023-present VMware Secrets Manager contributors.
>/'  SPDX-License-Identifier: BSD-2-Clause
*/

The comment block will change depending on the file type. For example, for a Go file, the comment block will be // instead of /* and */.

Decision Drivers

The decision to adopt SPDX license headers is driven by the need for clear, accessible, and unambiguous licensing information directly within the source files. This approach is supported by industry best practices for open-source compliance, particularly in environments where software is frequently audited or distributed across different legal jurisdictions. Adopting SPDX will also facilitate easier integration and reuse of external open-source components that are already using SPDX identifiers.

Considered Options

1. Standardize and clarify the licensing across all code files in our project.
2. Do not enforce a specific license header format.

Decision Outcome

Chosen option: “option 1”, because it ensures that all files in the project clearly state their licensing, reducing ambiguity and potential legal issues.

Positive Consequences

• Consistency in Licensing: All files will clearly state their licensing, reducing ambiguity and potential legal issues.
• Ease of Compliance Verification: Tools that recognize SPDX identifiers can automatically verify the compliance of all files with declared licenses, streamlining audits and compliance checks.

Negative Consequences

None.

ADRs

You can view the ADRs by browsing this following list:

• ADR-0001: Use Log4brains to manage the ADR
• ADR-0002: Use Markdown Architectural Decision Records
• ADR-0003: VSecM Will Be Scoped to Work on Kubernetes Only
• ADR-0004: Be Practically Secure
• ADR-0005: Be Resilient by Default
• ADR-0006: Be Secure by Default
• ADR-0007: Document All Public Methods
• ADR-0008: Have a Minimal and Intuitive API
• ADR-0009: Have at Least 50% Test Coverage Across the Project
• ADR-0010: Keep Non-Public Function in Separate Files from the Public Functions
• ADR-0011: Keep Things Minimal: Do One Thing Well
• ADR-0012: All Files Shall Have a SPDX License Header
• ADR-0013: Scan the Codebase for Vulnerabilities and Code Smells Regularly
• ADR-0014: Get OpenSSF Best Practices Compliance
• ADR-0015: Keep Source Code Line Length Around 80 Characters
• ADR-0016: Centralize Magic Words, Numbers, and Configuration Constants in Common Modules
• ADR-0017: VSecM OIDC Resource Server Shall Be Secure by Default“
• ADR-0018: Use Asciinema for Use Case Examples in the Documentation“

edit this page ✏️