License Compliance & Management

Version: 1.0.0
Last Updated: 2026-01-14
Applies To: All Structum packages and contributions


Overview

Structum is licensed under the Apache License 2.0. This document explains our licensing strategy, contributor policies, and compliance procedures.


1. Project License

Apache License 2.0

Key Permissions:

  • ✅ Commercial use

  • ✅ Modification

  • ✅ Distribution

  • ✅ Patent grant

Key Conditions:

  • 📄 License and copyright notice

  • 📄 State changes

  • 📄 Provide attribution (NOTICE file)

  • 📄 Same license for derivative works

Full Text: See LICENSE file in repository root.


2. Standard Header Template

All source files (.py, .toml, .yaml, etc.) MUST include:

# SPDX-FileCopyrightText: 2026 Your Name <your.email@example.com>
# SPDX-License-Identifier: Apache-2.0

Multi-Contributor Model: Each contributor retains copyright of their work.

New Files

When creating new files, add your own copyright:

# SPDX-FileCopyrightText: 2026 Mario Rossi <mario@example.com>
# SPDX-License-Identifier: Apache-2.0

Modifying Existing Files

  • Small changes (< 10 lines): Keep existing headers unchanged

  • Substantial contributions (refactors, new features): Add your copyright line

# SPDX-FileCopyrightText: 2026 PythonWoods Team
# SPDX-FileCopyrightText: 2026 Mario Rossi <mario@example.com>
# SPDX-License-Identifier: Apache-2.0

Why Multi-Contributor Model?

  1. Transparency: Clear attribution in every file

  2. No Barriers: No CLA required - easier to contribute

  3. Standard Practice: Common for Apache-2.0 projects

  4. REUSE Compliance: Machine-readable copyright information


3. Contributor Responsibilities

By Contributing, You Certify

  1. Originality: The contribution is your original work

  2. License Grant: You grant it under Apache-2.0

  3. Patent Grant: Apache-2.0 includes patent grant automatically

  4. Legal Authority: You have the right to submit this contribution

No CLA Required

Structum does NOT require a Contributor License Agreement (CLA).

  • You retain copyright of your contributions

  • Your work is distributed under Apache-2.0 (same as the project)

  • Standard for open-source projects


4. Third-Party Dependencies

Allowed Licenses

Structum (Apache-2.0) can use dependencies under these licenses:

License             Compatible?   Notes
MIT                 ✅ Yes        Highly permissive
BSD (2/3-Clause)    ✅ Yes        Highly permissive
Apache-2.0          ✅ Yes        Same license
LGPL-3.0            ✅ Yes        Only for libraries (not forks)
ISC                 ✅ Yes        Similar to MIT
GPL-2.0/3.0         ❌ No         Copyleft - would infect Structum
Proprietary         ❌ No         Not open-source

Adding New Dependencies

Checklist:

  1. [ ] Verify license is compatible (see table above)

  2. [ ] Add to NOTICE file with:

    • Package name & URL

    • Copyright holder

    • License type

  3. [ ] Add attribution to relevant package README

  4. [ ] Run structum license deps-check to verify


5. REUSE Compliance

What is REUSE?

REUSE is a specification for declaring copyright and licensing in a machine-readable way.

Structum’s REUSE Strategy

Components:

  1. SPDX Headers: In all source files

  2. .reuse/dep5: Bulk license declarations for non-code files

  3. NOTICE: Human-readable attribution

  4. LICENSE: Full license text

Verification

# Check compliance
structum license check

# Or manually
uv run reuse lint

Goal: 100% REUSE compliance (all files have clear licensing)


6. File-Specific Policies

Python Source Files

# SPDX-FileCopyrightText: 2026 PythonWoods Team
# SPDX-License-Identifier: Apache-2.0

"""Module docstring here."""

Configuration Files (TOML/YAML)

# SPDX-FileCopyrightText: 2026 PythonWoods Team
# SPDX-License-Identifier: Apache-2.0

[project]
name = "structum"

Markdown Documentation

No SPDX header needed - covered by .reuse/dep5:

Files: docs/* *.md
Copyright: 2026 PythonWoods Team
License: Apache-2.0

Auto-Generated Files

Covered by .reuse/dep5:

Files: **/__pycache__/* dist/* build/*
Copyright: 2026 PythonWoods Team
License: Apache-2.0
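
The header and dep5 rules from sections 2, 5 and 6 boil down to a small check: every file either carries both SPDX lines near its top with the project license, or is covered by a `.reuse/dep5` glob. The checker below is an added illustration, not the project's `structum license check` or the `reuse` tool; the sample files, the dep5 globs it hard-codes and the 20-line header window are constructed assumptions.

```python
import fnmatch
import re
from typing import Dict, List

PROJECT_LICENSE = "Apache-2.0"
# Constructed stand-in for the .reuse/dep5 "Files:" globs quoted in the policy
DEP5_GLOBS = ["docs/*", "*.md", "**/__pycache__/*", "dist/*", "build/*"]

# Both SPDX lines are '#' comments in .py, .toml and .yaml alike
COPYRIGHT_RE = re.compile(r"^#\s*SPDX-FileCopyrightText:\s*\d{4}\s+\S.*$", re.M)
LICENSE_RE = re.compile(r"^#\s*SPDX-License-Identifier:\s*(\S+)\s*$", re.M)


def covered_by_dep5(path: str) -> bool:
    """True if a bulk dep5 declaration covers the path, so no per-file header is needed."""
    return any(fnmatch.fnmatch(path, g) for g in DEP5_GLOBS)


def check_file(path: str, text: str) -> List[str]:
    """Return the policy violations for one file; an empty list means compliant."""
    if covered_by_dep5(path):
        return []
    # Assumed window: headers must sit in the first 20 lines, so a stray
    # mention of SPDX deeper in the file does not count as a header
    head = "\n".join(text.splitlines()[:20])
    problems = []
    if not COPYRIGHT_RE.search(head):
        problems.append("missing SPDX-FileCopyrightText")
    m = LICENSE_RE.search(head)
    if not m:
        problems.append("missing SPDX-License-Identifier")
    elif m.group(1) != PROJECT_LICENSE:
        problems.append(f"license is {m.group(1)}, expected {PROJECT_LICENSE}")
    return problems


def lint(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each non-compliant path to its problems (compliant files are omitted)."""
    return {p: probs for p, t in files.items() if (probs := check_file(p, t))}


# Constructed sample tree: one good module, one with no header, one declaring
# a copyleft license, a dep5-covered doc, and a compliant TOML config
SAMPLE_FILES = {
    "src/structum/core.py": "# SPDX-FileCopyrightText: 2026 Mario Rossi <mario@example.com>\n"
                            "# SPDX-License-Identifier: Apache-2.0\n\"\"\"Core.\"\"\"\n",
    "src/structum/util.py": "import os\n",
    "src/structum/vendored.py": "# SPDX-FileCopyrightText: 2026 Someone\n"
                                "# SPDX-License-Identifier: GPL-3.0-only\n",
    "docs/index.md": "# Docs\n",
    "pyproject.toml": "# SPDX-FileCopyrightText: 2026 PythonWoods Team\n"
                      "# SPDX-License-Identifier: Apache-2.0\n[project]\nname = \"structum\"\n",
}

if __name__ == "__main__":
    for path, probs in lint(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(probs)}")
```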

7. CLI Tools for License Management

Check Compliance

structum license check

Runs reuse lint and reports any non-compliant files.

Add SPDX Headers

# Single file
structum license add-header path/to/file.py

# All missing files
structum license add-headers

Automatically adds standard SPDX header.

Audit Dependencies

structum license deps-check

Scans all dependencies and reports:

  • License types

  • Compatibility with Apache-2.0

  • Missing licenses


8. Contribution Workflow

For Contributors

  1. Write code with proper SPDX headers (your copyright)

  2. Run checks: structum check && structum license check

  3. Submit PR

  4. CI verifies REUSE compliance

  5. Merge after code review and approval

For Maintainers

  1. Check structum license check passes

  2. Verify SPDX headers are correct

  3. Verify that no proprietary dependencies were added

  4. Merge if compliant and code quality is good


9. Recognition Policy

How Contributors Are Recognized

❌ Not via SPDX headers
✅ Via these methods:

  1. CONTRIBUTORS.md: Listed alphabetically

  2. Git History: Permanent record

  3. Release Notes: Major contributions highlighted

  4. About Page (future): Community page on website

Example CONTRIBUTORS.md Entry

## Contributors

- **John Doe** - Authentication system refactor (#123)
- **Jane Smith** - Database plugin performance improvements (#456)

10. Frequently Asked Questions

Q: Should I put my name in the SPDX header?

A: YES! For new files, use your own copyright. For substantial edits to existing files, add your copyright line.

Q: Can I use my contribution elsewhere?

A: Yes! You retain full copyright. Apache-2.0 is permissive and non-exclusive.

Q: What if I find a file without SPDX header?

A: Run structum license add-header <file> or report it as an issue.

Q: What counts as a “substantial contribution”?

A: Refactors, new features, or changes > 10 lines. Bug fixes < 10 lines don’t require adding your copyright.

Q: What about files I only slightly modified?

A: Keep the original SPDX headers unchanged:

# SPDX-FileCopyrightText: 2026 PythonWoods Team  # ← Keep this
# SPDX-License-Identifier: Apache-2.0

11. Enforcement

Pre-Commit Checks

CI pipeline runs:

structum license check

Result: PR fails if any file lacks proper licensing.

Remediation

If non-compliant:

  1. Run structum license add-headers

  2. Commit fixes

  3. Re-run CI


12. Updates to This Policy

Amendment Process

See: docs/governance/amendment_policy.md

Summary:

  • Policy changes require community discussion

  • Major changes need governance approval

  • Always maintain Apache-2.0 compatibility


Note: This document provides guidance, not legal advice. For legal questions, consult a qualified attorney.



Contact

License Questions: legal@pythonwoods.com
Technical Support: dev@pythonwoods.com