CDCgov / template

Template repository with rules, practices, and privacy, license, records notices to help people use the CDCgov GitHub organization.
Apache License 2.0

Question about Apache License #124

Open akim135 opened 2 months ago

akim135 commented 2 months ago

What type of help do you need?

Please describe how you'd like us to help.

Hello,

I had a question about the Apache license that is included as a template in this repo.

All government work is supposed to be in the public domain (in the United States). So, the CDC does not have copyright protection over its work and by that virtue, would not be able to issue licenses that control/restrict the use of its work (permissive or not). For this reason, is it appropriate to include a license (of any form)?

Using a NIST open-source project, Jarvis, as an example, their LICENSE file contains a notification that the work is under the public domain and does not actually contain a license.

Thanks, Allen

Other examples:

boris-ning-usds commented 2 months ago

I highly encourage US federal government work - especially code to be in public domain, but the notion that all government work is supposed to be in public domain is not true. Most notably - a lot of code today within the US defense sector is still classified and not open source.

From a public health perspective though, centers within CDC often do not release their pre-publication or draft codebase for scientific research; and some do, some don't. It really depends.

I believe the usage of Apache was decided maybe by @leebrian - who can provide better context. I actually prefer CC0 1.0 - Creative Commons 0 and Apache / MIT / BSD licenses are fairly copyleft licenses that others in the public can use without much restriction.

The absence of license is difficult to interpret as well, because it leaves the interpretation up to lawyers as to whether no license means completely free usage. I prefer having a license so that the public understands that the codebase we provide in this organization of cdcgov is highly permissive to allow anybody to use as needed without restriction.

leebrian commented 2 months ago

Allen is on my team and had this question and I encouraged him to post here to add more visibility as this question comes up every once in a while.

Let me see if I can remember the details. We worked with a GSA workgroup years ago to develop this default language. First, it's just a default and programs can use whatever license is appropriate. The reason this is the default is that having software in the public domain solely, without a license is more complicated to use because there are questions about compatibility with existing packages. And there's ambiguity because while it's public domain domestically, internationally it is possible to copyright, even though it's pretty rare. So the rationale was to default to Apache as the license and CC0 to make it easier for groups to evaluate if it's possible and to explicitly note that there is no international copyright.

I originally worked with general counsel back in 2012 to evaluate what licenses are appropriate and documented it under CDC's R&D Lab. Most licenses are valid, so it's just a choice of which one fits the particular needs. For Flu, I think most of our projects are Apache and we'll explicitly note it for clarity. Other programs are free to choose the license they like.

I think it's still good to keep Apache as the default in template as I think it's clearer than the example NIST project which effectively has a custom license.

The reason it has both CC0 and Apache is that CC0 is meant to address the copyright and it seems closest to public domain internationally and domestically; while Apache is meant to address the license, warranty, etc. This is a question that comes up as well. It's perfectly legal to have only CC0 or only Apache or only a public domain notice (or nothing at all) so our choice of CC0+Apache is really a usability decision to reduce ambiguity, improve reuse, and make development easier.

leebrian commented 2 months ago

Comically (tragically??) the Federal Source Code website, sourcecode.cio.gov, is down and the repo, https://github.com/WhiteHouse/source-code-policy, is archived so it's a bit harder to understand how much we align with GSA's overall government-wide templates. It was established under the OMB Memo M16-21 but that didn't give much guidance over what license to use, just that agencies should default all projects to open source unless it hits one of the five exceptions.

akim135 commented 2 months ago

I more or less found my answer to this question. What matters is that although the work of the government itself does not have copyright protection, if the work is derived, the copyright protection of the source work needs to be respected.

If we use Apache2-licensed code, then the derived work (even if it is carried out by the government) also needs to be under a license that is compatible with Apache2. This is because if we use an Apache-licensed library, the library has copyright protection that needs to be respected, and this fact is compatible with the government's lack of copyright protection. So, I think that in the case that we write code that does not depend on any copyright-protected material, it would have to be dedicated to the public domain.

I went through GitHub repos of various federal agencies, and I think the wording of this project illustrates this concept the best.

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105.

However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. http://opensource.org/licenses/mit-license.php. Under that license, permission is granted free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the conditions that any appropriate copyright notices and this permission notice are included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.