search

Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0
16 stars 4 forks source link

chore: Add GPL-3.0 license header comment #210

Closed mmarseu closed 3 weeks ago

mmarseu commented 1 month ago

Fixes #194

Additionally, the license has been changed from GPL-3.0-only to GPL-3.0-or-later. This makes it much easier to keep using our code in the distant future when a hypothetical GPL-4.0 comes around and starts being adopted. It is safe to assume that later versions of the GPL will not change its spirit which is what counts.

github-actions[bot] commented 1 month ago

Coverage

Coverage Report •
FileStmtsMissCoverMissing
__main__.py3202093%217–218, 235, 245, 659–660, 664–669, 671, 674, 684–687, 691, 848
build_public_bom.py610100% 
error.py210100% 
log.py54394%33, 45–46
merge.py181497%276–277, 280–281
merge_vex.py31196%72
pkg.py40100% 
set.py1331787%65–66, 69, 71, 74, 78, 82–86, 105, 133, 142, 173, 176, 197
amend
   command.py340100% 
   license.py130100% 
   operations.py210597%388, 393, 431, 457, 525
auxiliary
   filename_gen.py580100% 
   identity.py84396%20, 60, 88
   output.py54198%99
   sbomFunctions.py140397%68, 76, 153
validator
   customreports.py851088%46–47, 54–57, 97, 148–149, 175
   helper.py480100% 
   validate.py79494%41, 89, 105, 140
TOTAL16107195% 

Tests Skipped Failures Errors Time
287 2 :zzz: 0 :x: 0 :fire: 4.467s :stopwatch:
italvi commented 1 month ago

@mmarseu Why not simply add the SPDX-ID GPL-3.0-or-later in the header as described here?

mmarseu commented 4 weeks ago

I've added the copyright line but I'm unsure whether it should really have the years. We've already had this discussion in another issue, I think. It's not legally required and it creates a technical burden to maintain.

italvi commented 4 weeks ago

I've added the copyright line but I'm unsure whether it should really have the years. We've already had this discussion in another issue, I think. It's not legally required and it creates a technical burden to maintain.

I've had a discussion with our legal department regarding this topic and the preferred way is to include the current year of modification, e.g. only change the year, when the file itself was changed, otherwise you can keep the year.

mmarseu commented 4 weeks ago

Does that imply there is no range of years but only the year of the last modification?

Example: # Copyright 2024 Festo SE & Co. KG becomes # Copyright 2025 Festo SE & Co. KG the first time the file is touched in 2025?

italvi commented 4 weeks ago

It seems like there are really different opinions, according to the EU placing the year the work was created is sufficient, as you have copyright per default. But looking at best practices from e.g. GNU they agree on your ranges.

However, looking at the Berne Convention maybe you were right from the start and the best thing is to not include copyright at all. I think it would be only required if we have many different contributors from outside of Festo, which is not the case - up to now.

mmarseu commented 4 weeks ago

It seems like there are really different opinions, according to the EU placing the year the work was created is sufficient, as you have copyright per default.

Let's say it surprised me that a lawyer would argue to only have the year of last modification. That's why I asked if that's what they meant. From all I know about copyright law (which isn't very much) that would be shooting ourselves in the foot.

But looking at best practices from e.g. GNU they agree on your ranges.

Small wonder since that's where I copied the statement from 😆

However, looking at the Berne Convention maybe you were right from the start and the best thing is to not include copyright at all. I think it would be only required if we have many different contributors from outside of Festo, which is not the case - up to now.

Copyright automatically applies, no statement is legally necessary. The statement still serves the purpose to make this fact very evident to any reader. I don't think it's entirely useless. Just the year is really not important, I'd say. We have the repository history to prove at what time we have written which code.

On the other hand, if we wanted to claim copyright on the code and be totally above board, we'd have to either not accept outside contributions to this project at all or set up a CLA process. Because if we accept somebody else's code into our codebase and they haven't signed an agreement to sign over the copyright to Festo, then the copyright claim would be wrong. They would technically hold the copyright to their part of the code. For now that's not a problem, there has never been an outside contributor.

italvi commented 3 weeks ago

On the other hand, if we wanted to claim copyright on the code and be totally above board, we'd have to either not accept outside contributions to this project at all or set up a CLA process. Because if we accept somebody else's code into our codebase and they haven't signed an agreement to sign over the copyright to Festo, then the copyright claim would be wrong. They would technically hold the copyright to their part of the code. For now that's not a problem, there has never been an outside contributor.

I will discuss this topic further internally and think about introducing a CLA process.