Closed mmarseu closed 3 weeks ago
Coverage Report •
File Stmts Miss Cover Missing __main__.py 320 20 93% 217–218, 235, 245, 659–660, 664–669, 671, 674, 684–687, 691, 848 build_public_bom.py 61 0 100% error.py 21 0 100% log.py 54 3 94% 33, 45–46 merge.py 181 4 97% 276–277, 280–281 merge_vex.py 31 1 96% 72 pkg.py 4 0 100% set.py 133 17 87% 65–66, 69, 71, 74, 78, 82–86, 105, 133, 142, 173, 176, 197 amend command.py 34 0 100% license.py 13 0 100% operations.py 210 5 97% 388, 393, 431, 457, 525 auxiliary filename_gen.py 58 0 100% identity.py 84 3 96% 20, 60, 88 output.py 54 1 98% 99 sbomFunctions.py 140 3 97% 68, 76, 153 validator customreports.py 85 10 88% 46–47, 54–57, 97, 148–149, 175 helper.py 48 0 100% validate.py 79 4 94% 41, 89, 105, 140 TOTAL 1610 71 95%
Tests | Skipped | Failures | Errors | Time |
---|---|---|---|---|
287 | 2 :zzz: | 0 :x: | 0 :fire: | 4.467s :stopwatch: |
@mmarseu Why not simply add the SPDX-ID GPL-3.0-or-later
in the header as described here?
I've added the copyright line but I'm unsure whether it should really have the years. We've already had this discussion in another issue, I think. It's not legally required and it creates a technical burden to maintain.
I've added the copyright line but I'm unsure whether it should really have the years. We've already had this discussion in another issue, I think. It's not legally required and it creates a technical burden to maintain.
I've had a discussion with our legal department regarding this topic and the preferred way is to include the current year of modification, e.g. only change the year, when the file itself was changed, otherwise you can keep the year.
Does that imply there is no range of years but only the year of the last modification?
Example:
# Copyright 2024 Festo SE & Co. KG
becomes # Copyright 2025 Festo SE & Co. KG
the first time the file is touched in 2025?
It seems like there are really different opinions, according to the EU placing the year the work was created is sufficient, as you have copyright per default. But looking at best practices from e.g. GNU they agree on your ranges.
However, looking at the Berne Convention maybe you were right from the start and the best thing is to not include copyright at all. I think it would be only required if we have many different contributors from outside of Festo, which is not the case - up to now.
It seems like there are really different opinions, according to the EU placing the year the work was created is sufficient, as you have copyright per default.
Let's say it surprised me that a lawyer would argue to only have the year of last modification. That's why I asked if that's what they meant. From all I know about copyright law (which isn't very much) that would be shooting ourselves in the foot.
But looking at best practices from e.g. GNU they agree on your ranges.
Small wonder since that's where I copied the statement from 😆
However, looking at the Berne Convention maybe you were right from the start and the best thing is to not include copyright at all. I think it would be only required if we have many different contributors from outside of Festo, which is not the case - up to now.
Copyright automatically applies, no statement is legally necessary. The statement still serves the purpose to make this fact very evident to any reader. I don't think it's entirely useless. Just the year is really not important, I'd say. We have the repository history to prove at what time we have written which code.
On the other hand, if we wanted to claim copyright on the code and be totally above board, we'd have to either not accept outside contributions to this project at all or set up a CLA process. Because if we accept somebody else's code into our codebase and they haven't signed an agreement to sign over the copyright to Festo, then the copyright claim would be wrong. They would technically hold the copyright to their part of the code. For now that's not a problem, there has never been an outside contributor.
On the other hand, if we wanted to claim copyright on the code and be totally above board, we'd have to either not accept outside contributions to this project at all or set up a CLA process. Because if we accept somebody else's code into our codebase and they haven't signed an agreement to sign over the copyright to Festo, then the copyright claim would be wrong. They would technically hold the copyright to their part of the code. For now that's not a problem, there has never been an outside contributor.
I will discuss this topic further internally and think about introducing a CLA process.
Fixes #194
Additionally, the license has been changed from
GPL-3.0-only
toGPL-3.0-or-later
. This makes it much easier to keep using our code in the distant future when a hypothetical GPL-4.0 comes around and starts being adopted. It is safe to assume that later versions of the GPL will not change its spirit which is what counts.