Closed idunbarh closed 1 year ago
So there was a big issue with this early on (with people strongly arguing we should avoid the OpenSSF) because Apple and other companies don't like the CSL 1.0. We heard from David Wheeler and a few others that they would approve "a reasonable license" and that their charter wasn't meant to exclude, but to include a default.
So, please put me in touch with folks and I can escalate to straighten this out, if need be.
On Fri, Aug 25, 2023 at 11:32 AM Ian Dunbar-Hall @.***> wrote:
LF started IP/license review of the SBOMit spec and provided feedback that the SBOMit specification needs to be Community Specification License 1.0 licensed per the OpenSSF charter (Section 5, Page 9): https://cdn.platform.linuxfoundation.org/agreements/openssf.pdf
@JustinCappos, @jeffcshapiro is the reviewer who provided the feedback. I also worked with @hythloda to coordinate the review.
I would use this issue for discussion: https://github.com/ossf/tac/issues/191
Okay, I replied there. Let's see how it goes!
Let's wait and not update the license yet until we resolve the issue of which license is best for you, and see if an exception has been / will be granted if you stay with CC-BY-4.0.
Okay, from our community standpoint, the license that the CNCF uses (see clause 11f, https://github.com/cncf/foundation/blob/main/charter.md) is what several community members are strongly in favor of. So, this is what is best for us.
@jeffcshapiro Are you able to approve this license or if not, can you escalate this to someone who can?
Understood. Keep in mind the CNCF charter is referring to documentation, not a specification.
It's not up to me, most likely the OpenSSF governing board makes the decision. I will follow up with Amanda @hythloda and anyone else necessary to help get this resolved.
Closed by #14