Open bpradipt opened 2 years ago
ariel-adam
commented
1 year ago @bpradipt is this issue still relevant or can be closed? If it's still relevant to what release do you think we should map it to (mid-November, end-December, mid-February etc...)?
SamYuan1990
commented
1 year ago add copyright for all files?
Copyright Confidential Containers Contributors
katexochen
commented
1 year ago @bpradipt Is this something we want to enforce? Has there already been a discussion on how existing copyright statements should be handled?
If this is still relevant, feel free to assign me.
bpradipt
commented
1 year ago @bpradipt Is this something we want to enforce? Has there already been a discussion on how existing copyright statements should be handled?
If this is still relevant, feel free to assign me.
@katexochen this issue is still relevant. We are ensuring to add the following copyright statement when adding new code or modifying existing code
Copyright Confidential Containers Contributors@katexochen I assigned the issue to you.
katexochen
commented
1 year ago Just to be clear @bpradipt, that means if a file now has the following copyright header:
// (C) Copyright Foo Corp. 2022.
// SPDX-License-Identifier: Apache-2.0Should it in future look like this:
// (C) Copyright The Confidential Containers Contributors.
// (C) Copyright Foo Corp. 2022.
// SPDX-License-Identifier: Apache-2.0or like this:
// (C) Copyright The Confidential Containers Contributors.
// SPDX-License-Identifier: Apache-2.0We would need explicit permissions to remove existing copy right statements.
cc @stevenhorsman
stevenhorsman
commented
1 year ago Hey Paul, we've had this discussion on a PR in the past and I don't think it is as straight forward.
I know that IBM legal have insisted that we use the IBM Copyright on our contributions to open source and this seems to be a common pattern in kata-containers: e.g. https://github.com/kata-containers/kata-containers/blob/CCv0/src/agent/src/image_rpc.rs
So is compatibly with the CNCF copyright rules: https://github.com/cncf/foundation/blob/main/copyright-notices.md#what-if-i-want-my-copyright-notice-included
Please note that it is not wrong, and it is acceptable, if a contributor wishes to keep their own copyright notices on their contributions. The above is a recommended format for ease of use, but is not mandated by CNCF.
I don't really want to open the can of worms over all of the times that we've not been consistent in using/updating IBM copyright though 😨. I can try and open a discussion with IBM Legal, but that might take a while to resolve
I know it's not the same issue, but in my experience copyright isn't mandatory on files, but license files are https://github.com/cncf/foundation/blob/main/license-notices.md, so that is where kata-containers have chosen to focus their automation (https://github.com/kata-containers/tests/blob/9439ae1c9167ffd49bca6ad2dd3b5edf0841b4f4/.ci/static-checks.sh#L389)
My opinion is that whilst we aren't in a consistent state with copyrights, they aren't required IIRC, and I don't think we should be applying copyright rules in cloud-api-adaptor in isolation of the rest of the CoCo org, so I think this is a TSC question of whether they have any project wide guidance.
katexochen
commented
1 year ago Thanks for your reply @stevenhorsman. I know that this isn't any easy topic (that's why I'm asking :laughing:).
I think the situation is pretty clear here.
As I understand it, the spdx identifier is required, and CNCF grants contributors the right to include their own copyright.
So the only open question would be if we should/can add a line // (C) Copyright The Confidential Containers Contributors. in addition.
As other contributors are granted the same rights to add their copyright when editing files of a project, adding additional copyright shouldn't be a problem.
I think this is a TSC question of whether they have any project wide guidance
But it would for sure be good to get that confirmed from TSC.
bpradipt
commented
1 year ago Tbh, we need to refer to existing CNCF projects for guidance and relying on any project external to CNCF may not be the best thing to do. Anyways I'll try to bring this as a topic in TSC meet and get back.
fitzthum
commented
1 year ago I think we are already generally in compliance with CNCF guidelines for copyright notices. We can discuss further with TSC.
katexochen
commented
1 year ago So I think this was discussed in the TSC meeting, but I'm not sure what the exact result was regarding this specific issue? Aren't we adding a workflow at all? Should we implement my suggestion from https://github.com/confidential-containers/cloud-api-adaptor/issues/79#issuecomment-1607080941?
bpradipt
commented
1 year ago @katexochen yes, we discussed this in TSC and documented it in the status doc. Reproducing the statement here
The recommended copyright statement is "Copyright Confidential Containers Contributors" based on https://github.com/cncf/foundation/blob/main/copyright-notices.md#ownership-of-copyrights-in-cncf-project-contributions So the recommendation is to use the above copyright statement.
We can collectively decide in the peer-pods community meeting whether to apply to only new files, or also include files where copyright is missing. And if at all we need to remove an existing copyright with approval or add to existing copyright
katexochen
commented
9 months ago I thought a bit about this lately, and I think I found a great solution to implement it reliably and so that all requirements can be met:
We already use the SPDX-License-Identifier tag in our file headers. I discovered that there are other useful tags defined by the SPDX spec:
SPDX-FileCopyrightText
Identify the copyright holder of the file, as well as any dates present. This shall be a free-form text field extracted from the actual file.
Examples:
SPDX-FileCopyrightText: 2019 Jane Doe <jane@example.com>
SPDX-FileCopyrightText: Copyright 2008-2010 John Smith
SPDX-FileCopyrightText: Copyright Example Company
SPDX-FileCopyrightText: Copyright contributors to the Foo project.SPDX-FileContributor
This field provides a place for the SPDX document creator to record file contributors. Contributors could include names of copyright holders and/or authors who might not be copyright holders, yet contributed to the file content.
Examples:
SPDX-FileContributor: Modified by Jane Doe
SPDX-FileContributor: The Regents of the University of CaliforniaBy using this fields, the header can be easily parsed by software. We can easily check and sort the header, and people can still add their copyright or contributor name to files in an organized manner.
Based on the CNCF guideline we can use something like below: