licensing for OpenControl repositories

afeld commented 8 years ago

We have a number of repositories with different (or no) license files, and should probably decide on one...or at least a default. At 18F, we use CC0 with an explanation at the top:

https://github.com/18F/open-source-policy/blob/master/LICENSE.md

Would be simplest for the 18F staff to go with CC0 for consistency on our side (since our contributions are public domain), but not sure if we want to pick something that addresses patents.

https://wiki.creativecommons.org/wiki/CC0_FAQ#May_I_apply_CC0_to_computer_software.3F_If_so.2C_is_there_a_recommended_implementation.3F

Thoughts?

brittag commented 8 years ago

I made a quick list of license statuses for repositories in this org, to help us think about this:

US public domain + CC0 internationally

US public domain + Apache v2 internationally

https://github.com/opencontrol/SIMP

AGPL + additions that are US public domain and CC0 internationally

https://github.com/opencontrol/ATOdashboard

Apache v2

CC0

https://github.com/opencontrol/cf-compliance-DEPRECATED

CC0 but file is slightly confusingly labeled Apache v2

https://github.com/opencontrol/opencontrol-website

No license

brittag commented 8 years ago

Based on that list, here's a hypothetical way we could turn what seems to be OpenControl's usual practices into a set of recommendations:

The team that starts a project (or moves it into the OpenControl org) decides the license of that project, taking into consideration recommendations from OpenControl that are intended to help maximize reusability and interoperability. These recommendations could be something like:
- If 18F starts a project, 18F applies its standard dedication (US public domain + CC0 international), modified to add a standard patent non-assertion pledge. Other people contributing to that project agree to dedicate their contributions under that dedication.
- If another US federal government team starts a project, they should consider applying this 18F standard dedication to their work.
- If a non-government team starts a project, they should consider applying Apache v2 (or CC0 with a patent non-assertion pledge). US federal government employee contributions (made as part of their work) would technically be public domain (since we can't hold copyright), but the whole work would be a joint work, so it could reasonably be treated as the overarching license.
- If any non-government team starts a little repository with just content or experiments, consider applying CC0 rather than having no license.
- If any team forks and adapts a project from somewhere else, carefully retain and comply with the license (and credit the original authors even if not required). Again, US federal government employee contributions (made as part of their work) would technically be public domain (since we can't hold copyright), but the whole work would be a joint work, so it could reasonably be treated as the overarching license.

afeld commented 8 years ago

Any non-18F folks have strong feelings about this?

pburkholder commented 8 years ago

@gregelin ^^ thoughts?

gregelin commented 8 years ago

@pburkholder @afeld This gets to the governance question. Seems reasonable that any repo that is part of OpenControl must have an open source license.

At moment, I don't have strong opinion regarding requiring a particular open source license. I'm OK with @brittag's recommendations. Happy to add a general/permissive open source license to what GovReady contributes.

adamcrosby commented 7 years ago

Not sure if this should be a tag on this issue (seems like it) or a new one, but the OpenControl fork of my xccdf-tsv tool (mine: https://github.com/adamcrosby/xccdf2tsv OC: https://github.com/opencontrol/xccdf2csv) was updated to include a CC0 license attribution, which is in violation of the terms in the original content (CC-SA, which requires downstream to retain same license). My copyright header is still in the python file, and it says CC-SA, but the repo readme says the license is CC0.

brittag commented 7 years ago

Thanks @adamcrosby - good catch, that fork should have carried forward the license instead of changing it. Checking this, looks like your readme says by-sa but the Python file says by-nc-sa - should the fork carry forward that combination (so people would follow the more restrictive one by default)?

Pinging @JJediny (author of the post-fork commits) to fix this in the fork. :)

adamcrosby commented 7 years ago

@brittag I'll update the original python in the repo to be less restrictive (by-SA is fine). Unsure how you'd like to move that change into the OpenControl repo (I can submit a PR against your repo if that's necessary, or I'm OK with @JJediny just making the edit in his update as well. Thanks!

its-a-lisa commented 4 years ago

The FAQ page says the following:

The code portions are all licensed under Apache 2.0, except what has been contributed directly by the US Government, which is in the public domain within the US. Internationally, the US Government licenses its code under Creative Commons Zero 1.0. All written content has been licensed as Creative Commons Zero.

Suggest closing this issue as resolved.

opencontrol / discuss

licensing for OpenControl repositories #7