Handling dates in copyright headers

[justaugustus]

From @/swinslow in https://github.com/ossf/scorecard/pull/1532#discussion_r792935609:

(@justaugustus for visibility, I'm no longer employed by the LF, so I'm not speaking on their behalf here in any official way) :)

The LF's general guidance to projects over the past few years has been to recommend a copyright notice form that omits the year. I had previously written up a blog post that describes a "generalized" copyright notice format in some detail, which was related to earlier guidance for CNCF.

The main reason for this recommendation was to avoid the sort of question raised here: e.g. developers wondering every January whether or not to bump the notice up to the next year; with the real answer depending on an analysis of copyrightability of particular contributions that generally goes beyond what folks want to get into. And since the year is not mandatory in order for a work to be copyrighted, some projects have made the decision to omit it.

Keep in mind the caveats that (1) there's nothing wrong with including the year, this was just one recommendation; and (2) you'd never want to modify a copyright notice that names a particular third party without their consent.

Hope this helps :)

From @laurentsimon in https://github.com/ossf/scorecard/pull/1532#discussion_r792988962:

Thanks for the feedback. Let's discuss this in an issue and address it via a PR if we decide to update the dates or remove them entirely. @justaugustus can you create a tracking issue?

From @david-a-wheeler in https://github.com/ossf/scorecard/pull/1532#issuecomment-1022512530:

Given the previous comments from @/swinslow , we might want to change all copyright statements to something like:

// Copyright Security Scorecard Authors

See Copyright Notices in Open Source Software Projects. I believe the legal requirement for the copyright statement (with the date) ended in the US in 1976 :-).

[singhsaurabh]

As a new in OpenSource Community, I would like to take this ticket to work on.

[singhsaurabh]

I would like to understand more on this ticket. Thank You

[justaugustus]

DISCLAIMER: I am not a lawyer

A few thoughts, some of which will echo https://github.com/kubernetes/repo-infra/issues/248:

• generated files should not require dates in the copyright header
• most files probably do not require dates in the copyright header
• OpenSSF projects should probably use Copyright OpenSSF Authors instead of Copyright <project> Authors moving forward

[justaugustus]

• generated files should not require dates in the copyright header

From Ed Warnicke in https://github.com/kubernetes/repo-infra/pull/247#issuecomment-1023720141:

Out of curiosity... are you checking for copyrights in generated files? I ask, because typically I tend to think of copyright checks as linting, and linters aren't supposed to lint generated files. Typically linters don't lint generated files, detecting that they are generated by looking for the pattern at the top of generated files:

^// Code generated .* DO NOT EDIT\.$

Per https://pkg.go.dev/cmd/go#hdr-Generate_Go_files_by_processing_source

[justaugustus]

I would like to understand more on this ticket.

So I guess to more concretely answer this, a few things need to happen:

1. Scorecard maintainers (@naveensrinivasan @azeemshaikh38 @laurentsimon me) need to decide if it's fine to elide the copyright date in all files (I'm personally fine with it)
2. OpenSSF and scorecard maintainers need to decide if it's preferred to use OpenSSF Authors as the copyright holder for content in this repo and potentially elsewhere
3. Someone (@singhsaurabh) will update the copyright headers in this repo (as well as any tests that enforce them) based on the decisions on 1 and 2

[laurentsimon]

I'm fine with all the above.

[singhsaurabh]

Thanks @justaugustus

[azeemshaikh38]

@singhsaurabh I have added this item in our bi-weekly. If you drop by, we can discuss this over call.

[singhsaurabh]

Thank you @azeemshaikh38

[caniszczyk]

You can infer the LF stance from CNCF's copyright header policy, we updated it not so long ago: https://github.com/cncf/foundation/blob/main/copyright-notices.md#copyright-notices

There's also information here: https://www.linuxfoundation.org/blog/copyright-notices-in-open-source-software-projects/

[justaugustus]

Based on the feedback from @caniszczyk here and @mkdolan here, we should be fine to move forward with:

• Non-generated files: Copyright [YYYY] OpenSSF Scorecard Authors
• Generated files: Copyright OpenSSF Scorecard Authors

Some discussion and changes to this effect have started in https://github.com/ossf/scorecard/pull/2428.