spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

Re-evaluating CC0-1.0 as DataLicense for SPDX 3.0 #159

Closed swinslow closed 4 years ago

swinslow commented 4 years ago

The SPDX 3.0 discussions have included questions being raised about whether CC0-1.0 should be retained as the mandatory DataLicense field for SPDX documents.

The SPDX legal team is gathering details about the historical rationales for why the CC0-1.0 license was initially chosen, and how that is seen as operating in SPDX documents. (Much of these rationales are currently present in the existing spec and on the SPDX wiki.)

For those folks who have asked to make a change to the current CC0-1.0 DataLicense, in order to help evaluate this request, I'd ask that they add comments to this issue explaining specifically:

  1. why they believe that CC0-1.0 is not satisfactory for their anticipated use cases for 3.0, in light of the existing rationales in the spec; and
  2. what specific alternative they would want to see (e.g. DataLicense as a field that can take any license expression, or remove the field altogether, etc.)

kestewart commented 4 years ago

@iamwillbar, @pombredanne - if you have examples, can you share your use cases here, so we can justify doing this. Thanks!

jlovejoy commented 4 years ago

I think I posted this on the mailing list but putting link here too, to make sure folks have the background. We had a write-up explaining the rationale for CC-0 - https://wiki.spdx.org/images/SPDX-TR-2014-1.v1.1.pdf

Also, don't forget the preamble (which should be somewhere besides this...) https://wiki.spdx.org/view/Legal_Team/Decisions/SPDX_Metadata_License:_Preamble_and_CC0_1.0_Universal

swinslow commented 4 years ago

I've raised this on a few prior tech team calls requesting input, and haven't seen any feedback in response to the questions raised above to the folks seeking a license change. So I am inclined to close this issue and stick with CC0-1.0 as the document DataLicense.

swinslow commented 4 years ago

No responses, so closing issue.

MarkAtwood commented 1 year ago

I would like to reopen this issue. Amazon has severe reservations about being required to tag the SBOMs of our internal services and delivered products as CC0, even if there is also an NDA in place. We especially don't want to have "you put a CC0 on it" when someone else publishes something that was provided to them by someone breaking their NDA. The other SBOM standards do not require a CC0 or other license tag.