theupdateframework / community

Community Repository of The Update Framework (TUF)
http://theupdateframework.io/

Added License file #16

Closed Ayush9026 closed 3 months ago

Ayush9026 commented 6 months ago

Description

This PR solves issue https://github.com/theupdateframework/community/issues/7

lukpueh commented 6 months ago

Why MIT? The issue explicitly mentions Apache 2.0. Also, maybe we can use CSL for this repo like we do for the TUF spec? (see https://github.com/theupdateframework/specification/pull/289)

cc @JustinCappos

Ayush9026 commented 6 months ago

Okay @lukpueh sir, I will add whichever one @JustinCappos sir tells me.

JustinCappos commented 6 months ago

TUF's reference implementation is dual licensed, with both MIT and Apache 2.0. However, this isn't a source code repository. So it really doesn't make sense to think about a source code license here. The community license is also not the specification. (I'd appreciate your help ensuring that the spec repo is correctly CSL 1.0 licensed and follows all of the documented steps for having contributions).

I think that since this repo only contains documentation, it should be CC 4.0 International BY licensed or similar. Please propose this on the #tuf channel and see if anyone objects.

Ayush9026 commented 6 months ago

@JustinCappos sir, I asked in the #tuf channel here but did not get any response.

JustinCappos commented 6 months ago

Okay, please switch to CC-BY-4.0

Ayush9026 commented 6 months ago

Thank you @JustinCappos sir for the clarification. I have updated the license to Creative Commons Attribution 4.0 International (CC-BY-4.0) as requested. Please review the changes, and let me know if everything aligns with your requirements.

JustinCappos commented 6 months ago

One thing to check, do we need a SPDX license header or similar for this?

Ayush9026 commented 6 months ago

Thank you @JustinCappos sir for raising this concern. I will await your confirmation regarding the SPDX license header before proceeding with the addition. Once you've reviewed and approved, I'll ensure it's included in the License file accordingly.

JustinCappos commented 6 months ago

Okay, please look for best practices, etc. and see what we should do here. I'd be happy to learn the right way from what you find. I'm not sure if the SPDX header is only applied to individual files, to the license itself, or something else.

On Sun, May 26, 2024 at 10:40 AM Ayush Gupta @.***> wrote:

Thank you @JustinCappos https://github.com/JustinCappos sir for raising this concern. I will await your confirmation regarding the SPDX license header before proceeding with the addition. Once you've reviewed and approved, I'll ensure it's included in the License file accordingly.


h4l0gen commented 6 months ago

Hi @JustinCappos, I researched this. First I looked at what CNCF wants from us. They clearly state here that "Unless otherwise specified, documentation for CNCF projects is licensed under CC-BY-4.0. Code is licensed under Apache 2.0." But I also gathered information from these CNCF graduated projects:

Only Knative and etcd contain a CC-BY-4.0 license in their community/docs/website repositories; the others use Apache-2.0, same as CNCF-techdocs.

Also, from Knative's CC-BY-4.0 license file and this etcd.io license created by @nate-double-u (an honourable member of the CNCF/techdocs team itself), we can be assured that the CC-BY-4.0 license does not require an SPDX license header.

So my vote is also to use CC-BY-4.0 license without SPDX header, as per CNCF guidelines.

An SPDX header can be used in the Apache-2.0 license. Only Knative uses that; they had a whole discussion on this here. The other graduated projects from the above list use the Apache-2.0 license, same as cncf/techdocs (without an SPDX header).

Side-note: SPDX header is only applied to license itself. @JustinCappos

I hope my effort will help us to move forward. Please correct me if I am wrong somewhere 🙏 @JustinCappos @Ayush9026

Thank you 👍

h4l0gen commented 6 months ago

The above research made me think that theupdateframework.io also needs Apache 2.0 and CC-BY-4.0 licenses, as written here:

Most CNCF documentation repositories are a mix of code (website code) and documentation itself, so they need two license files.

So I am raising an issue here for the website license, and if @JustinCappos and others agree, then I will create a PR in python-tuf too, to add another CC-BY-4.0 license, as it contains docs.