haskell / security-advisories

Home Page:https://haskell.github.io/security-advisories/

Licence for tool source

frasertweedale opened this issue · comments

SPDX does not offer a general "public domain" declaration, and the concept of "public domain"
is legally problematic. See https://wiki.spdx.org/view/Legal_Team/Decisions/Dealing_with_Public_Domain_within_SPDX_Files
for an overview of the issues.

Therefore we should consider choosing a copyright licence for the tool source code. Most or all of our
current dependencies use BSD-3-Clause.

The advisories themselves can remain public domain.

Public domain is indeed problematic. For instance, it doesn't exist at all in some jurisdictions.

Isn't this what CC0 is created to address?

Here is some commentary on using CC0 for software:

I'm comfortable with CC0. And so far you are the only author, so I guess CC0 it is :)
We can confirm it at the next meeting.

Well, the work is owned by my employer, the Haskell Foundation :-)

Putting on my HF ED hat, I think that either a BSD-style or CC0 is best. Let me puzzle a bit more over it - I want to weigh the surprise factor against the minimal additional liberality.

Google apparently does not like contributing to projects using CC0.

Decision: BSD-3-Clause

TODO:

  • We need to clearly communicate to those who submit proofs of concept, vulnerability descriptions, etc. that it'll be CC0
  • The code licence needs to be clear in the repo, as well as its separation from the content licence