SPDX Licensing Clarity #492

Closed
dkruszew opened this issue Dec 16, 2020 · 7 comments · Fixed by #649

@dkruszew

In the current SPDX specification, under section 2.2, it states:

By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you "as-is" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law

Based on the above, it appears that any information within an SPDX file, including details like FileType, PackageSupplier, PackageChecksum and any Relationships (i.e., SPDX-Metadata) becomes CC0 upon release of the SPDX file. Is this a correct interpretation of the above and if so, is there any way to have the SPDX file's data model as CC0 but not the data itself within? This is an important concern for proprietary packages whose creators might not want their contents to be CC0 but still wish to participate with the SPDX specification.

@zvr
Member

zvr commented Dec 16, 2020

You are correct in your understanding that it is expected that SPDX data are licensed under CC0.

This has been discussed a number of times in the past, most recently (I think) in #159, where more pointers to previous discussions are provided.

@ghost

ghost commented Dec 19, 2020

Thank you

@dkruszew
Author

@zvr
Thanks for the prompt response. The rationale for CC0 was helpful. I noticed in this document a mention that CC0 permits the exchange of SPDX files under confidentiality terms, and I reckon this is the way that some SPDX files will go due to concerns about the distribution of details on proprietary packages.

@kestewart
Contributor

Yes, CC0 does permit this, which is one of the reasons it was chosen.

See https://wiki.spdx.org/images/SPDX-TR-2014-1.v1.1.pdf for more background as well.

@kestewart
Contributor

Closing this. Please reopen if there is still an issue to be addressed in the specification.

@swinslow
Member

Hi @kestewart -- I'm reopening this, as I just noticed that it looks like that language fell out of the applicable spec section somewhere between 2.2 and 2.2.1. Looking at https://spdx.github.io/spdx-spec/document-creation-information/#62-data-license-field I'm not seeing it there now. Do you know if this was deleted inadvertently in the 2.2.1 release?

swinslow reopened this Mar 16, 2022
swinslow added the "profile: licensing" (Licensing profile and related matters) label Mar 16, 2022
swinslow added this to the 2.3 milestone Mar 16, 2022
@swinslow
Member

(cc @jlovejoy @pmadick for visibility)
