SPDX Licensing Clarity #492
Comments
You are correct in your understanding that it is expected that SPDX data are licensed under CC0. This has been discussed a number of times in the past, most recently (I think) in #159, where more pointers to previous discussions are provided.
Thank you
@zvr
Yes, CC0 does permit this, which is one of the reasons it was chosen. See: https://wiki.spdx.org/images/SPDX-TR-2014-1.v1.1.pdf
Closing this. Please reopen if there is still an issue to be addressed in the specification.
Hi @kestewart -- I'm reopening this, as I just noticed that it looks like that language fell out of the applicable spec section somewhere between 2.2 and 2.2.1. Looking at https://spdx.github.io/spdx-spec/document-creation-information/#62-data-license-field I'm not seeing it there now. Do you know if this was deleted inadvertently in the 2.2.1 release?
In the current SPDX specification, under section 2.2, it states:
By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you "as-is" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law
Based on the above, it appears that any information within an SPDX file, including details like `FileType`, `PackageSupplier`, `PackageChecksum` and any `Relationships` (i.e. SPDX-Metadata) becomes CC0 upon release of the SPDX file. Is this a correct interpretation of the above and if so, is there any way to have the SPDX file's data model as CC0 but not the data itself within? This is an important concern for proprietary packages whose creators might not want their contents to be CC0 but still wish to participate with the SPDX specification.