Re: Introduction + question about CC0/confidentiality in SPDX 2.2
Hi Anna,
You have interpreted the CC0-1.0 designation and comment regarding confidentiality correctly. (Note, it is now section 6.2 in version 2.3 of the spec: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/ )
There was much discussion on this in the very, very early days of SPDX which probably can be found in early email archives or meeting minutes. I haven't dug around, but from my memory of those discussions: The vision of SPDX is "to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability." This was born out of the reality of various entities asking for and passing around software bill of materials information in different formats, often not sharing that information upstream or downstream. The ultimate ideal scenario would be if SPDX documents accompanied software throughout the supply chain. It was important that the standard be open, but also that people could not create an SPDX document and then assert some rights or control upon that information. Thus, CC0-1.0 and the accompanying explanation were chosen to alleviate that concern and signal the desire for an open exchange of this information. At the same time, we wanted to recognize the reality that some entities may feel that the information contained in an SPDX document could expose confidential information and thus may not want everything to be openly available.
Not sure if there's something to discuss here, but happy to have you join any and all of the SPDX legal calls!
On 10/26/22 8:26 AM, Haipola, Anna (Nokia - FI/Espoo) wrote: