Introduction + question about CC0/confidentiality in SPDX 2.2
Haipola, Anna (Nokia - FI/Espoo)
I have recently joined the SPDX legal mailing list and wanted to give a short introduction. My name is Anna Haipola and I am a Legal Counsel supporting the Open Source Program Office at Nokia. I am based in Espoo, Finland. I attended my first external event related to open source software last week at the OSPOlogy.live workshop in Stockholm, and it was truly inspiring to meet professionals working with the same topics in other organizations. I look forward to more collaboration.
The reason why I wanted to get in touch with the SPDX legal team was that I had a question related to section 2.2.2 of the SPDX Specification (version 2.2). SPDX-Metadata is subject to the terms of the Creative Commons CC0 1.0 Universal license. Section 2.2.2 further states: “This approach avoids intellectual property and related restrictions over the SPDX file, however individuals can still contract with each other to restrict release of specific collections of SPDX files (which map to software bill of materials) and the identification of the supplier of SPDX files.”
I was unsure whether this meant that even though the data related to the SPDX fields can be distributed freely under CC0, collections of SPDX files could be protected under confidentiality clauses agreed upon between the SPDX document creator and the recipient. I would be happy to discuss this matter in one of the upcoming Legal Team meetings. I will be joining tomorrow’s meeting, so happy to provide some more details on this proposed agenda item there if there is time.
Looking forward to meeting you tomorrow.
Hi Anna,
You have interpreted the CC0-1.0 designation and comment regarding confidentiality correctly. (Note, it is now section 6.2 in version 2.3 of the spec: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/ )
There was much discussion on this in the very, very early days of SPDX which probably can be found in early email archives or meeting minutes. I haven't dug around, but from my memory of those discussions: The vision of SPDX is "to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability." This was born out of the reality of various entities asking for and passing around software bill of materials information in different formats, often not sharing that information upstream or downstream. The ultimate ideal scenario would be if SPDX documents accompanied software throughout the supply chain. It was important that the standard be open, but also that people could not create an SPDX document and then assert some rights or control upon that information. Thus, CC0-1.0 and the accompanying explanation was chosen to alleviate that concern and signal the desire for an open exchange of this information. At the same time, we wanted to recognize the reality that some entities may feel that the information contained in an SPDX document could expose confidential information and thus may not want everything to be openly available.
Not sure if there's something to discuss here, but happy to have you join any and all of the SPDX legal calls!
On 10/26/22 8:26 AM, Haipola, Anna (Nokia - FI/Espoo) wrote: