TR: SPDX standard: files are placed in public domain
RUFFIN MICHEL
Dear all, once again on a different topic within our current effort in implementing the SPDX standard.
Here it is a licensing issue.
I am not very comfortable with the licensing issue for the data when using the standard. See below the quick analysis by Barry, our senior attorney on IP issues; I had a quick chat with him today on that subject.
I am not very happy that data must be made in public domain. For the following reasons:
- ALU should not be responsible for the data if we export it. And I understand that there is a clause that allows us to make an exception (ALU name not exported with the data, but it should be the other way around: by default any export file should not imply any responsibility from the exporting company).
- If by mischance there are some comments which we will not want to share with the rest of the world, it should be protected by the licensing conditions.
Legally speaking, implementing a format that implies some obligation on the data is unclear.
So my question is what is the rationale for these licensing conditions and can we alleviate them a bit?
Michel.Ruffin@..., PhD

From: Freedman, Barry H (Barry)
Michel and all: I have looked at the Open Data Commons Public Domain Dedication and License 1.0 (“PDDL-1.0”), which is the license for SPDX 1.0, and also Creative Commons CC0 1.0 Universal license, which is the license for SPDX 1.1. They are both essentially the same, in that they place the SPDX file itself in the public domain, meaning that we have no further copyright rights therein. But, both versions also make it clear that we can temporarily or permanently limit, by a separate and independent agreement, recipients from (i) distribution of a specific aggregation (collection) of SPDX files to others or (ii) disclosing ALU as the source and/or creator of any specific SPDX file(s).
So, we need to be comfortable that the SPDX file itself (including comments in the file) does not contain anything that we do not want to dedicate. Perhaps we can discuss this further at the next FOSS EC meeting.
Let me know if there are questions. Thx. Barry
Barry H. Freedman
Intellectual Property and Standards
Cell: 908-692-6773

Peter Williams <peter.williams@...>
On Fri Jun 15 09:37:17 2012, RUFFIN, MICHEL (MICHEL) wrote:
> I am not very happy that data must be made in public domain. For the

Just to clarify, is it your desire to be allowed to license SPDX files that you produce under terms of your choice? Or are you suggesting that we change the required licensing of SPDX to include a disclaimer of some sort?

Regarding the second bullet, can you provide examples of scenarios where confidentiality agreements (which until now have been the proposed solution to this problem) between you and your partners would be insufficient?

Thanks in advance,
Peter

RUFFIN MICHEL
I need to think a little bit about it with our lawyers on the potential consequences before answering you.
What I want is freedom, to exchange information between companies without constraints. If we need constraints, we put it in the contract. It is not up to SPDX to put the constraints. Give us time to think about consequences/constraints, ... before addressing the issue.

But the question is what was the purpose of this initially?

Michel.Ruffin@..., PhD
Software Coordination Manager, Bell Labs, Corporate CTO Dpt
Distinguished Member of Technical Staff
Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux
Route De Villejust, 91620 Nozay, France

Peter Williams <peter.williams@...>
On Fri Jun 15 14:40:49 2012, RUFFIN, MICHEL (MICHEL) wrote:
> But the question is what was the purpose of this initially?

It is an excellent question. I have never understood the purpose of this "feature" of SPDX so someone else will have to provide the answer.

Peter

Kevin P. Fleming <kpfleming@...>
On 06/15/2012 03:53 PM, Peter Williams wrote:
> On Fri Jun 15 14:40:49 2012, RUFFIN, MICHEL (MICHEL) wrote:
>> But the question is what was the purpose of this initially?
>
> It is an excellent question. I have never understood this purpose of this

I suspect that it may be at least partially based on the fact that the SPDX file consists almost exclusively of data collected from original sources, and copyright law (at least as I've been told, I'm no lawyer) doesn't provide any copyright protection at all for aggregation of otherwise available data. In essence, an SPDX file may not adequately constitute a 'work of authorship' that warrants copyright protection, and thus there really wouldn't be a legitimate way to control its distribution via licensing.

This is just a mildly educated guess late on a Friday afternoon, though. I could be 1000% off base :-)

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@... | SIP: kpfleming@... | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

RUFFIN MICHEL
It is not a definite answer, but discussing with our people implementing the spec (Marc-Etienne in cc), it seems that the checksums would be useful to compare packages between companies, but I do not see a need for the package tar name.
Bradley M. Kuhn <bkuhn@...>
Kevin Fleming wrote at 17:05 (EDT) on Friday:
> [An] SPDX file consists almost exclusively of data collected from

I'd suspect strongly that there *is* an arrangement copyright on the arrangement someone makes. I hope SPDX has done something to deal with this fact.

Arrangement copyrights are usually pretty thin, but I do think that arranging data into an SPDX file is a creative expression. It's clear from reading the spec that there's different ways to arrange the same data into an SPDX file.

--
   -- bkuhn

Jilayne Lovejoy <jilayne.lovejoy@...>
In response to Michel's initial question about CC-0 (and subsequent responses):

Here's some of the back story: This was an issue that the legal work group spent a vast amount of time discussing. Initially we had decided on the PddL license, but got some pretty severe push-back for that license during LinuxCon North America and 1.0 release last August. So, it was back to the drawing board. Due to the many meetings spent discussing this (which may be captured to varying degrees in the meeting minutes around that time...), Mark Gisi (thanks Mark!) posted a summary of the reason for having a license and then the pros and cons of the various license options discussed on its own page (see http://spdx.org/wiki/spdx-metadata-license-rationale-cc0) for easy reference, transparency, and historical purposes. Once we decided on CC-0, we reached out to various community members (including those specifically who had expressed discomfort with PddL) to make sure the new decision was amenable.

That is a very short summary of the process. The webpage referenced above provides a good overview, but naturally does not capture the nuances and details of the concerns, rationale, and so forth raised during those discussions.

Michel - from your previous email, it sounds like you've got an eyebrow raised, but are still formulating exactly what the exact concern is. (I do think that the goal of using an open, permissive license, if one at all, was to facilitate free exchange, which appears to be part of your concern.) In any case, perhaps the above information will help a bit and if you have further concerns, I might suggest either asking for an agenda item on one of the legal calls or I can simply set up a call with some of the key people who were involved in the above process - whichever is more appropriate. Consequently, I have now included this email on the SPDX Legal group list as well, as others may be able to weigh in.

The relevant bits from the various emails are cut and pasted below (separated by a dotted line) for reference for those who missed this on the general SPDX mailing list.

Incidentally - Kevin and Bradley both had good points in regards to the potential legal analysis. The other piece of that puzzle concerns the reality that E.U. law does allow database protection (of facts, that would otherwise not be considered protectable under U.S. law, for example). If anyone is interested in learning more about this, there is an excellent article here: http://www.ifosslr.org/ifosslr/article/view/62 (but don't go learning too much about this law stuff, as you might put us out of work ;)

Cheers,
Jilayne

Jilayne Lovejoy | Corporate Counsel
OpenLogic, Inc.
jlovejoy@... | 720 240 4545

------------
On Fri Jun 15 09:37:17 2012, RUFFIN, MICHEL (MICHEL) wrote:
> I am not very happy that data must be made in public domain. For the

Just to clarify, is it your desire to be allowed to license SPDX files that you produce under terms of your choice? Or are you suggesting that we change the required licensing of SPDX to include a disclaimer of some sort?

Regarding the second bullet, can you provide examples of scenarios where confidentiality agreements (which until now have been the proposed solution to this problem) between you and your partners would be insufficient?

Thanks in advance,
Peter

---------------
What I want is freedom, to exchange information between companies without constraints. If we need constraints, we put it in the contract. It is not up to SPDX to put the constraints. Give us time to think about consequences/constraints, ... before addressing the issue.

But the question is what was the purpose of this initially?

----------------
On 6/15/12 3:05 PM, "Kevin P. Fleming" <kpfleming@...> wrote:
> On 06/15/2012 03:53 PM, Peter Williams wrote:
>> On Fri Jun 15 14:40:49 2012, RUFFIN, MICHEL (MICHEL) wrote:
>>> But the question is what was the purpose of this initially?
>>
>> It is an excellent question. I have never understood this purpose of this
>
> I suspect that it may be at least partially based on the fact that the

RUFFIN MICHEL
As you say (I like the expression), my concern about this license is more like getting an eyebrow raised: what does this license imply?
If I want to export data from our DB, I will not make it public but aim it at a specific company/group. If this is a partner or a non-profit organization, the data will be provided without any liability from ALU that it is correct (we can make mistakes); the goal is to help the partner or non-profit organization. If it is a customer we will probably take a little more commitment and we will add a clause such as "to the best of our knowledge this data is accurate" or something like this. But in any case we will not provide this data with the name of our company as public domain; our lawyers will not accept that. The subject is so complex that there are necessarily mistakes.

Now a disclaimer of warranty and liability is not enough. If I publish a list of software in which I say this software is LGPL, while in fact it is GPL, I can be sued for GPL infringement.

In addition our DB is not SPDX compliant in the way that there are some fields which interpret FOSS license according to ALU policy, special deals done with copyright owners to interpret license differently or have special permissions, consideration regarding patents (ALU or external), ... We are currently doing a cleaning to separate this information from what we can export, but with 200 people feeding independently and continually our database we cannot guarantee that some confidential information will not be in the export file. So public domain is out of the question.

That's for the use case. Now on the legal side. If I generate an export file and I write "Alcatel-Lucent proprietary data - confidential", this is in contradiction with the license saying data must be in public domain. What does the judge decide in this case? I asked the question to our lawyers and they say it is unclear but they are not sure that presenting proprietary data according to a standard might impose a license on the data.

I will be happy to participate in a conf call on the subject; this needs clarification and can jeopardize the success of SPDX. But one of our lawyers (Barry) should be present to understand and explain the implication of this license.

Michel

_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx