licensing for OpenControl repositories about discuss HOT 9 CLOSED

Based on that list, here's a hypothetical way we could turn what seems to be OpenControl's usual practices into a set of recommendations:

• The team that starts a project (or moves it into the OpenControl org) decides the license of that project, taking into consideration recommendations from OpenControl that are intended to help maximize reusability and interoperability. These recommendations could be something like:
  • If 18F starts a project, 18F applies its standard dedication (US public domain + CC0 international), modified to add a standard patent non-assertion pledge. Other people contributing to that project agree to dedicate their contributions under that dedication.
  • If another US federal government team starts a project, they should consider applying this 18F standard dedication to their work.
  • If a non-government team starts a project, they should consider applying Apache v2 (or CC0 with a patent non-assertion pledge). US federal government employee contributions (made as part of their work) would technically be public domain (since we can't hold copyright), but the whole work would be a joint work, so it could reasonably be treated as the overarching license.
  • If any non-government team starts a little repository with just content or experiments, consider applying CC0 rather than having no license.
  • If any team forks and adapts a project from somewhere else, carefully retain and comply with the license (and credit the original authors even if not required). Again, US federal government employee contributions (made as part of their work) would technically be public domain (since we can't hold copyright), but the whole work would be a joint work, so it could reasonably be treated as the overarching license.

from discuss.

I made a quick list of license statuses for repositories in this org, to help us think about this:

US public domain + CC0 internationally

• https://github.com/opencontrol/fedramp-templater
• https://github.com/opencontrol/compliance-masonry
• https://github.com/opencontrol/doc-template
• https://github.com/opencontrol/schemas
• https://github.com/opencontrol/discuss
• https://github.com/opencontrol/compliance-masonry-go
• https://github.com/opencontrol/OpenControl-YAML-editor

US public domain + Apache v2 internationally

• https://github.com/opencontrol/SIMP

AGPL + additions that are US public domain and CC0 internationally

• https://github.com/opencontrol/ATOdashboard

Apache v2

• https://github.com/opencontrol/toscaviewer
• https://github.com/opencontrol/yaml-to-markdown-task
• https://github.com/opencontrol/concourse-spruce-task
• https://github.com/opencontrol/concourse-gitbook-task

CC0

• https://github.com/opencontrol/cf-compliance-DEPRECATED

CC0 but file is slightly confusingly labeled Apache v2

• https://github.com/opencontrol/opencontrol-website

No license

• https://github.com/opencontrol/freedonia-compliance
• https://github.com/opencontrol/freedonia-frist
• https://github.com/opencontrol/freedonia-aws-compliance
• https://github.com/opencontrol/freedonia-policies
• https://github.com/opencontrol/aws-compliance
• https://github.com/opencontrol/cf-compliance
• https://github.com/opencontrol/nvd-cve-resource
• https://github.com/opencontrol/sctools
• https://github.com/opencontrol/NIST-800-53-Standards
• https://github.com/opencontrol/FedRAMP-Certifications
• https://github.com/opencontrol/example-pipelines
• https://github.com/opencontrol/components
• https://github.com/opencontrol/certifications

from discuss.

Any non-18F folks have strong feelings about this?

from discuss.

@gregelin ^^ thoughts?

from discuss.

@pburkholder @afeld This gets to the governance question. Seems reasonable that any repo that is part of OpenControl must have an open source license.

At moment, I don't have strong opinion regarding requiring a particular open source license. I'm OK with @brittag's recommendations. Happy to add a general/permissive open source license to what GovReady contributes.

from discuss.

Not sure if this should be a tag on this issue (seems like it) or a new one, but the OpenControl fork of my xccdf-tsv tool (mine: https://github.com/adamcrosby/xccdf2tsv OC: https://github.com/opencontrol/xccdf2csv) was updated to include a CC0 license attribution, which is in violation of the terms in the original content (CC-SA, which requires downstream to retain same license). My copyright header is still in the python file, and it says CC-SA, but the repo readme says the license is CC0.

from discuss.

Thanks @adamcrosby - good catch, that fork should have carried forward the license instead of changing it. Checking this, looks like your readme says by-sa but the Python file says by-nc-sa - should the fork carry forward that combination (so people would follow the more restrictive one by default)?

Pinging @JJediny (author of the post-fork commits) to fix this in the fork. :)

from discuss.

@brittag I'll update the original python in the repo to be less restrictive (by-SA is fine). Unsure how you'd like to move that change into the OpenControl repo (I can submit a PR against your repo if that's necessary, or I'm OK with @JJediny just making the edit in his update as well.
Thanks!

from discuss.

The FAQ page says the following:

The code portions are all licensed under Apache 2.0, except what has been contributed
directly by the US Government, which is in the public domain within the US. Internationally, the US Government licenses its code under Creative Commons Zero 1.0. All written content
has been licensed as Creative Commons Zero.

Suggest closing this issue as resolved.

from discuss.