Comments (9)
Based on that list, here's a hypothetical way we could turn what seems to be OpenControl's usual practices into a set of recommendations:
- The team that starts a project (or moves it into the OpenControl org) decides the license of that project, taking into consideration recommendations from OpenControl that are intended to help maximize reusability and interoperability. These recommendations could be something like:
  - If 18F starts a project, 18F applies its standard dedication (US public domain + CC0 international), modified to add a standard patent non-assertion pledge. Other people contributing to that project agree to dedicate their contributions under that dedication.
  - If another US federal government team starts a project, they should consider applying this 18F standard dedication to their work.
  - If a non-government team starts a project, they should consider applying Apache v2 (or CC0 with a patent non-assertion pledge). US federal government employee contributions (made as part of their work) would technically be public domain (since we can't hold copyright), but the whole work would be a joint work, so it could reasonably be treated as the overarching license.
  - If any non-government team starts a little repository with just content or experiments, consider applying CC0 rather than having no license.
  - If any team forks and adapts a project from somewhere else, carefully retain and comply with the license (and credit the original authors even if not required). Again, US federal government employee contributions (made as part of their work) would technically be public domain (since we can't hold copyright), but the whole work would be a joint work, so it could reasonably be treated as the overarching license.
from discuss.
I made a quick list of license statuses for repositories in this org, to help us think about this:
US public domain + CC0 internationally
- https://github.com/opencontrol/fedramp-templater
- https://github.com/opencontrol/compliance-masonry
- https://github.com/opencontrol/doc-template
- https://github.com/opencontrol/schemas
- https://github.com/opencontrol/discuss
- https://github.com/opencontrol/compliance-masonry-go
- https://github.com/opencontrol/OpenControl-YAML-editor
US public domain + Apache v2 internationally
AGPL + additions that are US public domain and CC0 internationally
Apache v2
- https://github.com/opencontrol/toscaviewer
- https://github.com/opencontrol/yaml-to-markdown-task
- https://github.com/opencontrol/concourse-spruce-task
- https://github.com/opencontrol/concourse-gitbook-task
CC0
CC0 but file is slightly confusingly labeled Apache v2
No license
- https://github.com/opencontrol/freedonia-compliance
- https://github.com/opencontrol/freedonia-frist
- https://github.com/opencontrol/freedonia-aws-compliance
- https://github.com/opencontrol/freedonia-policies
- https://github.com/opencontrol/aws-compliance
- https://github.com/opencontrol/cf-compliance
- https://github.com/opencontrol/nvd-cve-resource
- https://github.com/opencontrol/sctools
- https://github.com/opencontrol/NIST-800-53-Standards
- https://github.com/opencontrol/FedRAMP-Certifications
- https://github.com/opencontrol/example-pipelines
- https://github.com/opencontrol/components
- https://github.com/opencontrol/certifications
Any non-18F folks have strong feelings about this?
@gregelin ^^ thoughts?
@pburkholder @afeld This gets to the governance question. Seems reasonable that any repo that is part of OpenControl must have an open source license.
At the moment, I don't have a strong opinion regarding requiring a particular open source license. I'm OK with @brittag's recommendations. Happy to add a general/permissive open source license to what GovReady contributes.
Not sure if this should be a tag on this issue (seems like it) or a new one, but the OpenControl fork of my xccdf-tsv tool (mine: https://github.com/adamcrosby/xccdf2tsv OC: https://github.com/opencontrol/xccdf2csv) was updated to include a CC0 license attribution, which is in violation of the terms in the original content (CC-SA, which requires downstream to retain the same license). My copyright header is still in the python file, and it says CC-SA, but the repo readme says the license is CC0.
Thanks @adamcrosby - good catch, that fork should have carried forward the license instead of changing it. Checking this, looks like your readme says by-sa but the Python file says by-nc-sa - should the fork carry forward that combination (so people would follow the more restrictive one by default)?
Pinging @JJediny (author of the post-fork commits) to fix this in the fork. :)
@brittag I'll update the original python in the repo to be less restrictive (by-SA is fine). Unsure how you'd like to move that change into the OpenControl repo (I can submit a PR against your repo if that's necessary, or I'm OK with @JJediny just making the edit in his update as well).
Thanks!
The FAQ page says the following:
"The code portions are all licensed under Apache 2.0, except what has been contributed directly by the US Government, which is in the public domain within the US. Internationally, the US Government licenses its code under Creative Commons Zero 1.0. All written content has been licensed as Creative Commons Zero."
Suggest closing this issue as resolved.