[tz] Use or Apply for SPDX Licence

Sun Jun 21 15:26:01 UTC 2020

On 2020-06-20 15:02, Paul Eggert wrote:
> On 6/20/20 1:45 PM, Paul.Koning at dell.com wrote:
>> Why is anything needed here?
> 
> I guess it's for some sort of packaging software that wants to see a LICENSE
> file containing a bunch of strings like "CC-PDDC" and "BSD-3-Clause". Or maybe
> these strings would need to be in every source file? It's not clear.

See https://spdx.dev/about/

"The Software Package Data Exchange® (SPDX®) specification is a standard format
for communicating the components, licenses and copyrights associated with
software packages.

The SPDX standard helps facilitate compliance with free and open source software
licenses by standardizing the way license information is shared across the
software supply chain. SPDX reduces redundant work by providing a common format
for companies and communities to share important data about software licenses
and copyrights, thereby streamlining and improving compliance.

The SPDX specification is developed by the SPDX workgroup, which is hosted by
the Linux Foundation. The grass-roots effort includes representatives from more
than 20 organizations—software, systems and tool vendors, foundations and
systems integrators—all committed to creating a standard for software package
data exchange formats."

also
https://wiki.spdx.org/view/Legal_Team/Decisions/Dealing_with_Public_Domain_within_SPDX_Files

"The rules around “Public Domain” often vary or are unspecified jurisdiction to
jurisdiction. Adding to the confusion, some jurisdictions may not even recognize
the concept of “Public Domain” (or similar). As such, a license may nevertheless
be required or implied in these cases. Even in the U.S., there is no clear,
officially-sanctioned procedure for affirmatively placing copyright-eligible
works into the “Public Domain” aside from natural statutory expiration of
copyright. The bottom-line is, there are few if any objective, brightline rules
for proactively placing copyright-eligible works into the Public Domain that we
can broadly rely on."

Public domain is not a legal concept in many countries outside the U.S., may not
be recognized in some countries, is not a licence, conveys no rights, or may
require payment of fees to the state or authors' societies (in Africa and South
America, some of which have abolished them; recently proposed by Germany for
Europe); see:
	https://en.wikipedia.org/wiki/Paying_public_domain
[OT: I'm surprised more countries do not, although a number do have a private
copying levy or royalty on sales of blank media and/or recording equipment (in
some places, any device containing memory), as some percentage is deemed to be
sold for use to copy published works; see
	https://en.wikipedia.org/wiki/Private_copying_levy
]

Please consider the problems tz has using the definitive and timely IERS
leap-seconds.list, due to lack of any explicit licence, having to wait until
NIST generates their derivative release, as that is a US government derived
product in the public domain.

> It would be helpful to know more details. What is the packaging software? How
> does that software work with tzdb now? Why would the change (whatever it is)
> save everybody time?

SPDX is under the Linux Foundation, and Linux has now been plastered with SPDX
labels in all source files, and other projects are adding them, to reduce the
effort of replying to compliance/risk management and other queries from supply
chain managers: keeping product acquisition staff busy working from home.

> If the IETF has a task force on this topic, perhaps we should wait for it to
> come to a conclusion before worrying about the issue.

See:

https://trustee.ietf.org/trust-legal-provisions.html
https://trustee.ietf.org/license-info/IETF-TLP-5.htm
https://trustee.ietf.org/copyright-faq.html
https://tools.ietf.org/html/rfc5377
https://tools.ietf.org/html/rfc5378

and normative and informative references included therein.

It appears from these documents that the IETF legal team (so far) have a narrow
focus on IETF documents and U.S. Copyright law, and fail to address the
situation elsewhere, beyond acknowledging consideration of the Berne convention.

FAQ 1.11 "No license is needed to use or modify public domain documents.
However, given the complexity of determining whether or not a particular
document is in the public domain, the IETF Trust does not seek to differentiate
between public domain and non-public domain documents. Thus, the same assurances
are requested, and the same licenses are granted, for all documents. In the case
of public domain documents, however, your rights may be greater than those
granted under the IETF Trust’s outbound license."

That applies only in the U.S. and not the parts of the rest of the world where
PD is unrecognized.
Kim Davies said only that SPDX tagging would be taken into consideration by the
IETF, not that licensing of PD content would be treated any differently to other
IETF content, and whether tz content may be considered IETF content (under BSD
simplified), handled under an alternate stream, or considered independent, so
not considered by the IETF (I'd bet on this option).

It would useful to know where information about this topic by the IETF is being
posted, as:

	https://mailarchive.ietf.org/arch/browse/tlp-interest/

shows no (relevant) activity since 2015.

As there are concerns about IERS leap-seconds.list on this list, European and
other country product compliance/risk management/supply chain staff have
concerns about tz content.

So list members involved in such concerns may want to make those known.

And it is normally better to get ahead of the requests, before product
compliance/risk management/supply chain folks work their way down to emailing
this list.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]