On 7/25/17 5:14 PM, Shawn Wells wrote:
>
>
> On 7/22/17 2:46 AM, Philippe Thierry wrote:
>> On 22/07/2017 at 05:48, Shawn Wells wrote:
>>
>>> Personally I've no idea how to handle this, so I asked members of Red
>>> Hat's legal team for help.
>>>
>>> Also sent a note requesting feedback from other Red Hat members who
>>> work on international FOSS projects on how they've handled this. Will
>>> report back.
>>>
>> Ok. Thank you for that!
>
> Turns out Red Hat has an open source legal affairs team, chartered
> with helping projects tackle issues like this. Have connected with
> them -- but nothing to report back yet.

Comments from that team:

> Shawn, there are a lot of potential approaches here, but one I'd recommend is
> what DoD code.mil is doing. See:
> https://github.com/deptofdefense/code.mil
>
> The idea is basically this: A project will generally start out with public
> domain code in the US (to the extent it has been created by federal civil
> servants). But the project will designate a true open source license at the
> outset, such as GPLv3 or the Apache License 2.0 or what have you, and the
> project will use the Developer Certificate of Origin with the understanding
> that non-civil-servant contributors are agreeing to license in their
> contributions under the designated open source license. Over time the project
> becomes a mix of (a) federal civil servant code that is public domain in the
> US, (b) federal civil servant code that is under the designated project
> license outside the US, and (c) code from other contributors that is under
> the designated project license.
>
> As further explanation, note that the statement that US government employees
> "cannot hold intellectual property" is not correct. What is true is that in
> the US Copyright Act, works by federal civil servants in the scope of
> employment are outside the scope of copyright - i.e., public domain. However,
> it is generally agreed that this has no applicability to works published
> outside the US. Software today is generally published simultaneously in
> multiple jurisdictions (for example, the SCAP Security Guide, by being
> published on GitHub, is published internationally in multiple countries).
>
> I have a contact who is a lawyer for the code.mil people who may be able to
> help if there is interest in this approach.

Still reading/learning about the code.mil process, but it looks like it'll really help contributions from the non-US community.

This gives US Gov employees/contractors what they need for Public Domain protections, and non-US Gov people can follow an agreed license like MIT/GPL etc. Added bonus: This might also be a way to solve a long-standing gripe about certain vendors using the SSG content without attribution.

Philippe: Can you review the code.mil process?
https://github.com/deptofdefense/code.mil

IIRC:
1) We add https://github.com/deptofdefense/code.mil/blob/master/Proposal/INTENT.md
2) CONTRIBUTING gets updated to look like this: https://github.com/deptofdefense/code.mil/blob/master/Proposal/CONTRIBUTING.md
3) CONTRIBUTORS.md gets updated to look like this: https://github.com/deptofdefense/code.mil/blob/master/Proposal/CONTRIBUTORS.md
4) We pick a new license that best serves the community

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
