re SPDX, I'll do the work, if you'll use the tag
I was tagged in to this list because of the discussion about SPDX license tagging. I sit on the SPDX committee (which doesn't mean much, it's similar to an IETF WG, in that anyone who joins the list, joins the calls, and then does needed work is "on the committee"). It may be useful to have an SPDX tag for the TZ database data files. The SPDX makes nearly zero legal assessment about a license. Applying an SPDX tag to an existing project is intended to document reality in a machine readable way, it is not intended to change reality. Having an SPDX tag is mostly for the benefit of systems and companies who are trying to be scrupulously correct when complying with open source licenses. When the SPDX evaluates a license, the things looked for are "does/will it have real users?", "does it have a stable enough text that the matching tools can correctly identify it?", and "is it for content intended for mostly uncontrolled distribution?". We very much do not get into all the arguments about "is this well defined in europe", "is this a license or a public domain declaration", "is copyright even appropriate", "copyleft is theft", etc etc etc. We don't practice law, and we don't want to dictate policy, we just id licenses for people who just want to know they are doing the right thing when using your files, and make suggestions for projects that want to write a policy about it. Looking at the TZ database history, it has a very long history with lots of contributors, its mostly just a collection of facts, it appears to be a public domain declaration, that started out kind of adhoc. Using one of the existing PD declarations in the SPDX database would not be appropriate, because of the need to get the past contributors to assent, lots of work for no value. What does make sense is creating a new tag, something like "TZ-PD". Then you can start putting "# SDPX-License-Identifier: TZ-PD" in your database text source file, and make life easier for a bunch of people who just want to do the right thing with your data. To repeat, adding that SPDX license tag of a new identifer to id an existing stable in the field declaration, like this, does not change any legal obligations or expose anyone to any new legal risks. It's just a machine readable way of saying what's already been said about the copyright status of the TZ database. So, I'm willing to volunteer to do that lift for the TZ community, if you are willing to use the resulting id tag. What say you? ..m Mark Atwood <mark.atwood@gmail.com> https://keybase.io/fallenpegasus +1-206-604-2198
On 6/29/20 11:51 AM, Mark Atwood wrote:
What does make sense is creating a new tag, something like "TZ-PD". Then you can start putting "# SDPX-License-Identifier: TZ-PD" in your database text source file, and make life easier for a bunch of people who just want to do the right thing with your data.
I guess I'm not seeing why a one-off tag like this would make compliance checking significantly easier. No other project is likely to use the TZ-PD tag, so data consumers doing compliance checking would need to crosscheck "TZ-PD" to see what it really means, which would require looking at tzdb's LICENSE file and/or development history (like you did) to make up their own minds. So for the tzdb project, the SPDX label seems to be an extra bureaucratic step that provides little or no benefit. Anyway, a more-important obstacle is the legal concern expressed in <https://mm.icann.org/pipermail/tz/2020-June/029122.html>. I'm not reassured by the comment "Applying an SPDX tag ... is not intended to change reality." If tzdb comes with a statement that a particular tag applies to tzdb, then consumers would plausibly rely on that statement, and that would be a change to reality that could well have legal effect. (Besides, Occam's razor applies here: doing nothing is the simplest way to not change reality. :-) One possible way out of the legal impasse might be for you to maintain a tzdb release downstream (let's call it "tzdb-spdx") that has the SPDX tags, and for companies to use tzdb-spdx releases instead of the upstream tzdb releases. That way, these companies could rely on you to bear any extra legal liability that would come from attaching the SPDX tags. Before taking such a step, though, I suggest consulting a lawyer with some expertise in the area.
Date: Mon, 29 Jun 2020 11:51:06 -0700 From: "Mark Atwood" <mark.atwood@gmail.com> Message-ID: <25a51bf5-22c1-425d-90c6-1b86cc8f977d@www.fastmail.com> | Looking at the TZ database history, If we're just considering tzdata... | it has a very long history with lots of contributors, | its mostly just a collection of facts, There are two aspects, the data itself, and the form in which it is presented. The data is just facts, and it makes no sense to license any of that (in any way at all) or to apply anything to indicate that status. If I were to tell you that today is Tuesday, and consequently tomorrow is Wednesday, would I also need to issue you some kind of licence (however identified) before you could use that information? The very concept is absurd. On the other hand, the form in which it is presented could very likely be subject to copyright, and could be protected - but for that there are only a small number of authors (perhaps really just one or two) - most of the contributors simply state facts, which are then converted into the appropriate form - and those who don't could just as easily be considered to be breaching copyright (were any asserted) by copying the form to use rather than owning any rights to that form themselves, kind of like making a copy of a form and filling it in, assuming the information supplied is not subject to copyright, then the fact that it is on a form that is means nothing as far as the person filling in the form is concerned (but they could have breached the copyright owner's rights when they copied the form). So: because of the need to get the past contributors to assent, for tzdata that is not a real issue, there are actually only a small number, and those have already indicated assent by placing the "public domain" notice in the files in the first place - but can easily be asked again. What matters more, though to less people, is tzcode, that is all copyrightable (but all intended to be available to anyone, for free, no restrictions at all, no responsibility at all) and does have a much larger number of actual contributors of code that could be subject tp copyrights (but all being donated to the project). kre
* Robert Elz:
There are two aspects, the data itself, and the form in which it is presented. The data is just facts, and it makes no sense to license any of that (in any way at all) or to apply anything to indicate that status.
Some jurisdictions recognize copyright-like protections for databases and database works. For absolute clarity, ICANN (and other parties who might be entitlted to them) could state that it does not intend to claim such rights. A PD declaration on the data could be seen as sufficient. Thanks, Florian
účastníci (4)
-
Florian Weimer -
Mark Atwood -
Paul Eggert -
Robert Elz