Hi Anna,
Welcome!
You have interpreted the CC0-1.0 designation and comment regarding
confidentiality correctly. (Note, it is now section 6.2 in version 2.3
of the spec:
https://spdx.github.io/spdx-spec/v2.3/document-creation-information/ )
There was much discussion on this in the very, very early days of SPDX
which probably can be found in early email archives or meeting minutes.
I haven't dug around, but from my memory of those discussions: The vision
of SPDX is "to reduce redundant work by providing common formats for
organizations and communities to share important data, thereby
streamlining and improving compliance, security, and dependability."
This was born out of the reality of various entities asking for and
passing around software bill of materials information in different
formats, often not sharing that information upstream or downstream. The
ultimate ideal scenario would be if SPDX documents accompanied software
throughout the supply chain. It was important that the standard be open,
but also that people could not create an SPDX document and then assert
some rights or control upon that information. Thus, CC0-1.0 and the
accompanying explanation were chosen to alleviate that concern and signal
the desire of an open exchange of this information. At the same time, we
wanted to recognize the reality that some entities may feel that the
information contained in an SPDX document could expose confidential
information and thus may not want everything to be openly available.
Not sure if there's something to discuss here, but happy to have you
join any and all of the SPDX legal calls!
Cheers,
Jilayne
On 10/26/22 8:26 AM, Haipola, Anna (Nokia - FI/Espoo) wrote:
Hi all,
I have recently joined the SPDX legal mailing list and wanted to give
a short introduction. My name is Anna Haipola and I am a Legal Counsel
supporting the Open Source Program Office at Nokia. I am based in
Espoo, Finland. I attended my first external event related to open
source software last week at the OSPOlogy.live workshop in Stockholm,
and it was truly inspiring to meet professionals working with the same
topics in other organizations. I look forward to more collaboration.
The reason why I wanted to get in touch with the SPDX legal team was
that I had a question related to section 2.2.2 of the SPDX
Specification (version 2.2). SPDX-Metadata is subject to the terms of
the Creative Commons CC0 1.0 Universal license. Section 2.2.2 further
states: “This approach avoids intellectual property and related
restrictions over the SPDX
file, however individuals can still contract with each other to
restrict release of specific collections of SPDX files (which map to
software bill of materials) and the identification of the supplier of
SPDX files.”
I was unsure whether this meant that even though the data related to
the SPDX fields can be distributed freely under CC0, collections of
SPDX files could be protected under confidentiality clauses agreed
upon between the SPDX document creator and the recipient. I would be
happy to discuss this matter in one of the upcoming Legal Team
meetings. I will be joining tomorrow’s meeting, so happy to provide
some more details on this proposed agenda item there if there is time.
Looking forward to meeting you tomorrow.
Kind regards,
Anna Haipola
____________________________________________
*Anna Haipola*
Legal Counsel, TECH Legal
Nokia Technologies Oy
Nokia
View/Reply Online (#3261): https://lists.spdx.org/g/Spdx-legal/message/3261