Add license files to public repositories

[larsks]

Our public repositories -- whether they're Python, Ansible playbooks, Kubernetes manifests, Documentation, etc -- should have clearly specified licenses associated with them.

We should select a license to be used by default for our content, and then ensure that public facing repositories include an appropriate LICENSE file.

[joachimweyl]

most likely going with Apache 2.0 License. we need to run it by Orran.

[msdisme]

query with OGC

[msdisme]

Concern raised by OGC (section 7, I think) apache.org 2.0 license that we will need to have contributors sign:
ICLA: Individual Contributor License Agreement
CCLA: Corporate Contributor License Agreement
to confirm that they have the right for the contribution.

We used to do this based on OpenStack but have fallen out of the habit. Do we want to consider alternate license options?

[larsks]

https://meshedinsights.com/2016/01/07/apache-license-yes-apache-cla-no/ is an interesting read on the topic of the Apache license. Of particular note:

If you are really worried about certification of origin, use the signed-off-by process using a Developer Certificate of Origin. At all costs avoid signed contributor agreements of any kind if you want broad participation. Certainly don’t demand copyright assignments – they are the ultimate community-chilling act, signalling that you need exclusive proprietary rights that are denied your contributors. But also don’t copy Apache’s ICLA/CCLA as that was not their intent when they devised them. In fact, even Jacob tells me he’d probably emulate the signed-off-by process if he was starting afresh today. You are not the same special case as Apache and neither deserve nor will be granted the same grace.

[msdisme]

link to signed-off-by process above is broken (no idea why, since it is the same as what I played below) - I think this is what it is meant to point at: https://ltsi.linuxfoundation.org/software/signed-off-process/

[msdisme]

query about signed-off-by with OGC

[msdisme]

From: Huang, Lilly <lohuang@bu.edu>
Date: Monday, July 18, 2022 at 11:48 AM
To: Daitzman, Michael S <msd@bu.edu>
Subject: RE: Apache 2.0 license for MOC Alliance repositories

Hi Michael,

Yes – I’m comfortable with the Apache 2.0 license along with the signed-off-by language/process described by the Linux Foundation.

As we discussed, if you expect users to download and use each other’s contributions, I would recommend that we add in the general user agreement that all code/patch is being provided as is without any warranties whatsoever. Let me know if I can help with this.

Thanks,
Lilly

[larsks]

FWIW, the Apache license includes:

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

[larsks]

Based on the discussion here, there is now more to this task than just adding a license file.

Minimally, we will also need to add a CONTRIBUTORS file that details the contribution process, including the signed-off-by requirement, and that includes (or links to) some sort of developer certificate of origin.

[msdisme]

yep - seems like a tool like this: https://github.com/CLAassistant might be helpful?

[larsks]

@msdisme are you sure that's the link you meant to post? That goes to an empty organization with a single empty repository.

In any case, my previous comment wasn't about tooling; it was about the need for documentation -- both in our repositories and potentially on the MOC website.

[msdisme]

closing as now addressed by epic: signed-off-by language/process for licenses on MOC A repositories. Next time will try convert issue to epic option.