Hello project, I would like to raise for open discussion the rpm spec copyright headers. Let's use the following as an entry example to see if we can find an general opinion or solution. This should not be considered escalation on the SR. systemd maintainer Franck declined my SR#1232931 [1] for boo#1234765 [2] with the following note:
Thanks. Can you please resubmit without changing the copyright ?
Allow me to lay out the following thoughts: openSUSE packages are licensed and distributed under an OSI approved license. Changes to the package by another party create derivative works. That copyright is not owned exclusively by the original creator, the part that the contributor added is owned by them. Or, verbatim from the standard header:
# All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon.
Many packages contain "Copyright (c) {{ year }} SUSE LLC" . The vim .spec template, spec-cleaner and the corresponding source service update this regularly. They also update the copyright year to the current year unless the right parameters are passed, and even so if no people employed by SUSE LLC are involved. My original packages contain my own copyright. As a contributor I am happy to license my works to anyone, including SUSE LLC, under an open source license. What I am not doing is assign exclusive ownership to SUSE LLC, neither for my original packages nor for my contributions. I believe this is in the spirit of FLOSS. We should clarify the obvious: assigning exclusive copyright to SUSE LLC is not a requirement for contribution for openSUSE, the text makes that clear. But there is no single best way to reflect that, and who owns what, if "SUSE LLC" keeps getting added, automatically, at the top (!), while we reject contributors adding their own. You can reject such submissions, what what message are we sending to openSUSE contributors that are not bound to assign their work to the company? The following points may need to be part of the discussion: Should spec-cleaner/format_spec_file have a mode, default, for non-SUSE contributors? Specifically, do not add the SUSE LLC copyright or update it's year unless the contribution is done on behalf of SUSE LLC. There may be a triviality limit for what constitutes a copyrightable contribution to an rpm spec, given that many constructs are trivial, tool generated, or copied from another package, distribution, or the wiki. There may be bit of a stylistic problem of proliferation of copyright lines. Changing/removal of any lines not your own should be avoided. The spec header refers to the license of the upstream package. Upstream packages are known to change licenses. That means that in these cases the license of the spec file changes, but the copyright holder can do that. And in the case of a community contribution, that is not "SUSE LLC" exclusively. Re-licensing this is different from creating a derivative work under a compatible FLOSS license. Finally, I do not want to leave you without a specific proposal. Here it is:
# Copyright (C) YEAR openSUSE project and contributors, see package changelog.
Not the best idea, but one that includes the outside contributors. Happy to discuss, Andreas [1] https://build.opensuse.org/request/show/1232931 [2] https://bugzilla.opensuse.org/show_bug.cgi?id=1234765
Hi,
Many packages contain "Copyright (c) {{ year }} SUSE LLC" . The vim .spec template, spec-cleaner and the corresponding source service update this regularly. They also update the copyright year to the current year unless the right parameters are passed, and even so if no people employed by SUSE LLC are involved.
My original packages contain my own copyright. As a contributor I am happy to license my works to anyone, including SUSE LLC, under an open source license. What I am not doing is assign exclusive ownership to SUSE LLC, neither for my original packages nor for my contributions. I believe this is in the spirit of FLOSS.
We should clarify the obvious: assigning exclusive copyright to SUSE LLC is not a requirement for contribution for openSUSE, the text makes that clear. But there is no single best way to reflect that, and who owns what, if "SUSE LLC" keeps getting added, automatically, at the top (!), while we reject contributors adding their own. You can reject such submissions, what what message are we sending to openSUSE contributors that are not bound to assign their work to the company?
SUSE LLC being listed as sole copyright holder is one point stopping me from actively contributing or largely promoting openSUSE distributions (in addition to the project's insistance in promoting Google and Microsoft platforms). Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen. -nik
Gesendet: Montag, den 23.12.2024 um 12:21 Uhr Von: "Dominik George" <nik@naturalnet.de> An: project@lists.opensuse.org Betreff: Re: spec file copyright headers
Hi Dominik, Thank you for your Feedback!
Hi,
SUSE LLC being listed as sole copyright holder is one point stopping me from actively contributing or largely promoting openSUSE distributions (in addition to the project's insistance in promoting Google and Microsoft platforms).
Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
Have you got the special legal reference for that? Best regards, Sarah
-nik
On 2024-12-24 13:03, Sarah Julia Kriesch wrote:
Gesendet: Montag, den 23.12.2024 um 12:21 Uhr Von: "Dominik George" <nik@naturalnet.de>
[...] Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
Have you got the special legal reference for that?
I believe that this refers to § 7 UrhG and the related commentary, requiring a natural person, not a legal entity. Since our work happens on "the internet", that particular discussion may be a side show. Andreas
some clarifications On 23/12/2024 11:21, Dominik George wrote:
Hi,
Many packages contain "Copyright (c) {{ year }} SUSE LLC" . The vim .spec template, spec-cleaner and the corresponding source service update this regularly. They also update the copyright year to the current year unless the right parameters are passed, and even so if no people employed by SUSE LLC are involved.
My original packages contain my own copyright. As a contributor I am happy to license my works to anyone, including SUSE LLC, under an open source license. What I am not doing is assign exclusive ownership to SUSE LLC, neither for my original packages nor for my contributions. I believe this is in the spirit of FLOSS.
We should clarify the obvious: assigning exclusive copyright to SUSE LLC is not a requirement for contribution for openSUSE, the text makes that clear. But there is no single best way to reflect that, and who owns what, if "SUSE LLC" keeps getting added, automatically, at the top (!), while we reject contributors adding their own. You can reject such submissions, what what message are we sending to openSUSE contributors that are not bound to assign their work to the company? SUSE LLC being listed as sole copyright holder is one point stopping me from actively contributing or largely promoting openSUSE distributions (in addition to the project's insistance in promoting Google and Microsoft platforms).
Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
-nik
I doubt that "outright illegal" is true.. It depends on the agreements made between the original author and others - including companies. For example if you are employed by a company then you may need to check your employment contract - it may stipulated there that copyrighted works are automatically assigned. (Look to any music company to see that kind of behaviour.) A company/organisation possesses, legally speaking, the same rights as a person; they can be taxed, sued and bankrupted, so they can hold patents and copyrights. Having said that, yes, to transfer the copyright to /anyone - /without the permission of the original author, is mostly likely illegal. I say mostly, because it might be transferred in the case of bankruptcy of the owner because it is an asset. In any case it depends on agreements that have been reached. One thing to be aware of though, is that assigning copyright/patents/trademarks to "openSUSE" is pointless because at the moment, "openSUSE" is neither a person or a company/organisation. It is simply a trademark of SUSE, and has no legal status. This is why the Geeko Foundation exists - to provide a legal entity for the community to rally behind. Obviously a macro assigning a copyright to a third party is... questionable, unless there are is an agreement in place. (ie a checkbox on every build "by using OBS you agree to SUSE Inc being joint copyright holder") Alternatively, moving from overwrite-able text files to recording copyright ownership, transfers and additions in a global public ledger makes sense. Just don't call it blockchain. ;) /p -- <br/> <b>Patrick Fitzgerald</b>
Hello, Am Freitag, 27. Dezember 2024, 17:54 schrieb Patrick Fitzgerald:
On 23/12/2024 11:21, Dominik George wrote:
Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
I doubt that "outright illegal" is true.. It depends on the agreements made between the original author and others - including companies. For example if you are employed by a company then you may need to check your employment contract - it may stipulated there that copyrighted works are automatically assigned. (Look to any music company to see that kind of behaviour.)
Sorry to disappoint you, but it's not that easy - different countries have different copyright laws. The german Urheberrecht (roughly translated: author's right or creator's right) has exactly one way to transfer the Urheberrecht. Sorry if it sounds harsh (and it's not meant personal ;-) - you have to die. See https://en.wikipedia.org/wiki/Copyright_law_of_Germany (especially the "Transfer" section) for a more verbose version (the german wikipedia page is more detailed, but the english one is probably good enough to get an overview). You can of course license your work to someone else, including an exclusive license, for example for your employer. However, even with an exclusive license, some rights remain with the original author.
A company/organisation possesses, legally speaking, the same rights as a person; they can be taxed, sued and bankrupted, so they can hold patents and copyrights.
Yes, but - as I understand it - a company can NOT hold the german Urheberrecht because that's bound to a person (or that person's inheritor).
Obviously a macro assigning a copyright to a third party is... questionable,
I'm quite sure copyright laws around the world have stronger words for that. (No, I did not read these laws, and IANAL.) Needless to say that the german Urheberrecht (and probably also international copyright laws) contain some penalties for copyright violations - for some cases they even offer a nice place in a jail.
unless there are is an agreement in place. (ie a checkbox on every build "by using OBS you agree to SUSE Inc being joint copyright holder")
That would be a CLA (Contributor License Agreement), and lots of companies have been bashed for forcing contributors to sign it. Basically the only thing CLAs are good for is to scare away possible contributors. That said - (luckily) we don't have such a CLA checkbox in OBS, which means SUSE has no right to add its copyright on packages no SUSE employee ever touched. To make things even worse: IIRC [1] the diff shown during osc commit does not show the addition or update of the SUSE copyright. Instead, this gets done behind my back. Still, "of course" if I look at the version history in OBS, it looks like it was part of my commit.
Alternatively, moving from overwrite-able text files to recording copyright ownership, transfers and additions in a global public ledger makes sense. Just don't call it blockchain. ;)
This is a "solution" for a totally different problem - for a problem we don't have. It's not even a solution for the "partially accepted SR" (aka copy & paste from the original SR) that lead to this discussion. That said, and just as an idea - let's call it, hmm... $package.changes? No need for a blockchain. Regards, Christian Boltz [1] It's been a while since I noticed that, so I'm not 100% sure if it's still valid. I have package update on my TODO list which I'll delay for a few days so that I can see if the SUSE copyright gets updated to 2025, and if the diff shown by osc commit shows the change. -- After a little bit of thinking* [...] * yes, I do it sometimes and yes, it usually hurts and leads to bad stuff, I'll try not to do it again [Jos Poortvliet in opensuse-factory]
Hi Patrick, Thanks for your perspective! But do you really want to break (German) laws, because the Geeko Foundation is not ready? Björn has referenced the same as I have learned in AMOS (Agile Methods & Open Source) at the university. There are SPDX headers available. That has been established as a standard for open source projects. This is a good example[0], how a good Copyright can look like: # Copyright [year file created] - [last year file modified], [project founder] and the [project name] contributors # SPDX-License-Identifier: [SPDX license expression] Alternatively we can use something equal to that (based on our Commits): SPDXVersion: SPDX-2.1 DataLicense: CC0-1.0 PackageName: Foo PackageOriginator: David A. Wheeler PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/ PackageLicenseDeclared: MIT That is matching also the requirements of the German Urheberrechtgesetzes. But I have to agree, that OBS should not remove the names of the Authors. And no Blockchain can help here. If required, I can translate also the special law to English for you. I am also surprised about SUSE LLC in the Copyright instead of SUSE Software Solutions GmbH. I know SUSE as a (former) German company. Best regards, Sarah [0] https://github.com/david-a-wheeler/spdx-tutorial/blob/master/README.md
Gesendet: Freitag, 27. Dezember 2024 um 23:20 Von: "Christian Boltz" <opensuse@cboltz.de> An: project@lists.opensuse.org Betreff: Re: spec file copyright headers
Hello,
Am Freitag, 27. Dezember 2024, 17:54 schrieb Patrick Fitzgerald:
On 23/12/2024 11:21, Dominik George wrote:
Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
I doubt that "outright illegal" is true.. It depends on the agreements made between the original author and others - including companies. For example if you are employed by a company then you may need to check your employment contract - it may stipulated there that copyrighted works are automatically assigned. (Look to any music company to see that kind of behaviour.)
Sorry to disappoint you, but it's not that easy - different countries have different copyright laws.
The german Urheberrecht (roughly translated: author's right or creator's right) has exactly one way to transfer the Urheberrecht. Sorry if it sounds harsh (and it's not meant personal ;-) - you have to die.
See https://en.wikipedia.org/wiki/Copyright_law_of_Germany (especially the "Transfer" section) for a more verbose version (the german wikipedia page is more detailed, but the english one is probably good enough to get an overview).
You can of course license your work to someone else, including an exclusive license, for example for your employer. However, even with an exclusive license, some rights remain with the original author.
A company/organisation possesses, legally speaking, the same rights as a person; they can be taxed, sued and bankrupted, so they can hold patents and copyrights.
Yes, but - as I understand it - a company can NOT hold the german Urheberrecht because that's bound to a person (or that person's inheritor).
Obviously a macro assigning a copyright to a third party is... questionable,
I'm quite sure copyright laws around the world have stronger words for that. (No, I did not read these laws, and IANAL.)
Needless to say that the german Urheberrecht (and probably also international copyright laws) contain some penalties for copyright violations - for some cases they even offer a nice place in a jail.
unless there are is an agreement in place. (ie a checkbox on every build "by using OBS you agree to SUSE Inc being joint copyright holder")
That would be a CLA (Contributor License Agreement), and lots of companies have been bashed for forcing contributors to sign it. Basically the only thing CLAs are good for is to scare away possible contributors.
That said - (luckily) we don't have such a CLA checkbox in OBS, which means SUSE has no right to add its copyright on packages no SUSE employee ever touched.
To make things even worse:
IIRC [1] the diff shown during osc commit does not show the addition or update of the SUSE copyright. Instead, this gets done behind my back. Still, "of course" if I look at the version history in OBS, it looks like it was part of my commit.
Alternatively, moving from overwrite-able text files to recording copyright ownership, transfers and additions in a global public ledger makes sense. Just don't call it blockchain. ;)
This is a "solution" for a totally different problem - for a problem we don't have.
It's not even a solution for the "partially accepted SR" (aka copy & paste from the original SR) that lead to this discussion.
That said, and just as an idea - let's call it, hmm... $package.changes?
No need for a blockchain.
Regards,
Christian Boltz
[1] It's been a while since I noticed that, so I'm not 100% sure if it's still valid. I have package update on my TODO list which I'll delay for a few days so that I can see if the SUSE copyright gets updated to 2025, and if the diff shown by osc commit shows the change.
-- After a little bit of thinking* [...] * yes, I do it sometimes and yes, it usually hurts and leads to bad stuff, I'll try not to do it again [Jos Poortvliet in opensuse-factory]
On 29/12/2024 17:34, Sarah Julia Kriesch wrote: Hi Patrick, Thanks for your perspective! But do you really want to break (German) laws, because the Geeko Foundation is not ready? er, no? that wasn't my point - my point was that it depends you have the agreements that one might have with an employer. If you are employed by SUSE, or any other company) it is highly likely that your contract contains a clause that assigns or co-assigns copyright of any works to them. I could be wrong though. Björn has referenced the same as I have learned in AMOS (Agile Methods & Open Source) at the university. There are SPDX headers available. That has been established as a standard for open source projects. This is a good example[0], how a good Copyright can look like: # Copyright [year file created] - [last year file modified], [project founder] and the [project name] contributors # SPDX-License-Identifier: [SPDX license expression] Alternatively we can use something equal to that (based on our Commits): SPDXVersion: SPDX-2.1 DataLicense: CC0-1.0 PackageName: Foo PackageOriginator: David A. Wheeler PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/ PackageLicenseDeclared: MIT That is matching also the requirements of the German Urheberrechtgesetzes. But I have to agree, that OBS should not remove the names of the Authors. sounds good! And no Blockchain can help here. I was musing on that simply because it's immune to rogue actors changing authorship / copyright, and would be a great way to audit code. Nothing more. If required, I can translate also the special law to English for you. No need - I am aware of the important parts. I am also surprised about SUSE LLC in the Copyright instead of SUSE Software Solutions GmbH. I know SUSE as a (former) German company. Yes, that is interesting. That's the US based entity. The controlling entity (SUSE SA) is based in Luxembourg. SUSE GmbH still exists. Would be interesting to know why it's assigned to the US...? Best regards, Sarah I just had a thought. If it's only the spec files in question, if could be argued that they are essential for the smooth build of a SUSE/openSUSE solution, and therefore ONLY the spec file is covered? After all, the SUSE header does say: # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. Thoughts? [0] https://github.com/david-a-wheeler/spdx-tutorial/blob/master/README.md Gesendet: Freitag, 27. Dezember 2024 um 23:20 Von: "Christian Boltz" <opensuse@cboltz.de> An: project@lists.opensuse.org Betreff: Re: spec file copyright headers Hello, Am Freitag, 27. Dezember 2024, 17:54 schrieb Patrick Fitzgerald: On 23/12/2024 11:21, Dominik George wrote: Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen. I doubt that "outright illegal" is true.. It depends on the agreements made between the original author and others - including companies. For example if you are employed by a company then you may need to check your employment contract - it may stipulated there that copyrighted works are automatically assigned. (Look to any music company to see that kind of behaviour.) Sorry to disappoint you, but it's not that easy - different countries have different copyright laws. The german Urheberrecht (roughly translated: author's right or creator's right) has exactly one way to transfer the Urheberrecht. Sorry if it sounds harsh (and it's not meant personal ;-) - you have to die. See https://en.wikipedia.org/wiki/Copyright_law_of_Germany (especially the "Transfer" section) for a more verbose version (the german wikipedia page is more detailed, but the english one is probably good enough to get an overview). You can of course license your work to someone else, including an exclusive license, for example for your employer. However, even with an exclusive license, some rights remain with the original author. A company/organisation possesses, legally speaking, the same rights as a person; they can be taxed, sued and bankrupted, so they can hold patents and copyrights. Yes, but - as I understand it - a company can NOT hold the german Urheberrecht because that's bound to a person (or that person's inheritor). Obviously a macro assigning a copyright to a third party is... questionable, I'm quite sure copyright laws around the world have stronger words for that. (No, I did not read these laws, and IANAL.) Needless to say that the german Urheberrecht (and probably also international copyright laws) contain some penalties for copyright violations - for some cases they even offer a nice place in a jail. unless there are is an agreement in place. (ie a checkbox on every build "by using OBS you agree to SUSE Inc being joint copyright holder") That would be a CLA (Contributor License Agreement), and lots of companies have been bashed for forcing contributors to sign it. Basically the only thing CLAs are good for is to scare away possible contributors. That said - (luckily) we don't have such a CLA checkbox in OBS, which means SUSE has no right to add its copyright on packages no SUSE employee ever touched. To make things even worse: IIRC [1] the diff shown during osc commit does not show the addition or update of the SUSE copyright. Instead, this gets done behind my back. Still, "of course" if I look at the version history in OBS, it looks like it was part of my commit. Alternatively, moving from overwrite-able text files to recording copyright ownership, transfers and additions in a global public ledger makes sense. Just don't call it blockchain. ;) This is a "solution" for a totally different problem - for a problem we don't have. It's not even a solution for the "partially accepted SR" (aka copy & paste from the original SR) that lead to this discussion. That said, and just as an idea - let's call it, hmm... $package.changes? No need for a blockchain. Regards, Christian Boltz [1] It's been a while since I noticed that, so I'm not 100% sure if it's still valid. I have package update on my TODO list which I'll delay for a few days so that I can see if the SUSE copyright gets updated to 2025, and if the diff shown by osc commit shows the change. -- After a little bit of thinking* [...] * yes, I do it sometimes and yes, it usually hurts and leads to bad stuff, I'll try not to do it again [Jos Poortvliet in opensuse-factory]
Hey, Please fix the text part of your message the quoting is entirely broken on that one and even on the HTML part it was hard to follow. Please quote standard conform using >. I might reply to some parts of your mail wrong as it is very hard to follow back where the content was. "Patrick Fitzgerald" <patrickf@i-layer.com> writes:
On 29/12/2024 17:34, Sarah Julia Kriesch wrote:
Hi Patrick,
Thanks for your perspective! But do you really want to break (German) laws, because the Geeko Foundation is not ready?
er, no? that wasn't my point - my point was that it depends you have the agreements that one might have with an employer. If you are employed by SUSE, or any other company) it is highly likely that your contract contains a clause that assigns or co-assigns copyright of any works to them.
I could be wrong though.
Björn has referenced the same as I have learned in AMOS (Agile Methods & Open Source) at the university. There are SPDX headers available. That has been established as a standard for open source projects. This is a good example[0], how a good Copyright can look like: # Copyright [year file created] - [last year file modified], [project founder] and the [project name] contributors # SPDX-License-Identifier: [SPDX license expression]
Alternatively we can use something equal to that (based on our Commits): SPDXVersion: SPDX-2.1 DataLicense: CC0-1.0 PackageName: Foo PackageOriginator: David A. Wheeler PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/ PackageLicenseDeclared: MIT
That is matching also the requirements of the German Urheberrechtgesetzes. But I have to agree, that OBS should not remove the names of the Authors.
sounds good!
And no Blockchain can help here.
I was musing on that simply because it's immune to rogue actors changing authorship / copyright, and would be a great way to audit code. Nothing more.
If required, I can translate also the special law to English for you.
No need - I am aware of the important parts.
I am also surprised about SUSE LLC in the Copyright instead of SUSE Software Solutions GmbH. I know SUSE as a (former) German company.
Yes, that is interesting. That's the US based entity. The controlling entity (SUSE SA) is based in Luxembourg. SUSE GmbH still exists. Would be interesting to know why it's assigned to the US...?
I assume because the US law may give the more rights to the coypright holder vs. the author. I'm also not sure if you can assign your copyright to someone else in Europe. As explained in quote message below.
Best regards, Sarah
I just had a thought. If it's only the spec files in question, if could be argued that they are essential for the smooth build of a SUSE/openSUSE solution, and therefore ONLY the spec file is covered? After all, the SUSE header does say:
# All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon.
Thoughts?
Sounds ok but each coypright holder who significantly contribute to the file has to be in the file. If not the suggestion is to vague.
[0] https://github.com/david-a-wheeler/spdx-tutorial/blob/master/README.md
Gesendet: Freitag, 27. Dezember 2024 um 23:20 Von: "Christian Boltz" <opensuse@cboltz.de> An: project@lists.opensuse.org Betreff: Re: spec file copyright headers
Hello,
Am Freitag, 27. Dezember 2024, 17:54 schrieb Patrick Fitzgerald:
On 23/12/2024 11:21, Dominik George wrote:
Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
I doubt that "outright illegal" is true.. It depends on the agreements made between the original author and others - including companies. For example if you are employed by a company then you may need to check your employment contract - it may stipulated there that copyrighted works are automatically assigned. (Look to any music company to see that kind of behaviour.)
Sorry to disappoint you, but it's not that easy - different countries have different copyright laws.
The german Urheberrecht (roughly translated: author's right or creator's right) has exactly one way to transfer the Urheberrecht. Sorry if it sounds harsh (and it's not meant personal ;-) - you have to die.
See https://en.wikipedia.org/wiki/Copyright_law_of_Germany (especially the "Transfer" section) for a more verbose version (the german wikipedia page is more detailed, but the english one is probably good enough to get an overview).
You can of course license your work to someone else, including an exclusive license, for example for your employer. However, even with an exclusive license, some rights remain with the original author.
A company/organisation possesses, legally speaking, the same rights as a person; they can be taxed, sued and bankrupted, so they can hold patents and copyrights.
Yes, but - as I understand it - a company can NOT hold the german Urheberrecht because that's bound to a person (or that person's inheritor).
Obviously a macro assigning a copyright to a third party is... questionable,
I'm quite sure copyright laws around the world have stronger words for that. (No, I did not read these laws, and IANAL.)
Needless to say that the german Urheberrecht (and probably also international copyright laws) contain some penalties for copyright violations - for some cases they even offer a nice place in a jail.
unless there are is an agreement in place. (ie a checkbox on every build "by using OBS you agree to SUSE Inc being joint copyright holder")
That would be a CLA (Contributor License Agreement), and lots of companies have been bashed for forcing contributors to sign it. Basically the only thing CLAs are good for is to scare away possible contributors.
That said - (luckily) we don't have such a CLA checkbox in OBS, which means SUSE has no right to add its copyright on packages no SUSE employee ever touched.
To make things even worse:
IIRC [1] the diff shown during osc commit does not show the addition or update of the SUSE copyright. Instead, this gets done behind my back. Still, "of course" if I look at the version history in OBS, it looks like it was part of my commit.
Alternatively, moving from overwrite-able text files to recording copyright ownership, transfers and additions in a global public ledger makes sense. Just don't call it blockchain. ;)
This is a "solution" for a totally different problem - for a problem we don't have.
It's not even a solution for the "partially accepted SR" (aka copy & paste from the original SR) that lead to this discussion.
That said, and just as an idea - let's call it, hmm... $package.changes?
No need for a blockchain.
Regards,
Christian Boltz
[1] It's been a while since I noticed that, so I'm not 100% sure if it's still valid. I have package update on my TODO list which I'll delay for a few days so that I can see if the SUSE copyright gets updated to 2025, and if the diff shown by osc commit shows the change.
-- After a little bit of thinking* [...] * yes, I do it sometimes and yes, it usually hurts and leads to bad stuff, I'll try not to do it again [Jos Poortvliet in opensuse-factory]
Sarah Julia Kriesch <ada.lovelace@gmx.de> writes:
Hi Patrick,
Thanks for your perspective! But do you really want to break (German) laws, because the Geeko Foundation is not ready?
I really hope this whole Gecko foundation thing would not be so US centric..
Björn has referenced the same as I have learned in AMOS (Agile Methods & Open Source) at the university. There are SPDX headers available. That has been established as a standard for open source projects. This is a good example[0], how a good Copyright can look like: # Copyright [year file created] - [last year file modified], [project founder] and the [project name] contributors # SPDX-License-Identifier: [SPDX license expression]
Alternatively we can use something equal to that (based on our Commits): SPDXVersion: SPDX-2.1 DataLicense: CC0-1.0 PackageName: Foo PackageOriginator: David A. Wheeler PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/ PackageLicenseDeclared: MIT
AFAIK this is already inside the spec file as the license of package already uses SDPX-tags. I don't think we have to include redundant information in the spec file. The SPDX-tags for the copyright holder(s) of the file and the license it is on should be enough.
That is matching also the requirements of the German Urheberrechtgesetzes. But I have to agree, that OBS should not remove the names of the Authors. And no Blockchain can help here. If required, I can translate also the special law to English for you. I am also surprised about SUSE LLC in the Copyright instead of SUSE Software Solutions GmbH. I know SUSE as a (former) German company.
Following the earlier message it might not be possible to assign copyright in German copyright. The Fedaral Ministry of Justice in Germany has some translations of the German laws: https://www.gesetze-im-internet.de/Teilliste_translations.html
Best regards, Sarah
[0] https://github.com/david-a-wheeler/spdx-tutorial/blob/master/README.md
Gesendet: Freitag, 27. Dezember 2024 um 23:20 Von: "Christian Boltz" <opensuse@cboltz.de> An: project@lists.opensuse.org Betreff: Re: spec file copyright headers
Hello,
Am Freitag, 27. Dezember 2024, 17:54 schrieb Patrick Fitzgerald:
On 23/12/2024 11:21, Dominik George wrote:
Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
I doubt that "outright illegal" is true.. It depends on the agreements made between the original author and others - including companies. For example if you are employed by a company then you may need to check your employment contract - it may stipulated there that copyrighted works are automatically assigned. (Look to any music company to see that kind of behaviour.)
Sorry to disappoint you, but it's not that easy - different countries have different copyright laws.
The german Urheberrecht (roughly translated: author's right or creator's right) has exactly one way to transfer the Urheberrecht. Sorry if it sounds harsh (and it's not meant personal ;-) - you have to die.
See https://en.wikipedia.org/wiki/Copyright_law_of_Germany (especially the "Transfer" section) for a more verbose version (the german wikipedia page is more detailed, but the english one is probably good enough to get an overview).
You can of course license your work to someone else, including an exclusive license, for example for your employer. However, even with an exclusive license, some rights remain with the original author.
A company/organisation possesses, legally speaking, the same rights as a person; they can be taxed, sued and bankrupted, so they can hold patents and copyrights.
Yes, but - as I understand it - a company can NOT hold the german Urheberrecht because that's bound to a person (or that person's inheritor).
Obviously a macro assigning a copyright to a third party is... questionable,
I'm quite sure copyright laws around the world have stronger words for that. (No, I did not read these laws, and IANAL.)
Needless to say that the german Urheberrecht (and probably also international copyright laws) contain some penalties for copyright violations - for some cases they even offer a nice place in a jail.
unless there are is an agreement in place. (ie a checkbox on every build "by using OBS you agree to SUSE Inc being joint copyright holder")
That would be a CLA (Contributor License Agreement), and lots of companies have been bashed for forcing contributors to sign it. Basically the only thing CLAs are good for is to scare away possible contributors.
That said - (luckily) we don't have such a CLA checkbox in OBS, which means SUSE has no right to add its copyright on packages no SUSE employee ever touched.
To make things even worse:
IIRC [1] the diff shown during osc commit does not show the addition or update of the SUSE copyright. Instead, this gets done behind my back. Still, "of course" if I look at the version history in OBS, it looks like it was part of my commit.
Alternatively, moving from overwrite-able text files to recording copyright ownership, transfers and additions in a global public ledger makes sense. Just don't call it blockchain. ;)
This is a "solution" for a totally different problem - for a problem we don't have.
It's not even a solution for the "partially accepted SR" (aka copy & paste from the original SR) that lead to this discussion.
That said, and just as an idea - let's call it, hmm... $package.changes?
No need for a blockchain.
Regards,
Christian Boltz
[1] It's been a while since I noticed that, so I'm not 100% sure if it's still valid. I have package update on my TODO list which I'll delay for a few days so that I can see if the SUSE copyright gets updated to 2025, and if the diff shown by osc commit shows the change.
-- After a little bit of thinking* [...] * yes, I do it sometimes and yes, it usually hurts and leads to bad stuff, I'll try not to do it again [Jos Poortvliet in opensuse-factory]
Patrick Fitzgerald <patrickf@i-layer.com> writes:
some clarifications
On 23/12/2024 11:21, Dominik George wrote:
Hi,
Many packages contain "Copyright (c) {{ year }} SUSE LLC" . The vim .spec template, spec-cleaner and the corresponding source service update this regularly. They also update the copyright year to the current year unless the right parameters are passed, and even so if no people employed by SUSE LLC are involved.
My original packages contain my own copyright. As a contributor I am happy to license my works to anyone, including SUSE LLC, under an open source license. What I am not doing is assign exclusive ownership to SUSE LLC, neither for my original packages nor for my contributions. I believe this is in the spirit of FLOSS.
We should clarify the obvious: assigning exclusive copyright to SUSE LLC is not a requirement for contribution for openSUSE, the text makes that clear. But there is no single best way to reflect that, and who owns what, if "SUSE LLC" keeps getting added, automatically, at the top (!), while we reject contributors adding their own. You can reject such submissions, what what message are we sending to openSUSE contributors that are not bound to assign their work to the company? SUSE LLC being listed as sole copyright holder is one point stopping me from actively contributing or largely promoting openSUSE distributions (in addition to the project's insistance in promoting Google and Microsoft platforms).
Also keep in mind that copyright assignment to a company, or replacing copyright holders with a company name, is outright illegal if the original author is a German citizen.
-nik
I doubt that "outright illegal" is true.. It depends on the agreements made between the original author and others - including companies. For example if you are employed by a company then you may need to check your employment contract - it may stipulated there that copyrighted works are automatically assigned. (Look to any music company to see that kind of behaviour.)
A company/organisation possesses, legally speaking, the same rights as a person; they can be taxed, sued and bankrupted, so they can hold patents and copyrights.
Having said that, yes, to transfer the copyright to /anyone - /without the permission of the original author, is mostly likely illegal. I say mostly, because it might be transferred in the case of bankruptcy of the owner because it is an asset. In any case it depends on agreements that have been reached.
One thing to be aware of though, is that assigning copyright/patents/trademarks to "openSUSE" is pointless because at the moment, "openSUSE" is neither a person or a company/organisation. It is simply a trademark of SUSE, and has no legal status. This is why the Geeko Foundation exists - to provide a legal entity for the community to rally behind.
Note this view is IMHO quite Brit/US centric. As a German I don't feel a organization outside of Europe could represent me as a developer/user. In the context of copyright it is also not helpful that these are to centered towards the angloamerican world. What the name openSUSE means as a brand seems to be also much different outside of Europe, but that's off-topic.
Obviously a macro assigning a copyright to a third party is... questionable, unless there are is an agreement in place. (ie a checkbox on every build "by using OBS you agree to SUSE Inc being joint copyright holder")
IMHO this process should be manual. The format_spec service should not override copyright but warn if there's no copyright and point the developer towards the wikit to change accordingly. Don't automate something which is better done in a manual process, copyright is one of these things. For my self I don't care much. However I would prefer to assign the copyright to SUSE GmbH than SUSE LLC. If possible the license specifiers and file-copyright-text should use SPDX tags.
On Mon, Dec 23, 2024 at 4:16 AM Andreas Stieger <Andreas.Stieger@gmx.de> wrote:
Hello project,
I would like to raise for open discussion the rpm spec copyright headers. Let's use the following as an entry example to see if we can find an general opinion or solution. This should not be considered escalation on the SR.
systemd maintainer Franck declined my SR#1232931 [1] for boo#1234765 [2] with the following note:
Thanks. Can you please resubmit without changing the copyright ?
Allow me to lay out the following thoughts: openSUSE packages are licensed and distributed under an OSI approved license. Changes to the package by another party create derivative works. That copyright is not owned exclusively by the original creator, the part that the contributor added is owned by them. Or, verbatim from the standard header:
# All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon.
Many packages contain "Copyright (c) {{ year }} SUSE LLC" . The vim .spec template, spec-cleaner and the corresponding source service update this regularly. They also update the copyright year to the current year unless the right parameters are passed, and even so if no people employed by SUSE LLC are involved.
My original packages contain my own copyright. As a contributor I am happy to license my works to anyone, including SUSE LLC, under an open source license. What I am not doing is assign exclusive ownership to SUSE LLC, neither for my original packages nor for my contributions. I believe this is in the spirit of FLOSS.
We should clarify the obvious: assigning exclusive copyright to SUSE LLC is not a requirement for contribution for openSUSE, the text makes that clear. But there is no single best way to reflect that, and who owns what, if "SUSE LLC" keeps getting added, automatically, at the top (!), while we reject contributors adding their own. You can reject such submissions, what what message are we sending to openSUSE contributors that are not bound to assign their work to the company?
The following points may need to be part of the discussion:
Should spec-cleaner/format_spec_file have a mode, default, for non-SUSE contributors? Specifically, do not add the SUSE LLC copyright or update it's year unless the contribution is done on behalf of SUSE LLC.
There may be a triviality limit for what constitutes a copyrightable contribution to an rpm spec, given that many constructs are trivial, tool generated, or copied from another package, distribution, or the wiki.
There may be bit of a stylistic problem of proliferation of copyright lines. Changing/removal of any lines not your own should be avoided.
The spec header refers to the license of the upstream package. Upstream packages are known to change licenses. That means that in these cases the license of the spec file changes, but the copyright holder can do that. And in the case of a community contribution, that is not "SUSE LLC" exclusively. Re-licensing this is different from creating a derivative work under a compatible FLOSS license.
Finally, I do not want to leave you without a specific proposal. Here it is:
# Copyright (C) YEAR openSUSE project and contributors, see package changelog.
Not the best idea, but one that includes the outside contributors.
I completely agree about the situation with spec headers. When I wrote the openSUSE support for rust2rpm, I deliberately made it so that the copyright stanza used the output from "rpmdev-packager" by default, which ensured that this didn't happen. On my system, I ensure the format-spec and spec-cleaner OBS source services are not installed on my machine and I disallow source services running on check-in, because it would always add the SUSE copyright line. I would prefer to drop the year from the copyright stanza, since it has never been required, especially with packages that are maintained in version control. Copyright is automatic, the statements are principally informative, so the year isn't important. -- 真実はいつも一つ!/ Always, there's only one truth!
I totally agree. The compulsory copyright to SUSE don't make sense to me. Em 23/12/2024 08:16, Andreas Stieger escreveu:
Hello project,
I would like to raise for open discussion the rpm spec copyright headers. Let's use the following as an entry example to see if we can find an general opinion or solution. This should not be considered escalation on the SR.
systemd maintainer Franck declined my SR#1232931 [1] for boo#1234765 [2] with the following note:
Thanks. Can you please resubmit without changing the copyright ?
Allow me to lay out the following thoughts: openSUSE packages are licensed and distributed under an OSI approved license. Changes to the package by another party create derivative works. That copyright is not owned exclusively by the original creator, the part that the contributor added is owned by them. Or, verbatim from the standard header:
# All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon.
Many packages contain "Copyright (c) {{ year }} SUSE LLC" . The vim spec template, spec-cleaner and the corresponding source service update this regularly. They also update the copyright year to the current year unless the right parameters are passed, and even so if no people employed by SUSE LLC are involved.
My original packages contain my own copyright. As a contributor I am happy to license my works to anyone, including SUSE LLC, under an open source license. What I am not doing is assign exclusive ownership to SUSE LLC, neither for my original packages nor for my contributions. I believe this is in the spirit of FLOSS.
We should clarify the obvious: assigning exclusive copyright to SUSE LLC is not a requirement for contribution for openSUSE, the text makes that clear. But there is no single best way to reflect that, and who owns what, if "SUSE LLC" keeps getting added, automatically, at the top (!), while we reject contributors adding their own. You can reject such submissions, what what message are we sending to openSUSE contributors that are not bound to assign their work to the company?
The following points may need to be part of the discussion:
Should spec-cleaner/format_spec_file have a mode, default, for non-SUSE contributors? Specifically, do not add the SUSE LLC copyright or update it's year unless the contribution is done on behalf of SUSE LLC.
There may be a triviality limit for what constitutes a copyrightable contribution to an rpm spec, given that many constructs are trivial, tool generated, or copied from another package, distribution, or the wiki.
There may be bit of a stylistic problem of proliferation of copyright lines. Changing/removal of any lines not your own should be avoided.
The spec header refers to the license of the upstream package. Upstream packages are known to change licenses. That means that in these cases the license of the spec file changes, but the copyright holder can do that. And in the case of a community contribution, that is not "SUSE LLC" exclusively. Re-licensing this is different from creating a derivative work under a compatible FLOSS license.
Finally, I do not want to leave you without a specific proposal. Here it is:
# Copyright (C) YEAR openSUSE project and contributors, see package changelog.
Not the best idea, but one that includes the outside contributors.
Happy to discuss,
Andreas
On 2024-12-24 03:15, Heitor Moreira wrote:
The compulsory copyright to SUSE don't make sense to me.
The company does not actually require copyright assignment, and would not have standing to do so. But that also means that the SUSE LLC copyright line should not be handled special by tooling or when reviewing changes. Andreas
Gesendet: Dienstag, den 24.12.2024 um 12:32 Uhr Von: "Andreas Stieger" <Andreas.Stieger@gmx.de> An: project@lists.opensuse.org Betreff: Re: spec file copyright headers
On 2024-12-24 03:15, Heitor Moreira wrote:
The compulsory copyright to SUSE don't make sense to me.
The company does not actually require copyright assignment, and would not have standing to do so. But that also means that the SUSE LLC copyright line should not be handled special by tooling or when reviewing changes.
The OBS Team hast been developing the adoptions. Then we should add Adrian in CC Best regards, Sarah
Andreas
On 2024-12-23 12:16, Andreas Stieger wrote:
systemd maintainer Franck declined my SR#1232931 [1] for boo#1234765 [2] with the following note:
Thanks. Can you please resubmit without changing the copyright ?
[...]
It is good that you used the information from https://bugzilla.opensuse.org/show_bug.cgi?id=1234765#c1 to make a change to the systemd package in https://build.opensuse.org/package/rdiff/Base:System/systemd?linkrev=base&rev=1568 that addresses the issue. However do you think that stripping my copyright, and using a different date with my name against is, is an accurate reflection?
On 23/12/2024 12.16, Andreas Stieger wrote:
# Copyright (C) YEAR openSUSE project and contributors, see package changelog.
Not the best idea, but one that includes the outside contributors.
"openSUSE project" is not a legal entity, though. I guess, it would only matter if we need to sue someone on .spec Copyright, which is unlikely given the usually rather permissive license.
There may be a triviality limit for what constitutes a copyrightable contribution
My proposal would be to stop auto-updating Copyright to avoid all the legal trouble of claiming Copyright for trivial changes or changing other people's Copyright notices. Copyright does not expire for 70+ years, so a packager can update it manually for non-trivial contributions every few years. A Copyright is not to be confused with a "last changed on" date. https://stackoverflow.com/questions/2390230/do-copyright-dates-need-to-be-up... suggest, a correct timestamp would be © 2000, 2010, 2024 or we omit the timestamp altogether. It is not required and we have revision history to establish the date. So how about
Copyright © The openSUSE Contributors, see package changelog.
On Thu, Jan 2, 2025 at 1:52 AM Bernhard M. Wiedemann <bwiedemann@suse.de> wrote:
On 23/12/2024 12.16, Andreas Stieger wrote:
# Copyright (C) YEAR openSUSE project and contributors, see package changelog.
Not the best idea, but one that includes the outside contributors.
"openSUSE project" is not a legal entity, though. I guess, it would only matter if we need to sue someone on .spec Copyright, which is unlikely given the usually rather permissive license.
There may be a triviality limit for what constitutes a copyrightable contribution
My proposal would be to stop auto-updating Copyright to avoid all the legal trouble of claiming Copyright for trivial changes or changing other people's Copyright notices.
Copyright does not expire for 70+ years, so a packager can update it manually for non-trivial contributions every few years. A Copyright is not to be confused with a "last changed on" date.
https://stackoverflow.com/questions/2390230/do-copyright-dates-need-to-be-up... suggest, a correct timestamp would be © 2000, 2010, 2024
or we omit the timestamp altogether. It is not required and we have revision history to establish the date.
So how about
Copyright © The openSUSE Contributors, see package changelog.
Is the *full* changelog present *anywhere* in the published artifacts? I'm not sure that it is. -- 真実はいつも一つ!/ Always, there's only one truth!
On 1/2/25 10:13 AM, Neal Gompa wrote: > On Thu, Jan 2, 2025 at 1:52 AM Bernhard M. Wiedemann <bwiedemann@suse.de> wrote: >> So how about >> >> > Copyright © The openSUSE Contributors, see package changelog. > > Is the *full* changelog present *anywhere* in the published artifacts? > I'm not sure that it is. There is a parsed version with most entries: > wget https://download.opensuse.org/source/distribution/leap/15.6/repo/oss/src/bash-4.4-150400.25.22.src.rpm > rpm2cpio bash-4.4-150400.25.22.src.rpm | cpio -i bash.spec > tail bash.spec * Tue Apr 22 1997 bs@suse.de - added FAQ and bashref.html to /usr/doc/packages/bash * Sun Apr 13 1997 florian@suse.de - update to bash 2.0 with lots of patches from gnu.utils.bugs Mon Sep 2 02:48:35 MET DST 1996 new version with security patches * Thu Jan 2 1997 florian@suse.de security fix included (0xff was command separator) This document details the changes between this version, bash-4.1-rc, and the previous version, bash-4.1-beta. Ciao Bernhard M.
participants (9)
-
Andreas Stieger -
Bernhard M. Wiedemann -
Björn Bidar -
Christian Boltz -
Dominik George -
Heitor Moreira -
Neal Gompa -
Patrick Fitzgerald -
Sarah Julia Kriesch