secureCodeBox/documentation

Change Copyright Header

Weltraumschaf opened this issue · 2 comments

We introduced SPDX tags for copyright and license some time ago. We used "2021 iteratec GmbH" as copyright text because we didn't know better. Now we have a pull request from our partners Secura and they used "2021 Secura B.V." as copyright text. We were not sure if this is legit. We discussed this internally and we consulted a core maintainer from the JUnit 5 project (I have known this guy for a long time from conferences) and asked for advice. The conclusion of this internal discussion is:

  • It may not matter what is in the copyright text.
  • Copyright differs from laws by country. E.g. in Germany it is not possible that a company holds the copyright. It is always the right of the author (Urheberrecht vs Verwertungsrecht).
  • We're not sure if a company name as in the copyright text may be a problem in the future.
  • We want to protect the open source community, the users and contributors from possible abuse by copyright infringement. Not only by contributors working on behalf of their employer, but also from iteratec. As we can't guarantee what iteratec will do in 20 years or so.
  • In fact the persons who authored the files matter and not their employer, and this person certifies our DCO.

Decision: We completely remove "2021 iteratec GmbH" as copyright text from all files and replace it with the new copyright text "the secureCodeBox authors". Also we remove the year. As described in the Reuse FAQ the year is not necessary and so we do not need to update the year. So we will use the new copyright header:

# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

What is the impact on the use of the DCO?

There is no impact on the use of DCO. Everyone committing to this repo certifies the DCO, signs off the commits and gives the code to the project under the current license. So, it should not matter what copyright holder is mentioned in the SPDX tag. (IANAL)

We think the approach from the JUnit 5 Project is a cleaner way. So we do not need to discuss what name to add in the headers. We need not update the header if someone else edits the file.

Also, my personal opinion: It is good for forming a community around the secureCodeBox if we see ourselves all together as the secureCodeBox authors and not the authors from iteratec and the authors from Secura and some individuals.