Added licensing explanation, to clarify questions of CHES artifact review process
decryptofy committed Mar 26, 2024
1 parent a292216 commit 0d45f35
Showing 2 changed files with 18 additions and 1 deletion.
17 changes: 17 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -20,4 +20,21 @@ TBD :-) This project is at its start, we have not figured this part out yet.
* Within the Python context, we do *not* consider GPL to be an appropriate license, run [liccheck](https://pypi.org/project/liccheck/) to make sure not to accidentally import GPL code.

# Legal

This is an open source project. Contributions you make to this repository are completely voluntary. When you submit an issue, bug report, question, enhancement, pull request, etc., you are offering your contribution without expectation of payment, you expressly waive any future pay claims against SCARR's maintainers related to your contribution, and you acknowledge that this does not create an obligation on the part of the SCARR maintainers of any kind.

# Licensing Explained

In the following, we would like to briefly explain SCARR's license as this might be an important aspect for future contributors. Since SCARR is licensed under the MPL-2.0-no-copyleft-exception, SCARR's code itself must be open-source. However, there are nuanced differences compared to GPL that we consider important.

Permissible:
* Larger works can include SCARR *without* revealing code outside of SCARR (unlike GPL)
* Add closed-source/classified extensions to SCARR, if desired, on a per-file basis (unlike LGPL)

Prohibited:
* Cannot include GPL code into SCARR, to make sure the above remains a free choice
* Adopting from SCARR and only acknowledging its use to prevent undue commercialization

When working in the hardware security domain, projects can be of sensitive or classified nature. For us, it is perfectly fine for such scenarios to extend SCARR on a per-file basis and keep these additional files under proprietary/classified license, even when distributing SCARR and these extensions to other entities (e.g., from one government to another). We consider this a greater freedom compared to imposing GPL rules onto everyone using/extending this project.

Note: the overwhelming majority of Python projects is licensed under MIT, BSD, or Apache 2.0 license that can be combined with SCARR.
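
Review bot: The second bullet under "Prohibited:" is ambiguous. "Adopting from SCARR and only acknowledging its use to prevent undue commercialization" can be read as saying that the acknowledgment is what prevents commercialization, and unlike the first bullet ("Cannot include GPL code into SCARR") it never names the prohibited act. Suggest separating the act from the rationale: state what may not be done with code taken from SCARR (for example, if the intent is that copied SCARR files must stay under the MPL rather than merely being credited, say so directly), then give the goal of preventing undue commercialization as a separate clause. The GPL bullet could also point back to the liccheck step in the list just above this hunk, so contributors know how the rule is checked. Minor grammar in the closing note: "the overwhelming majority of Python projects is licensed under MIT, BSD, or Apache 2.0 license" reads better as "are licensed under the MIT, BSD, or Apache 2.0 licenses".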
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -81,7 +81,7 @@ We want to keep this a no-nonsense project and promote contributions, while mini

Consistent with Section D.6. of the [GitHub Terms of Service](https://docs.github.com/en/site-policy/github-terms/github-terms-of-service) as of November 16, 2020, and the [Mozilla Public License, v. 2.0.](https://www.mozilla.org/en-US/MPL/2.0/), the project maintainer for this project accepts contributions using the inbound=outbound model. When you submit a pull request to this repository (inbound), you are agreeing to license your contribution under the same terms as specified under [License](https://github.com/decryptofy/scarr/blob/main/README.md#license) (outbound).

Note: this is modeled after the terms for contributing to [Ghidra](https://github.com/NationalSecurityAgency/ghidra/blob/master/CONTRIBUTING.md).
Note: this is modeled after the terms for contributing to [Ghidra](https://github.com/NationalSecurityAgency/ghidra/blob/master/CONTRIBUTING.md). Our reasoning for this licensing is explained [here](https://github.com/decryptofy/scarr/blob/main/CONTRIBUTING.md#licensing-explained).

# License
