Add copyrights to cpython continued support work

[ucodery]

We should be taking credit for the work put into cpython2.7 to continue fixing CVEs. We have so far released 3 micro versions and are about to release a fourth, with no new copyrights or credit, except in the git commits.

AC

• source files altered as part of python2.7 maintenance should additionally have an ActiveState copyright banner
  • make sure to not apply copyright for patches from cpython3.X that apply 1:1

Open Questions

• Which license type should this be distributed under?
  • I think it will have to be PSFL in order to keep the platform promises
• What should this text actually be?
• What do we do when the upstream fix is enough on its own to fix 2.7?
  • add copyright for that author?
  • I believe by publishing it to python/cpython the owner allows the work to be relicensed under python already.

[rawktron]

Is this just renaming the PSF license?

[ucodery]

Yes, renaming and changing the company name. I wanted the license type to remain identical to python3

[rawktron]

Ok let me just verify we are ok with effectively a 'custom' OS license name type. Should be ok but will verify.

[autarch]

Just one question.

[autarch]

It's a bit confusing to add our own custom PSFLv2 license and then say that this file is licensed under the PSFLv2. Do we mean the actual PSFLv2 (which is between the PSF and the Licensee), or we do mean between us and the Licensee?

Also, damn the PSF for not making a templatable license!

[ucodery]

I am in unclear territory with making this license. I went with PSFL as I thought a big part of the new platform was to not dual-license these languages. But I don't know anyone else who has customized the PSFL like this before. It is certainly used by the community, but unmodified. Often, as in the popular matplotlib, the full text isn't even bothered to be copied over. The license on any of their distributions is just "PSF".

Would "ActiveState's PSFLv2 License" be more accurate? Or just "the ActiveState License" to avoid confusion? (although readers of just these files won't know what and 'ActiveState License' is)

[autarch]

First an aside ... saying "PSFLv2 License" is redundantly redundant, since the "L" in "PSFL" stands for License.

---

And back on topic ...

If other people use the PSFL for new works as is but they are not representing the PSF, I don't see how that use is legally valid or enforceable. The license starts with this text:

This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 3.9.4 software in source or binary form and its associated documentation.

So by definition, only the PSF can apply this license (as is) to anything. If I were to try to use it for my code, it couldn't possibly be legally valid, because I am not in a legal position to make binding agreements between the PSF and the Licensee.

So given that, I don't think it's possible for us to claim copyright on a file and then say it's under the PSFLv2. Saying "ActiveState's PSFLv2" makes more sense.

But let me throw yet another spanner into the works. What is the license of the PSFLv2 license text? Can we make a derivative version? That's not something we can just assume. Some licenses are themselves licensed in a way that forbids derivatives! For example, the various (L)GPL licenses all say something like this:

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Absent an explicit copyright statement, the PSFLv2 copyright is (presumably) owned by the PSF, and we are not free to make a derivative version without their permission.

And there's several other issues too!

First, the PSFLv2 has this text:

Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee.

IANAL, but my reading of this is that the PSF is claiming copyright on all derivative works, and I'm not sure if we can add our own copyright notice as well.

Even if we can add it, the copyright statement as written implies that we are the sole copyright holder for each of these files. Unless we (re)wrote this from scratch, that is incorrect. We can only claim copyright for some parts of the code (or maybe none at all, if I'm reading the PSFLv2 correctly). So if we're adding a copyright header we need to spell out other copyright holders too.

But hey, we have a new corporate counsel. I think it'd be good to get Ron involved, since as I mentioned, IANAL.

@rawktron ^

[rawktron]

All great points. My couple quick thoughts:

1. Re: Copyright notices, yes, that is correct, if we are adding our copyright to cover our segments the original copyright/license info also has to be present. Usually this is already the case. If it's not, then we either need to add it, OR, not add ours.
2. If we are renaming this license, we have to include the original license as well (as the PSF one does with its older versions) — so we can't just replace it, we have to amend it. It's not totally clear whether their license allows that — I don't see anything disallowing it — but this is where we'd need legal approval.

We probably should get this vetted by legal — but at a minimum we need to do the above 2 things. As discussed we should probably not gate our 2.7.18.4 release on getting this resolved, but hold it for the next one. The 'list of changes' portions discussed need to be broken out and included though to be in compliance with the license.

[ucodery]

I will open a new PR with just the "add NEWS for ActiveState releases" commit but keep this one open to discuss copyrights. It won't cause any merge conflicts when the other work is ready.

1. The PSFL is not included in any of the source files. The only time copyrights are included in source files is when the work was not originally for the cpython project (https://github.com/ActiveState/cpython/blob/2.7/Lib/logging/__init__.py#L1 as an example). Its not hard to add the PSFL as an additional comment when we go to add and ActiveState license, but that will always be required.
2. All of the original licenses remain untouched in LICENSE including the original PSFL.

[ucodery]

Found this today, which reenforces that other projects use the PSFL, but also does not provide a template for new projects, or a standard header https://spdx.org/licenses/PSF-2.0.html