This RFD was adapted from Joyent RFD 164 by Steve, and so he would like to note: anything good about this RFD probably comes from Bryan, and any mistakes probably come from me, haha.
Determinations
Oxide believes strongly in open source, and participating in the open source community in good faith. This RFD is an attempt to elucidate our open source policies with regard to our own projects.
Open Source Counsel Office (OSCO)
This RFD creates a role, the Open Source Counsel Office (OSCO), that serves as a focal point for consultation and approval with respect to open source policy. The OSCO takes responsibility for balancing our principles surrounding open source with organizational risk — with the goal being to adhere to our open source principles while minimizing risk. If and as much as additional counsel is required (e.g., legal counsel), it is up to the OSCO to make this determination. This role is nowhere near a full-time job; it is anticipated that this function will be performed or delegated by the CTO or equivalent.
Open source use
Any open source component licensed under the following commonly-used licenses can be freely used without additional disclosure or approval by the OSCO:
Mozilla Public License, 1.0, 1.1 and 2.0 variants
MIT License
Berkeley Software Distribution (BSD), 3-clause, 2-clause and 0-clause variants
Apache License, 1.0, 1.1 and 2.0 variants
Common Development and Distribution License (CDDL)
Additionally, any open source component under the following less-commonly used licenses can be freely used without additional disclosure or approval:
PostgreSQL License
Python Software Foundation License
Public Domain
Artistic License
zlib/libpng License
PHP License
ICU License
Eclipse Public License
Components with the following licenses can be freely used for internal use (that is, not part of any service or software offering), but can only be used for external use (part of a service or software offering) after consultation with the OSCO:
GNU Public License (GPL), v2 and v3
Lesser GNU Public License (LGPL)
Software under the following licenses can be used only for internal use (that is, they may never be used as part of any service or software offering) and use always require explicit permission of the OSCO:
Affero General Public License (AGPL)
Server Side Public License (SSPL)
Confluent Community License
Redis Source Available License
Any license bearing a Commons Clause addendum
Open source contribution
We believe in contributing back to the projects that we use, and seek to actively push changes upstream where and as appropriate.
Personal attribution
Any open source contribution from Oxide must have the personal
attribution of the engineer (or engineers) who did the work. (In general,
this attribution will take the form of the AuthorCommit
Copyright
Copyright for all open source contribution is held by Oxide, but how this is attributed will depend on the specifics of the project. For projects started at Oxide, see the next subheading, "Copyright notice." For other projects, the project’s preferences for attribution should be followed.
In this model, it is important that the e-mail address contain the author’s corporate e-mail address (e.g. "@oxide.computer").
Copyright & licensing notices
Different projects differ in the mechanics of their copyright notice, and legal counsel opinion will vary on mechanics of year and so on. Given that our preference is to use the MPL, we also will go by their guidance, which at the time of writing is as follows:
To apply the Mozilla Public License to software that you have written, add [a] header … to each source code file in your project. … You may also add additional accurate notices of copyright ownership, such as the name of the copyright holder, but this is not necessary.
Here is an example header to be used, in the default Rust comment style:
// This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at https://mozilla.org/MPL/2.0/.
If you decide to add a Copyright line, it should look like this:
// Copyright 2021 Oxide Computer Company
The current year should be used.
Rust files in particular tend to have various things that could go at the start of the file. We are going to standardize on this order:
License header
Documentation comment
Attributes/code/etc
An example:
// This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at https://mozilla.org/MPL/2.0/. /// This module foos your bars. /// /// Lorem ipsum dolor sit amet, consectetur adipiscing elit. Pellentesque /// molestie eu velit id varius. #![no_std]
This is built off of the default Rust style, with documentation comments first, but the license deserves priority.
You can easily add an MPL v2.0 license header to all rust source files in a directory by using the script included in this repository.
$ add-mpl-headers.sh Package-specific license noticies
If an Oxide project is being distributed via a package manager, make sure that you include the proper licensing information into the package’s metadata as appropriate.
For example, Rust code that is published to Crates.io should have the license key set.
Extra note: Given the next section, you may be tempted to also set the license-field key. With Cargo, that is only used for non-standard licenses, and so even though your project will contain a LICENSE file, you do not need to set this key in your Cargo.toml.
LICENSE files
All projects should have a LICENSE file at the root of the repository that contains the text of the appropriate license or licenses.
Contributing source from third parties
We regularly integrate source from third parties into other open source projects. If the third party source is not already open source, this activity must be done in concert with the OSCO, who will take responsibility for assuring that the third party has condoned this activity and that risk is appropriately minimized.
De minimis change
Some changes can be considered de minimis, and need not have a copyright notice or update. These kinds of changes include:
Pure deletion of code
Correcting spelling or grammar
Changing only code comments
In general, any code change — however small — should not be considered de minimis.
Conduct
We expect our staff to professionally engage with people who are not Oxide employees. It is our expectation that conduct in open source engagement will reflect the professionalism of our workplace. Where this is not the case — where we believe that actions by others in the community are violating our standards for our own conduct — action should be taken. Employees who wish to report this conduct should either report it to the OSCO or to Oxide HR. Working with the employee, the OSCO and/or Oxide HR will determine the correct course of action, with the priority being to protect the employee.
Contributor License Agreements
If a contributor license agreement is required, the OSCO should be consulted. Most CLAs are harmless, but formal OSCO permission will regrettably be required.
Open source creation
When we create wholly new software, our overwhelming bias is to open source it. Even where we choose to not open source new software, it should always be created with the idea that it will be open sourced. This means that these guidelines should always be followed.
Repositories
Absent explicit permission from the OSCO, all new repositories should be in GitHub, under the "oxidecomputer" GitHub account (that is, not under personal accounts).
License
For any new Oxide-created software, the MPL 2.0 should generally be the license of choice. The exception to this should be any software that is a part of a larger ecosystem that has a prevailing license, in which case that prevailing license may be used. For example, Rust crates are generally dual-licensed as MIT/Apache 2. The "Licenses" section under open source use applies here; if new software is to be created that is (for example) LGPL, it can only be done with the explicit permission of the OSCO.
Security
Especially with our broad open source disposition, in Oxide-originated repositories it can be easy to accidentally divulge a secret. Certainly, there should never be production key material or passwords in a repository, even when private. We also need to be careful about production data that might be used as test data. This data can take on subtle forms. Unfortunately, code review can be too late to catch this, as our code reviews are also publicly accessible. There is no mechanical guideline here other than to be very mindful!
Contributor license agreements
In our view, contributor license agreements (CLAs) are an impediment to contributions, and we do not use them for any Oxide-originated repository. (Part of the reason for our strong preference for MPL 2.0 is that the license warrants the originality of the work and obviates the need for a CLA entirely.)
Code of conduct
A formal code of conduct is likely well-advised. This should be done in consultation with the OSCO, but it is recommended that projects use a derivative of the Contributor Covenant.
Security Considerations
See the "Security" heading above.