license for closed source ========================== To request a commericial license for closed source projects and services Definitions ------------ commercial license """"""""""""""""""" exclusion from the projects license, for a specific entity and time period copyright holder """"""""""""""""" Someone who forks the project, simply by editting the legal notices, does not suddenly become the copyright holder. Under copyright law, a maintainer, having forked a project, cannot request payment in the form of a license. Can only solicit for donations. If required by the projects license, a commercial license **must be** and **can only be** obtained from the copyright holder How to contact --------------- Encourage to send to multiple communication channels - Mastodon https://mastodon.social/@msftcangoblowme - Email `Dave Faulkmore `_ Why fund? ---------- Unfunded FOSS projects are instantly abandonware. Which should be a cause for concern: author attention is drawn away """"""""""""""""""""""""""""""" Often towards activities to make a living. Such as focusing on writing unittests for web pages and smartphone apps. Instead of producing jobs, companies self-interest is better served funding talent to focus on maintaining the talent's piece of the FOSS infrastructure. author cannot attract maintainers """""""""""""""""""""""""""""""""" Common situation is the repository is in a preceived negative situation, forcing others to fork the project and take on the enormous burden and responsibility. If the project is well funded, can garner maintainers time by compensating them. target for malware """"""""""""""""""" This is reoccurring real issue. Maintainer(s) who step forward and have the talent, the author will depend on. There being no non-subjective reprecussions for bad behavior or just to get attention, at some point, in an innocent looking commit, malware gets introduced. Obfusicated code is placed in either the build system or in unittest assets. The swamp, drain-swamp is referring to, is the Makefile, untestable shell scripts, and untestable Python scripts. Minimizing the size of the swamp, reduces the attack surface; places to hide dodgy code xz is a project which had this issue. A now famous coder, thru what can only be described as a miracle, tracked down the cause, and raised awareness of the issue. The Linux communities quickly used an earlier xz version or created a patch. The author did remove the malware, which took some time. So **the xz author is a good actor**! And the attack's impact on the world was minimized. Procedure ---------- Communication """""""""""""" 1. Contact the copyright holder This is a negotiation. So can, make an offer. 2. discuss: - terms and conditions - pricing 3. The copyright holder should request and receive multiple contact means to keep in contact with requestor. Copyright holder must maintain this privacy data, in confidence, not share with any third party with the exception of maintainers and staff Before any payments """""""""""""""""""" Verify the copyright holder **BEFORE** making any payments Send some text message to have the copyright holder sign with PGP secret key. The copyright holder will send back the signed message within a text file. The message along with the PGP public key are used **to verify** the copyright holder, signed it Will receive """"""""""""" 1. PGP public key file Which will be the same PGP public key used to sign commits. Instructions on how to confirm it's the same PGP public key. 2. PGP signed text file Contains the commercial license which is an exclusion, for a specific entity for a specific time period, from the projects license Verify """"""" Will provide instructions on how to verify the PGP signed text file. Using the PGP public key of the copyright holder A text file not PGP signed or not signed by the copyright holder, is not an authorized commercial license. Upon receipt, verify the PGP signature.