Open Source Assurance; what does it mean?

[starksm64]

Currently in the foundation goals is:
Open Source Assurance: Guarantee to the community that all code under our banner will remain open source, ensuring its consistent and long-term availability in trusted repositories like Maven Central.

To me this implies needing to define a subset of acceptable OSI compatible licenses that projects should use. That will prevent a project from deciding it needs to change its license from Apache License, Version 2.0 to BSL for example as BSL is not OSI approved.

[ebullient]

Yes. I do have a listing of preferred OSI licenses: https://github.com/commonhaus/foundation-draft/blob/main/governance/ip-policy.md (as a draft!).. but avoiding that license shift (within the existing project dependency) would be a goal. If someone wanted to shift from Apache to BSL, THAT would be the fork (which is the opposite of what happened w/ Elastic and Terraform).

[Sanne]

I agree with @starksm64 this should be clarified, except it would be nice to make it future-proof as well: no need to limit ourselves to a subset of licenses which we choose/like today, yet make a solid promise that certain directions like BSL won't ever be taken.

Coul we trust the OSI long term and simply state that they'll always use licenses approved by OSI?

But also in case OSI ever wanted to remove a particular license from its list of blessed licenses, one should be forced off it immediately.

[ebullient]

I would rather stick w/ "OSI approved", as I believe that is a body with a lot more expertise than I (or another general future CF member) have.

I did add a short-list of OSI-approved licenses that are shoe-ins because they are common and well-understood (this is consistent with what some other foundations do as well).

[kenfinnigan]

Covered here

If this doesn't sufficiently resolve it, please propose modifications via PR