OASIS Mailing List Archives


cti message

Subject: Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

Hi Trey,

Thank you for the notification.

A small question: what's the reasoning for the use of the Apache-2.0 license
instead of the BSD-3 license for such external contributions? Especially since
BSD-3 is an approved license for the TC[1] and the TC operates under
the Non-Assertion Mode, which doesn't impose a specific open source license
besides the ones approved for the open repositories. Am I missing something
more fundamental?


[1] https://www.oasis-open.org/resources/open-repositories/licenses

----- Original Message -----
From: "Darley Trey" <trey.darley@cert.be>
To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
Sent: Wednesday, 10 April, 2019 14:38:54
Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

Hi, y'all -

When I made the initial motion to open the OASIS Open Repository for
STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
without thinking about it due to the fact that all of the other CTI TC
OASIS Open Repositories used BSD-3.

Turns out this was a mistake. If we as a TC ever decide we want to
pull some elements developed on the SEPs GitHub repository into a
future revision of the specifications (which is kind of the point of
SEPs), we need all SEPs contributions to be Apache2-licensed so that
the same IPR TC protections for normal committee spec development to

This was discussed at the San Jose F2F and there was unanimity that we
should just make this license change. Meanwhile, I've been crazy busy
and this task has lingered on my todo list.

I am in no way suggesting that the STIX Enhancement Proposal workflow
process as currently defined in the GitHub repo is final. We have
violent unanimity that we as a TC *need* SEPs but there are still a
few key open questions we need to settle before we can say that SEPs
is ready to be codified in the TC specs.

We have a lot of work in progress and a clear roadmap. I am in no way
trying to sidetrack the TC by reopening the wider SEPs discussion
at this time. But there are a number of open pull-requests which would
be quite interesting to have as contributions to the CTI TC (for
example, Caitlin's proposal for an ACH SDO and an SCO for representing
Windows Event Logs), plus some other contributions I have heard about
privately which are pending the license change. If people are doing
good work on the side and happy to contribute it for the TC's
consideration, then as a TC we should enable that.

Therefore, I would like to request a seven day call for objections to
changing the license for the OASIS Open Repository for STIX
Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.

If there are no objections, then I will work together with Chet and
Scott at OASIS to ensure that proper protocol is followed to ensure
that all SEPs contributors whose pull-requests Ivan and I already
accepted are brought under the new licensing terms and I will request
that currently pending pull-requests be reissued under the Apache 2.0
license, giving us a clear path forward.

Sorry about the long-winded mail, but IPR is complicated and vitally
important to our work as a TC. Thank you for your time. ^_^

[1]: https://github.com/oasis-open/cti-sep-repository

Trey Darley
Cyber Security Expert - CTI Strategist
Centre for Cyber Security Belgium
Mail: trey.darley@cert.be
GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
Under the authority of the Prime Minister
Wetstraat 16 - 1000 Brussels - Belgium
Visiting address: Rue Ducale 4 - 1000 Brussels - Belgium
Contact: https://www.cert.be
