Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

[Darley Trey <trey.darley@cert.be>]

Hey, Alexandre -

According to Jamie Clark, the problem is not copyright but patent
protection. According to Jamie, someone contributing to the
cti-sep-repo under BSD-3 is not giving OASIS a patent license on their
contribution and that the only approved license which covers both
copyright and patent protection is Apache-2.0. But ianal, so I will
defer to Jamie.

Cheers,
Trey

On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote:
> Hi Trey,
> 
> Thank you for the notification.
> 
> A small question, what's the reasoning of the use of the Apache-2.0 license
> instead of the BSD-3 license for such external contribution? Especially that
> BSD-3 is an approved licensed for the TC[1] and the TC is operates under 
> the Non-Assertion Mode which doesn't impose a specific open source license
> beside the ones approved for the open repositories. Do I miss something
> more fundamental?
> 
> Cheers
> 
> [1] https://www.oasis-open.org/resources/open-repositories/licenses
> 
> ----- Original Message -----
> From: "Darley Trey" <trey.darley@cert.be>
> To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
> Sent: Wednesday, 10 April, 2019 14:38:54
> Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
> 
> Hi, y'all -
> 
> When I made the initial motion to open the OASIS Open Repository for
> STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
> without thinking about it due to the fact that all of the other CTI TC
> OASIS Open Repositories used BSD-3.
> 
> Turns out this was a mistake. If we as a TC ever decide we want to
> pull some elements developed on the SEPs GitHub repository into a
> future revision of the specifications (which is kind of the point of
> SEPs), we need all SEPs contributions to be Apache2-licensed so that
> the same IPR TC protections for normal committee spec development to
> apply.
> 
> This was discussed at the San Jose F2F and there was unanimity that we
> should just make this license change. Meanwhile, I've been crazy busy
> and this task has lingered on my todo list.
> 
> I am in no way suggesting that the STIX Enhancement Proposal workflow
> process as currently defined in the GitHub repo is final. We have
> violent unanimity that we as a TC *need* SEPs but there are still a
> few key open questions we need to settle before we can say that SEPs
> is ready to be codified in the TC specs.
> 
> We have a lot of work in progress and a clear roadmap. I am in no way
> trying to sidetrack the TC by reopening the wider SEPs discussion
> at this time. But there are a number of open pull-requests which would
> be quite interesting to have as contributions to the CTI TC (for
> example, Caitlin's proposal for an ACH SDO and an SCO for representing
> Windows Event Logs), plus some other contributions I have heard about
> privately which are pending the license change. If people are doing
> good work on the side and happy to contribute it for the TC's
> consideration, then as a TC we should enable that.
> 
> Therefore, I would like to request a seven day call for objections to
> changing the license for the OASIS Open Repository for STIX
> Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.
> 
> If there are no objections, then I will work together with Chet and
> Scott at OASIS to ensure that proper protocol is followed to ensure
> that all SEPs contributors whose pull-requests Ivan and I already
> accepted are brought under the new licensing terms and I will request
> that currently pending pull-requests be reissued under the Apache 2.0
> license, giving us a clear path forward.
> 
> Sorry about the long-winded mail, but IPR is complicated and vitally
> important to our work as a TC. Thank you for your time. ^_^
> 
> [1]: https://github.com/oasis-open/cti-sep-repository
> 
> -- 
> Cheers,
> Trey Darley
> OASIS CTI TC Co-Chair
> Cyber Security Expert - CTI Strategist
> -- 
> CERT.be
> Centre for Cyber Security Belgium
> Mail: trey.darley@cert.be
> GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
> -- 
> Under the authority of the Prime Minister
> Wetstraat 16 - 1000 Brussels - Belgium
> Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium
> Contact: https://www.cert.be

-- 
CERT.be
Centre for Cyber Security Belgium
Mail: trey.darley@cert.be
GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
-- 
Under the authority of the Prime Minister
Wetstraat 16 - 1000 Brussels - Belgium
Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium
Contact: https://www.cert.be

Attachment: signature.asc
Description: PGP signature