Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

["Kirillov, Ivan A." <ikirillov@mitre.org>]

All,

Where do we stand on this? Can we just swap the license to Apache 2.0 so that we can continue making forward progress with SEPs?

Regards,
Ivan

ïOn 4/10/19, 7:20 AM, "Darley Trey" <cti@lists.oasis-open.org on behalf of trey.darley@cert.be> wrote:

    Hey, Alexandre -
    
    According to Jamie Clark, the problem is not copyright but patent
    protection. According to Jamie, someone contributing to the
    cti-sep-repo under BSD-3 is not giving OASIS a patent license on their
    contribution and that the only approved license which covers both
    copyright and patent protection is Apache-2.0. But ianal, so I will
    defer to Jamie.
    
    Cheers,
    Trey
    
    On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote:
    > Hi Trey,
    > 
    > Thank you for the notification.
    > 
    > A small question, what's the reasoning of the use of the Apache-2.0 license
    > instead of the BSD-3 license for such external contribution? Especially that
    > BSD-3 is an approved licensed for the TC[1] and the TC is operates under 
    > the Non-Assertion Mode which doesn't impose a specific open source license
    > beside the ones approved for the open repositories. Do I miss something
    > more fundamental?
    > 
    > Cheers
    > 
    > [1] https://www.oasis-open.org/resources/open-repositories/licenses
    > 
    > ----- Original Message -----
    > From: "Darley Trey" <trey.darley@cert.be>
    > To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
    > Sent: Wednesday, 10 April, 2019 14:38:54
    > Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
    > 
    > Hi, y'all -
    > 
    > When I made the initial motion to open the OASIS Open Repository for
    > STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
    > without thinking about it due to the fact that all of the other CTI TC
    > OASIS Open Repositories used BSD-3.
    > 
    > Turns out this was a mistake. If we as a TC ever decide we want to
    > pull some elements developed on the SEPs GitHub repository into a
    > future revision of the specifications (which is kind of the point of
    > SEPs), we need all SEPs contributions to be Apache2-licensed so that
    > the same IPR TC protections for normal committee spec development to
    > apply.
    > 
    > This was discussed at the San Jose F2F and there was unanimity that we
    > should just make this license change. Meanwhile, I've been crazy busy
    > and this task has lingered on my todo list.
    > 
    > I am in no way suggesting that the STIX Enhancement Proposal workflow
    > process as currently defined in the GitHub repo is final. We have
    > violent unanimity that we as a TC *need* SEPs but there are still a
    > few key open questions we need to settle before we can say that SEPs
    > is ready to be codified in the TC specs.
    > 
    > We have a lot of work in progress and a clear roadmap. I am in no way
    > trying to sidetrack the TC by reopening the wider SEPs discussion
    > at this time. But there are a number of open pull-requests which would
    > be quite interesting to have as contributions to the CTI TC (for
    > example, Caitlin's proposal for an ACH SDO and an SCO for representing
    > Windows Event Logs), plus some other contributions I have heard about
    > privately which are pending the license change. If people are doing
    > good work on the side and happy to contribute it for the TC's
    > consideration, then as a TC we should enable that.
    > 
    > Therefore, I would like to request a seven day call for objections to
    > changing the license for the OASIS Open Repository for STIX
    > Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.
    > 
    > If there are no objections, then I will work together with Chet and
    > Scott at OASIS to ensure that proper protocol is followed to ensure
    > that all SEPs contributors whose pull-requests Ivan and I already
    > accepted are brought under the new licensing terms and I will request
    > that currently pending pull-requests be reissued under the Apache 2.0
    > license, giving us a clear path forward.
    > 
    > Sorry about the long-winded mail, but IPR is complicated and vitally
    > important to our work as a TC. Thank you for your time. ^_^
    > 
    > [1]: https://github.com/oasis-open/cti-sep-repository
    > 
    > -- 
    > Cheers,
    > Trey Darley
    > OASIS CTI TC Co-Chair
    > Cyber Security Expert - CTI Strategist
    > -- 
    > CERT.be
    > Centre for Cyber Security Belgium
    > Mail: trey.darley@cert.be
    > GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
    > -- 
    > Under the authority of the Prime Minister
    > Wetstraat 16 - 1000 Brussels - Belgium
    > Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium
    > Contact: https://www.cert.be
    
    -- 
    CERT.be
    Centre for Cyber Security Belgium
    Mail: trey.darley@cert.be
    GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
    -- 
    Under the authority of the Prime Minister
    Wetstraat 16 - 1000 Brussels - Belgium
    Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium
    Contact: https://www.cert.be