OASIS Mailing List Archives

cti message


Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0


Agreed, can we move fwd with this, and also the necessary work to add SEP to STIX 2.1?

SEP in 2.1 is a vote blocking issue for me. There are far too many "hanging chads" in STIX to be able to support a 2.1 without SEP because we need SEP to move those fwd in the industry.

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson




From:        "Kirillov, Ivan A." <ikirillov@mitre.org>
To:        OASIS CTI TC list <cti@lists.oasis-open.org>
Date:        06/07/2019 12:33 PM
Subject:        [EXTERNAL] [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
Sent by:        <cti@lists.oasis-open.org>




All,

Where do we stand on this? Can we just swap the license to Apache 2.0 so that we can continue making forward progress with SEPs?

Regards,
Ivan

On 4/10/19, 7:20 AM, "Darley Trey" <cti@lists.oasis-open.org on behalf of trey.darley@cert.be> wrote:

   Hey, Alexandre -
   
   According to Jamie Clark, the problem is not copyright but patent
   protection. According to Jamie, someone contributing to the
   cti-sep-repo under BSD-3 is not giving OASIS a patent license on their
   contribution and that the only approved license which covers both
   copyright and patent protection is Apache-2.0. But ianal, so I will
   defer to Jamie.
   
   Cheers,
   Trey
   
   On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote:
   > Hi Trey,
   >
   > Thank you for the notification.
   >
   > A small question, what's the reasoning of the use of the Apache-2.0 license
   > instead of the BSD-3 license for such external contribution? Especially that
   > BSD-3 is an approved license for the TC[1] and the TC operates under
   > the Non-Assertion Mode which doesn't impose a specific open source license
   > beside the ones approved for the open repositories. Do I miss something
   > more fundamental?
   >
   > Cheers
   >
   > [1] https://www.oasis-open.org/resources/open-repositories/licenses
   >
   > ----- Original Message -----
   > From: "Darley Trey" <trey.darley@cert.be>
   > To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
   > Sent: Wednesday, 10 April, 2019 14:38:54
   > Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
   >
   > Hi, y'all -
   >
   > When I made the initial motion to open the OASIS Open Repository for
   > STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
   > without thinking about it due to the fact that all of the other CTI TC
   > OASIS Open Repositories used BSD-3.
   >
   > Turns out this was a mistake. If we as a TC ever decide we want to
   > pull some elements developed on the SEPs GitHub repository into a
   > future revision of the specifications (which is kind of the point of
   > SEPs), we need all SEPs contributions to be Apache2-licensed so that
   > the same IPR TC protections for normal committee spec development
   > apply.
   >
   > This was discussed at the San Jose F2F and there was unanimity that we
   > should just make this license change. Meanwhile, I've been crazy busy
   > and this task has lingered on my todo list.
   >
   > I am in no way suggesting that the STIX Enhancement Proposal workflow
   > process as currently defined in the GitHub repo is final. We have
   > violent unanimity that we as a TC *need* SEPs but there are still a
   > few key open questions we need to settle before we can say that SEPs
   > is ready to be codified in the TC specs.
   >
   > We have a lot of work in progress and a clear roadmap. I am in no way
   > trying to sidetrack the TC by reopening the wider SEPs discussion
   > at this time. But there are a number of open pull-requests which would
   > be quite interesting to have as contributions to the CTI TC (for
   > example, Caitlin's proposal for an ACH SDO and an SCO for representing
   > Windows Event Logs), plus some other contributions I have heard about
   > privately which are pending the license change. If people are doing
   > good work on the side and happy to contribute it for the TC's
   > consideration, then as a TC we should enable that.
   >
   > Therefore, I would like to request a seven day call for objections to
   > changing the license for the OASIS Open Repository for STIX
   > Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.
   >
   > If there are no objections, then I will work together with Chet and
   > Scott at OASIS to ensure that proper protocol is followed to ensure
   > that all SEPs contributors whose pull-requests Ivan and I already
   > accepted are brought under the new licensing terms and I will request
   > that currently pending pull-requests be reissued under the Apache 2.0
   > license, giving us a clear path forward.
   >
   > Sorry about the long-winded mail, but IPR is complicated and vitally
   > important to our work as a TC. Thank you for your time. ^_^
   >
   > [1]: https://github.com/oasis-open/cti-sep-repository
   >
   > --
   > Cheers,
   > Trey Darley
   > OASIS CTI TC Co-Chair
   > Cyber Security Expert - CTI Strategist
   > --
   > CERT.be
   > Centre for Cyber Security Belgium
   > Mail: trey.darley@cert.be
   > GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
   > --
   > Under the authority of the Prime Minister
   > Wetstraat 16 - 1000 Brussels - Belgium
   > Visiting address : Rue Ducale 4 - 1000 Brussels - Belgium
   > Contact: https://www.cert.be
   
   --
   CERT.be
   Centre for Cyber Security Belgium
   Mail: trey.darley@cert.be
   GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
   --
   Under the authority of the Prime Minister
   Wetstraat 16 - 1000 Brussels - Belgium
   Visiting address : Rue Ducale 4 - 1000 Brussels - Belgium
   Contact: https://www.cert.be
   






