Hi TC,
1. What are the steps to change the license? Who can make those changes?
2. Is there a consolidated list of concerns regarding SEPs that can be shared for evaluation by the TC?
Marlon Taylor
IT Specialist, Program Management Branch
Cybersecurity and Infrastructure Security Agency
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
On Behalf Of Bret Jordan
Sent: Friday, June 7, 2019 12:49 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Kirillov, Ivan A. <ikirillov@mitre.org>
Cc: OASIS CTI TC list <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
Jason,
I am more than willing to get SEPs on the agenda for an upcoming working call, once a full and complete proposal is put forth that addresses the concerns that have been previously discussed. To
this date, no one has done that work.
Bret
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of
Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, June 7, 2019 10:15:36 AM
To: Kirillov, Ivan A.
Cc: OASIS CTI TC list
Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
Agreed, can we move fwd with this, and also the necessary work to add SEP to STIX 2.1?
SEP in 2.1 is a vote blocking issue for me. There are far too many "hanging chads" in STIX to be able to support a 2.1 without SEP because we need SEP to move those fwd in the industry.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."
- Thomas J. Watson
From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: OASIS CTI TC list <cti@lists.oasis-open.org>
Date: 06/07/2019 12:33 PM
Subject: [EXTERNAL] [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license
from BSD-3 to Apache-2.0
Sent by: <cti@lists.oasis-open.org>
All,
Where do we stand on this? Can we just swap the license to Apache 2.0 so that we can continue making forward progress with SEPs?
Regards,
Ivan
On 4/10/19, 7:20 AM, "Darley Trey" <cti@lists.oasis-open.org on behalf of trey.darley@cert.be> wrote:
Hey, Alexandre -
According to Jamie Clark, the problem is not copyright but patent
protection. According to Jamie, someone contributing to the
cti-sep-repo under BSD-3 is not giving OASIS a patent license on their
contribution and that the only approved license which covers both
copyright and patent protection is Apache-2.0. But ianal, so I will
defer to Jamie.
Cheers,
Trey
On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote:
> Hi Trey,
>
> Thank you for the notification.
>
> A small question, what's the reasoning of the use of the Apache-2.0 license
> instead of the BSD-3 license for such external contribution? Especially that
> BSD-3 is an approved license for the TC[1] and the TC operates under
> the Non-Assertion Mode which doesn't impose a specific open source license
> beside the ones approved for the open repositories. Do I miss something
> more fundamental?
>
> Cheers
>
> [1] https://www.oasis-open.org/resources/open-repositories/licenses
>
> ----- Original Message -----
> From: "Darley Trey" <trey.darley@cert.be>
> To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
> Sent: Wednesday, 10 April, 2019 14:38:54
> Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
>
> Hi, y'all -
>
> When I made the initial motion to open the OASIS Open Repository for
> STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
> without thinking about it due to the fact that all of the other CTI TC
> OASIS Open Repositories used BSD-3.
>
> Turns out this was a mistake. If we as a TC ever decide we want to
> pull some elements developed on the SEPs GitHub repository into a
> future revision of the specifications (which is kind of the point of
> SEPs), we need all SEPs contributions to be Apache2-licensed so that
> the same IPR TC protections for normal committee spec development
> apply.
>
> This was discussed at the San Jose F2F and there was unanimity that we
> should just make this license change. Meanwhile, I've been crazy busy
> and this task has lingered on my todo list.
>
> I am in no way suggesting that the STIX Enhancement Proposal workflow
> process as currently defined in the GitHub repo is final. We have
> violent unanimity that we as a TC *need* SEPs but there are still a
> few key open questions we need to settle before we can say that SEPs
> is ready to be codified in the TC specs.
>
> We have a lot of work in progress and a clear roadmap. I am in no way
> trying to sidetrack the TC by reopening the wider SEPs discussion
> at this time. But there are a number of open pull-requests which would
> be quite interesting to have as contributions to the CTI TC (for
> example, Caitlin's proposal for an ACH SDO and an SCO for representing
> Windows Event Logs), plus some other contributions I have heard about
> privately which are pending the license change. If people are doing
> good work on the side and happy to contribute it for the TC's
> consideration, then as a TC we should enable that.
>
> Therefore, I would like to request a seven day call for objections to
> changing the license for the OASIS Open Repository for STIX
> Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.
>
> If there are no objections, then I will work together with Chet and
> Scott at OASIS to ensure that proper protocol is followed to ensure
> that all SEPs contributors whose pull-requests Ivan and I already
> accepted are brought under the new licensing terms and I will request
> that currently pending pull-requests be reissued under the Apache 2.0
> license, giving us a clear path forward.
>
> Sorry about the long-winded mail, but IPR is complicated and vitally
> important to our work as a TC. Thank you for your time. ^_^
>
> [1]: https://github.com/oasis-open/cti-sep-repository
>
> --
> Cheers,
> Trey Darley
> OASIS CTI TC Co-Chair
> Cyber Security Expert - CTI Strategist
> --
> CERT.be
> Centre for Cyber Security Belgium
> Mail: trey.darley@cert.be
> GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E
> --
> Under the authority of the Prime Minister
> Wetstraat 16 - 1000 Brussels - Belgium
> Visiting address : Rue Ducale 4 - 1000 Brussels - Belgium
> Contact: https://www.cert.be
--
CERT.be
Centre for Cyber Security Belgium
Mail: trey.darley@cert.be
GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E
--
Under the authority of the Prime Minister
Wetstraat 16 - 1000 Brussels - Belgium
Visiting address : Rue Ducale 4 - 1000 Brussels - Belgium
Contact: https://www.cert.be