OASIS Mailing List Archives

 



cti message



Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0


I am not sure about the license. I am guessing you would need to get OASIS involved and you would need to reach out to everyone that has contributed to see if they are okay with changing the license. My guess is that the easiest way of doing it would be to delete all content from the repo and then change the license. Then ask people to recontribute if they agreed to the new license. But IANAL.


In regards to SEPs, no idea.  I would love to see a full proposal. 


Bret



From: Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>
Sent: Friday, June 7, 2019 10:53:54 AM
To: Bret Jordan; Jason Keirstead; Kirillov, Ivan A.
Cc: OASIS CTI TC list
Subject: RE: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
 

Hi TC,

 

1. What are the steps to change the license? Who can make those changes?

2. Is there a consolidated list of concerns regarding SEPs that can be shared for evaluation by the TC?

 

Marlon Taylor

IT Specialist, Program Management Branch

Cybersecurity and Infrastructure Security Agency                                   


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Bret Jordan
Sent: Friday, June 7, 2019 12:49 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Kirillov, Ivan A. <ikirillov@mitre.org>
Cc: OASIS CTI TC list <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

 

Jason,

 

I am more than willing to get SEPs on the agenda for an upcoming working call, once a full and complete proposal is put forth that addresses the concerns that have been previously discussed.  To this date, no one has done that work.

 

Bret


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, June 7, 2019 10:15:36 AM
To: Kirillov, Ivan A.
Cc: OASIS CTI TC list
Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

 

Agreed, can we move fwd with this, and also the necessary work to add SEP to STIX 2.1?

SEP in 2.1 is a vote blocking issue for me. There are far too many "hanging chads" in STIX to be able to support a 2.1 without SEP because we need SEP to move those fwd in the industry.

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson




From:        "Kirillov, Ivan A." <ikirillov@mitre.org>
To:        OASIS CTI TC list <cti@lists.oasis-open.org>
Date:        06/07/2019 12:33 PM
Subject:        [EXTERNAL] [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
Sent by:        <cti@lists.oasis-open.org>





All,

Where do we stand on this? Can we just swap the license to Apache 2.0 so that we can continue making forward progress with SEPs?

Regards,
Ivan

On 4/10/19, 7:20 AM, "Darley Trey" <cti@lists.oasis-open.org on behalf of trey.darley@cert.be> wrote:

   Hey, Alexandre -
   
   According to Jamie Clark, the problem is not copyright but patent
   protection. According to Jamie, someone contributing to the
   cti-sep-repo under BSD-3 is not giving OASIS a patent license on their
   contribution and that the only approved license which covers both
   copyright and patent protection is Apache-2.0. But ianal, so I will
   defer to Jamie.
   
   Cheers,
   Trey
   
   On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote:
   > Hi Trey,
   >
   > Thank you for the notification.
   >
   > A small question, what's the reasoning of the use of the Apache-2.0 license
   > instead of the BSD-3 license for such external contribution? Especially that
   > BSD-3 is an approved license for the TC[1] and the TC operates under
   > the Non-Assertion Mode which doesn't impose a specific open source license
   > beside the ones approved for the open repositories. Do I miss something
   > more fundamental?
   >
   > Cheers
   >
   > [1] https://www.oasis-open.org/resources/open-repositories/licenses
   >
   > ----- Original Message -----
   > From: "Darley Trey" <trey.darley@cert.be>
   > To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
   > Sent: Wednesday, 10 April, 2019 14:38:54
   > Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
   >
   > Hi, y'all -
   >
   > When I made the initial motion to open the OASIS Open Repository for
   > STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
   > without thinking about it due to the fact that all of the other CTI TC
   > OASIS Open Repositories used BSD-3.
   >
   > Turns out this was a mistake. If we as a TC ever decide we want to
   > pull some elements developed on the SEPs GitHub repository into a
   > future revision of the specifications (which is kind of the point of
   > SEPs), we need all SEPs contributions to be Apache2-licensed so that
   > the same IPR TC protections for normal committee spec development
   > apply.
   >
   > This was discussed at the San Jose F2F and there was unanimity that we
   > should just make this license change. Meanwhile, I've been crazy busy
   > and this task has lingered on my todo list.
   >
   > I am in no way suggesting that the STIX Enhancement Proposal workflow
   > process as currently defined in the GitHub repo is final. We have
   > violent unanimity that we as a TC *need* SEPs but there are still a
   > few key open questions we need to settle before we can say that SEPs
   > is ready to be codified in the TC specs.
   >
   > We have a lot of work in progress and a clear roadmap. I am in no way
   > trying to sidetrack the TC by reopening the wider SEPs discussion
   > at this time. But there are a number of open pull-requests which would
   > be quite interesting to have as contributions to the CTI TC (for
   > example, Caitlin's proposal for an ACH SDO and an SCO for representing
   > Windows Event Logs), plus some other contributions I have heard about
   > privately which are pending the license change. If people are doing
   > good work on the side and happy to contribute it for the TC's
   > consideration, then as a TC we should enable that.
   >
   > Therefore, I would like to request a seven day call for objections to
   > changing the license for the OASIS Open Repository for STIX
   > Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.
   >
   > If there are no objections, then I will work together with Chet and
   > Scott at OASIS to ensure that proper protocol is followed to ensure
   > that all SEPs contributors whose pull-requests Ivan and I already
   > accepted are brought under the new licensing terms and I will request
   > that currently pending pull-requests be reissued under the Apache 2.0
   > license, giving us a clear path forward.
   >
   > Sorry about the long-winded mail, but IPR is complicated and vitally
   > important to our work as a TC. Thank you for your time. ^_^
   >
   > [1]: https://github.com/oasis-open/cti-sep-repository
   >
   > --
   > Cheers,
   > Trey Darley
   > OASIS CTI TC Co-Chair
   > Cyber Security Expert - CTI Strategist
   > --
   > CERT.be
   > Centre for Cyber Security Belgium
   > Mail: trey.darley@cert.be
   > GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
   > --
   > Under the authority of the Prime Minister
   > Wetstraat 16 - 1000 Brussels - Belgium
   > Visiting address : Rue Ducale 4 – 1000 Brussels – Belgium
   > Contact: https://www.cert.be
   
   --
   CERT.be
   Centre for Cyber Security Belgium
   Mail: trey.darley@cert.be
   GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
   --
   Under the authority of the Prime Minister
   Wetstraat 16 - 1000 Brussels - Belgium
   Visiting address : Rue Ducale 4 – 1000 Brussels – Belgium
   Contact: https://www.cert.be
   





