cti message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Re: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Bret Jordan <Bret_Jordan@symantec.com>
- Date: Fri, 7 Jun 2019 19:49:40 -0300
Brett- Respectfully,
I disagree with that characterization of the state of affairs.
There was a fairly
robust SEP proposal brought to the TC, and discussed at length at the January
F2F led by Trey. It was actually the #1 item on that agenda.
The TC as a whole
decided to delay the discussion of SEPs until the top-level-SCO mini group
was disbanded and that work merged into the document, because the view
was that we had to focus on one thing at a time.
Now that that
has transpired, the SEP discussion should be finalized. If that means another
mini group then fine, but It was never pulled from the 2.1 agenda. It was
actually the #1 thing on the list of "Whats in 2.1" at the F2F.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple,
really. Double your rate of failure."
- Thomas J. Watson
From:
Bret
Jordan <Bret_Jordan@symantec.com>
To:
Jason
Keirstead <Jason.Keirstead@ca.ibm.com>, "Kirillov, Ivan A."
<ikirillov@mitre.org>
Cc:
OASIS
CTI TC list <cti@lists.oasis-open.org>
Date:
06/07/2019
01:48 PM
Subject:
[EXTERNAL]
Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the
SEPs Open Repository license from BSD-3 to Apache-2.0
Sent
by: <cti@lists.oasis-open.org>
Jason,
I
am more than willing to get SEPs on the agenda for an upcoming working
call, once a full and complete proposal is put forth that addresses the
concerns that have been previously discussed. To this date, no one
has done that work.
Bret
From: cti@lists.oasis-open.org
<cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, June 7, 2019 10:15:36 AM
To: Kirillov, Ivan A.
Cc: OASIS CTI TC list
Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing
the SEPs Open Repository license from BSD-3 to Apache-2.0
Agreed, can we
move fwd with this, and also the necessary work to add SEP to STIX 2.1?
SEP in 2.1 is a vote blocking issue for me. There are far too many "hanging
chads" in STIX to be able to support a 2.1 without SEP because we
need SEP to move those fwd in the industry.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple,
really. Double your rate of failure."
- Thomas J. Watson
From: "Kirillov,
Ivan A." <ikirillov@mitre.org>
To: OASIS
CTI TC list <cti@lists.oasis-open.org>
Date: 06/07/2019
12:33 PM
Subject: [EXTERNAL]
[cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open
Repository license from BSD-3 to Apache-2.0
Sent by: <cti@lists.oasis-open.org>
All,
Where do we stand on this? Can we just swap the license to Apache 2.0 so
that we can continue making forward progress with SEPs?
Regards,
Ivan
ïOn 4/10/19, 7:20 AM, "Darley Trey" <cti@lists.oasis-open.org
on behalf of trey.darley@cert.be> wrote:
Hey, Alexandre -
According to Jamie Clark, the problem is not copyright but patent
protection. According to Jamie, someone contributing to the
cti-sep-repo under BSD-3 is not giving OASIS a patent license on
their
contribution and that the only approved license which covers both
copyright and patent protection is Apache-2.0. But ianal, so I
will
defer to Jamie.
Cheers,
Trey
On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote:
> Hi Trey,
>
> Thank you for the notification.
>
> A small question, what's the reasoning of the use of the Apache-2.0
license
> instead of the BSD-3 license for such external contribution?
Especially that
> BSD-3 is an approved licensed for the TC[1] and the TC is
operates under
> the Non-Assertion Mode which doesn't impose a specific open
source license
> beside the ones approved for the open repositories. Do I miss
something
> more fundamental?
>
> Cheers
>
> [1] https://www.oasis-open.org/resources/open-repositories/licenses
>
> ----- Original Message -----
> From: "Darley Trey" <trey.darley@cert.be>
> To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
> Sent: Wednesday, 10 April, 2019 14:38:54
> Subject: [cti] Call for objections to changing the SEPs Open
Repository license from BSD-3 to Apache-2.0
>
> Hi, y'all -
>
> When I made the initial motion to open the OASIS Open Repository
for
> STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
> without thinking about it due to the fact that all of the
other CTI TC
> OASIS Open Repositories used BSD-3.
>
> Turns out this was a mistake. If we as a TC ever decide we
want to
> pull some elements developed on the SEPs GitHub repository
into a
> future revision of the specifications (which is kind of the
point of
> SEPs), we need all SEPs contributions to be Apache2-licensed
so that
> the same IPR TC protections for normal committee spec development
to
> apply.
>
> This was discussed at the San Jose F2F and there was unanimity
that we
> should just make this license change. Meanwhile, I've been
crazy busy
> and this task has lingered on my todo list.
>
> I am in no way suggesting that the STIX Enhancement Proposal
workflow
> process as currently defined in the GitHub repo is final.
We have
> violent unanimity that we as a TC *need* SEPs but there are
still a
> few key open questions we need to settle before we can say
that SEPs
> is ready to be codified in the TC specs.
>
> We have a lot of work in progress and a clear roadmap. I am
in no way
> trying to sidetrack the TC by reopening the wider SEPs discussion
> at this time. But there are a number of open pull-requests
which would
> be quite interesting to have as contributions to the CTI TC
(for
> example, Caitlin's proposal for an ACH SDO and an SCO for
representing
> Windows Event Logs), plus some other contributions I have
heard about
> privately which are pending the license change. If people
are doing
> good work on the side and happy to contribute it for the TC's
> consideration, then as a TC we should enable that.
>
> Therefore, I would like to request a seven day call for objections
to
> changing the license for the OASIS Open Repository for STIX
> Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.
>
> If there are no objections, then I will work together with
Chet and
> Scott at OASIS to ensure that proper protocol is followed
to ensure
> that all SEPs contributors whose pull-requests Ivan and I
already
> accepted are brought under the new licensing terms and I will
request
> that currently pending pull-requests be reissued under the
Apache 2.0
> license, giving us a clear path forward.
>
> Sorry about the long-winded mail, but IPR is complicated and
vitally
> important to our work as a TC. Thank you for your time. ^_^
>
> [1]: https://github.com/oasis-open/cti-sep-repository
>
> --
> Cheers,
> Trey Darley
> OASIS CTI TC Co-Chair
> Cyber Security Expert - CTI Strategist
> --
> CERT.be
> Centre for Cyber Security Belgium
> Mail: trey.darley@cert.be
> GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E
> --
> Under the authority of the Prime Minister
> Wetstraat 16 - 1000 Brussels - Belgium
> Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium
> Contact: https://www.cert.be
--
CERT.be
Centre for Cyber Security Belgium
Mail: trey.darley@cert.be
GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E
--
Under the authority of the Prime Minister
Wetstraat 16 - 1000 Brussels - Belgium
Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium
Contact: https://www.cert.be
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]