[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
|
Jason,
You are correct that at the last F2F we talked about SEPs, a lot actually. But at the end, we also talked about just life-boating SEPs out of 2.1 since we could not get agreement on how they should work and spending the time needed to figure them out would just delay STIX 2.1. Everyone at the F2F has agreed that the changes to cyber observables / malware / and infrastructure was far more important. I believe this was talked about at the working call and full TC meetings post F2F.
Fast Forward a bit.
For the last 15 weeks we have been executing our work based on the Project Plan we all worked on at the end of February. Every working call since we review the items on this list and ask for comments or concerns with this project plan. This project plan lists everything that we need to do to get a CS out the door. Since we created this 15 weeks ago, SEPs have not been on that project plan and no one has brought that up, until now.
If the TC has a whole wants to add SEPs in to 2.1, then the TC can make that decision. But as of right now it is not on the project plan for 2.1.
As a chair I would ask that before this is scheduled for a working call, that a proposal be created that addresses all of the concerns that were raised at the last F2F.
We need to stay focused on getting 2.1 out the door. If SEPs get added back, it would be after Working Draft 05 and would probably need to be in a Working Draft 06. While our original plan was to have Working Draft 05 be the semi-final version, if the TC decides, we can change that.
Bret
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, June 7, 2019 4:49:40 PM To: Bret Jordan Cc: OASIS CTI TC list; Kirillov, Ivan A. Subject: Re: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0 Brett- Respectfully, I disagree with that characterization of the state of affairs.
There was a fairly robust SEP proposal brought to the TC, and discussed at length at the January F2F led by Trey. It was actually the #1 item on that agenda. The TC as a whole decided to delay the discussion of SEPs until the top-level-SCO mini group was disbanded and that work merged into the document, because the view was that we had to focus on one thing at a time. Now that that has transpired, the SEP discussion should be finalized. If that means another mini group then fine, but It was never pulled from the 2.1 agenda. It was actually the #1 thing on the list of "Whats in 2.1" at the F2F. - Jason Keirstead Lead Architect - IBM Security Connect www.ibm.com/security "Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure." - Thomas J. Watson From: Bret Jordan <Bret_Jordan@symantec.com> To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Kirillov, Ivan A." <ikirillov@mitre.org> Cc: OASIS CTI TC list <cti@lists.oasis-open.org> Date: 06/07/2019 01:48 PM Subject: [EXTERNAL] Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0 Sent by: <cti@lists.oasis-open.org> Jason, I am more than willing to get SEPs on the agenda for an upcoming working call, once a full and complete proposal is put forth that addresses the concerns that have been previously discussed. To this date, no one has done that work. Bret From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com> Sent: Friday, June 7, 2019 10:15:36 AM To: Kirillov, Ivan A. Cc: OASIS CTI TC list Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0 Agreed, can we move fwd with this, and also the necessary work to add SEP to STIX 2.1? SEP in 2.1 is a vote blocking issue for me. There are far too many "hanging chads" in STIX to be able to support a 2.1 without SEP because we need SEP to move those fwd in the industry. - Jason Keirstead Lead Architect - IBM Security Connect www.ibm.com/security "Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure." - Thomas J. Watson From: "Kirillov, Ivan A." <ikirillov@mitre.org> To: OASIS CTI TC list <cti@lists.oasis-open.org> Date: 06/07/2019 12:33 PM Subject: [EXTERNAL] [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0 Sent by: <cti@lists.oasis-open.org> All, Where do we stand on this? Can we just swap the license to Apache 2.0 so that we can continue making forward progress with SEPs? Regards, Ivan ïOn 4/10/19, 7:20 AM, "Darley Trey" <cti@lists.oasis-open.org on behalf of trey.darley@cert.be> wrote: Hey, Alexandre - According to Jamie Clark, the problem is not copyright but patent protection. According to Jamie, someone contributing to the cti-sep-repo under BSD-3 is not giving OASIS a patent license on their contribution and that the only approved license which covers both copyright and patent protection is Apache-2.0. But ianal, so I will defer to Jamie. Cheers, Trey On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote: > Hi Trey, > > Thank you for the notification. > > A small question, what's the reasoning of the use of the Apache-2.0 license > instead of the BSD-3 license for such external contribution? Especially that > BSD-3 is an approved licensed for the TC[1] and the TC is operates under > the Non-Assertion Mode which doesn't impose a specific open source license > beside the ones approved for the open repositories. Do I miss something > more fundamental? > > Cheers > > [1] https://www.oasis-open.org/resources/open-repositories/licenses > > ----- Original Message ----- > From: "Darley Trey" <trey.darley@cert.be> > To: "OASIS CTI TC list" <cti@lists.oasis-open.org> > Sent: Wednesday, 10 April, 2019 14:38:54 > Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0 > > Hi, y'all - > > When I made the initial motion to open the OASIS Open Repository for > STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license > without thinking about it due to the fact that all of the other CTI TC > OASIS Open Repositories used BSD-3. > > Turns out this was a mistake. If we as a TC ever decide we want to > pull some elements developed on the SEPs GitHub repository into a > future revision of the specifications (which is kind of the point of > SEPs), we need all SEPs contributions to be Apache2-licensed so that > the same IPR TC protections for normal committee spec development to > apply. > > This was discussed at the San Jose F2F and there was unanimity that we > should just make this license change. Meanwhile, I've been crazy busy > and this task has lingered on my todo list. > > I am in no way suggesting that the STIX Enhancement Proposal workflow > process as currently defined in the GitHub repo is final. We have > violent unanimity that we as a TC *need* SEPs but there are still a > few key open questions we need to settle before we can say that SEPs > is ready to be codified in the TC specs. > > We have a lot of work in progress and a clear roadmap. I am in no way > trying to sidetrack the TC by reopening the wider SEPs discussion > at this time. But there are a number of open pull-requests which would > be quite interesting to have as contributions to the CTI TC (for > example, Caitlin's proposal for an ACH SDO and an SCO for representing > Windows Event Logs), plus some other contributions I have heard about > privately which are pending the license change. If people are doing > good work on the side and happy to contribute it for the TC's > consideration, then as a TC we should enable that. > > Therefore, I would like to request a seven day call for objections to > changing the license for the OASIS Open Repository for STIX > Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0. > > If there are no objections, then I will work together with Chet and > Scott at OASIS to ensure that proper protocol is followed to ensure > that all SEPs contributors whose pull-requests Ivan and I already > accepted are brought under the new licensing terms and I will request > that currently pending pull-requests be reissued under the Apache 2.0 > license, giving us a clear path forward. > > Sorry about the long-winded mail, but IPR is complicated and vitally > important to our work as a TC. Thank you for your time. ^_^ > > [1]: https://github.com/oasis-open/cti-sep-repository > > -- > Cheers, > Trey Darley > OASIS CTI TC Co-Chair > Cyber Security Expert - CTI Strategist > -- > CERT.be > Centre for Cyber Security Belgium > Mail: trey.darley@cert.be > GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E > -- > Under the authority of the Prime Minister > Wetstraat 16 - 1000 Brussels - Belgium > Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium > Contact: https://www.cert.be -- CERT.be Centre for Cyber Security Belgium Mail: trey.darley@cert.be GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E -- Under the authority of the Prime Minister Wetstraat 16 - 1000 Brussels - Belgium Visiting address : Rue Ducale 4 â 1000 Brussels â Belgium Contact: https://www.cert.be |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]