

Subject: Re: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0


Chris,


Agreed, previously things have not been tracked well and that is truly unfortunate.  However, once 2.1 gets out the door, I am going to push for a different, more structured way of tracking items and decisions.


It is just going to take us some time to get there.  Keep in mind, in the past month we have triaged 150 issues in Github, so we are making progress. But we need to clean up the way we do things and bring some structure to it. 


After 2.1 ships I plan on having a few working calls dedicated to "how we do business and how we track it".


Bret


From: Lenk, Chris <clenk@mitre.org>
Sent: Monday, June 10, 2019 9:51:18 AM
To: Sean Barnum; Bret Jordan; Jason Keirstead
Cc: OASIS CTI TC list; Kirillov, Ivan A.
Subject: RE: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
 

This doesn’t seem like the first time different people have remembered different outcomes from the same F2F. I don’t doubt that an agreement was made to wait on SEPs, but I couldn’t find where this consensus was tracked on the mailing list or in meeting notes, and there is no issue in the GitHub tracker for SEPs. I don’t think this question would have come up right now if the current status was tracked more clearly.

 

For the low-hanging fruit of just changing the license, only Trey, Ivan, and Chet have commits attributed to them in the repository. There are pull requests from others but they haven’t been merged in yet, so maybe we can change the license and then ask if they’re still okay with it.

 

Chris Lenk

 

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Sean Barnum
Sent: Friday, June 7, 2019 11:35 PM
To: Bret Jordan <Bret_Jordan@symantec.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: OASIS CTI TC list <cti@lists.oasis-open.org>; Kirillov, Ivan A. <ikirillov@mitre.org>
Subject: Re: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

 

I agree with Bret.

SEPs were discussed at length at the F2F including several significant issues raised with the current proposal that after much discussion and debate we were not able to reach any sort of consensus on a solution that worked.

Part of this discussion was on the last day not long before the f2f ended and, as Bret said, the agreement was to push it out past 2.1 when we had time to explore potential solutions and not slow things down.

 

While I would love to have a working solution for SEPs ASAP, I would not support reopening this can of worms for 2.1.

 

Sean Barnum

Principal Architect

FireEye

M: 703.473.8262

E: sean.barnum@fireeye.com

 

From: <cti@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Friday, June 7, 2019 at 10:40 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: OASIS CTI TC list <cti@lists.oasis-open.org>, "Kirillov, Ivan A." <ikirillov@mitre.org>
Subject: Re: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

 

Jason,

 

You are correct that at the last F2F we talked about SEPs, a lot actually.  But at the end, we also talked about just life-boating SEPs out of 2.1 since we could not get agreement on how they should work and spending the time needed to figure them out would just delay STIX 2.1. Everyone at the F2F agreed that the changes to cyber observables / malware / and infrastructure were far more important. I believe this was talked about at the working call and full TC meetings post F2F.

 

Fast Forward a bit. 

 

For the last 15 weeks we have been executing our work based on the Project Plan we all worked on at the end of February. Every working call since, we review the items on this list and ask for comments or concerns with this project plan. This project plan lists everything that we need to do to get a CS out the door.  Since we created this 15 weeks ago, SEPs have not been on that project plan and no one has brought that up, until now.

 

If the TC as a whole wants to add SEPs in to 2.1, then the TC can make that decision.  But as of right now it is not on the project plan for 2.1.

 

As a chair I would ask that before this is scheduled for a working call, that a proposal be created that addresses all of the concerns that were raised at the last F2F. 

 

We need to stay focused on getting 2.1 out the door.  If SEPs get added back, it would be after Working Draft 05 and would probably need to be in a Working Draft 06.  While our original plan was to have Working Draft 05 be the semi-final version, if the TC decides, we can change that. 

 

Bret

 


From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, June 7, 2019 4:49:40 PM
To: Bret Jordan
Cc: OASIS CTI TC list; Kirillov, Ivan A.
Subject: Re: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

 

Bret - Respectfully, I disagree with that characterization of the state of affairs.

There was a fairly robust SEP proposal brought to the TC, and discussed at length at the January F2F led by Trey. It was actually the #1 item on that agenda.

The TC as a whole decided to delay the discussion of SEPs until the top-level-SCO mini group was disbanded and that work merged into the document, because the view was that we had to focus on one thing at a time.

Now that that has transpired, the SEP discussion should be finalized. If that means another mini group then fine, but it was never pulled from the 2.1 agenda. It was actually the #1 thing on the list of "What's in 2.1" at the F2F.

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson




From:        Bret Jordan <Bret_Jordan@symantec.com>
To:        Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Kirillov, Ivan A." <ikirillov@mitre.org>
Cc:        OASIS CTI TC list <cti@lists.oasis-open.org>
Date:        06/07/2019 01:48 PM
Subject:        [EXTERNAL] Re:  [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
Sent by:        <cti@lists.oasis-open.org>


 

Jason,

I am more than willing to get SEPs on the agenda for an upcoming working call, once a full and complete proposal is put forth that addresses the concerns that have been previously discussed.  To this date, no one has done that work.

Bret

 



From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, June 7, 2019 10:15:36 AM
To: Kirillov, Ivan A.
Cc: OASIS CTI TC list
Subject: Re: [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0

 
Agreed, can we move fwd with this, and also the necessary work to add SEP to STIX 2.1?

SEP in 2.1 is a vote blocking issue for me. There are far too many "hanging chads" in STIX to be able to support a 2.1 without SEP because we need SEP to move those fwd in the industry.


-
Jason Keirstead
Lead Architect - IBM Security Connect

www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson




From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: OASIS CTI TC list <cti@lists.oasis-open.org>
Date: 06/07/2019 12:33 PM
Subject: [EXTERNAL] [cti] Re: [EXT] Re: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
Sent by: <cti@lists.oasis-open.org>





All,

Where do we stand on this? Can we just swap the license to Apache 2.0 so that we can continue making forward progress with SEPs?

Regards,
Ivan

On 4/10/19, 7:20 AM, "Darley Trey" <cti@lists.oasis-open.org on behalf of trey.darley@cert.be> wrote:

  Hey, Alexandre -
 
  According to Jamie Clark, the problem is not copyright but patent
  protection. According to Jamie, someone contributing to the
  cti-sep-repo under BSD-3 is not giving OASIS a patent license on their
  contribution and that the only approved license which covers both
  copyright and patent protection is Apache-2.0. But ianal, so I will
  defer to Jamie.
 
  Cheers,
  Trey
 
  On 10.04.2019 15:02:48, Alexandre Dulaunoy wrote:
  > Hi Trey,
  >
  > Thank you for the notification.
  >
  > A small question, what's the reasoning of the use of the Apache-2.0 license
  > instead of the BSD-3 license for such external contribution? Especially that
  > BSD-3 is an approved license for the TC[1] and the TC operates under
  > the Non-Assertion Mode which doesn't impose a specific open source license
  > beside the ones approved for the open repositories. Do I miss something
  > more fundamental?
  >
  > Cheers
  >
  > [1] https://www.oasis-open.org/resources/open-repositories/licenses
  >
  > ----- Original Message -----
  > From: "Darley Trey" <trey.darley@cert.be>
  > To: "OASIS CTI TC list" <cti@lists.oasis-open.org>
  > Sent: Wednesday, 10 April, 2019 14:38:54
  > Subject: [cti] Call for objections to changing the SEPs Open Repository license from BSD-3 to Apache-2.0
  >
  > Hi, y'all -
  >
  > When I made the initial motion to open the OASIS Open Repository for
  > STIX Enhancement Proposals (SEPs) [1], I chose the BSD-3 license
  > without thinking about it due to the fact that all of the other CTI TC
  > OASIS Open Repositories used BSD-3.
  >
  > Turns out this was a mistake. If we as a TC ever decide we want to
  > pull some elements developed on the SEPs GitHub repository into a
  > future revision of the specifications (which is kind of the point of
  > SEPs), we need all SEPs contributions to be Apache2-licensed so that
  > the same IPR TC protections for normal committee spec development
  > apply.
  >
  > This was discussed at the San Jose F2F and there was unanimity that we
  > should just make this license change. Meanwhile, I've been crazy busy
  > and this task has lingered on my todo list.
  >
  > I am in no way suggesting that the STIX Enhancement Proposal workflow
  > process as currently defined in the GitHub repo is final. We have
  > violent unanimity that we as a TC *need* SEPs but there are still a
  > few key open questions we need to settle before we can say that SEPs
  > is ready to be codified in the TC specs.
  >
  > We have a lot of work in progress and a clear roadmap. I am in no way
  > trying to sidetrack the TC by reopening the wider SEPs discussion
  > at this time. But there are a number of open pull-requests which would
  > be quite interesting to have as contributions to the CTI TC (for
  > example, Caitlin's proposal for an ACH SDO and an SCO for representing
  > Windows Event Logs), plus some other contributions I have heard about
  > privately which are pending the license change. If people are doing
  > good work on the side and happy to contribute it for the TC's
  > consideration, then as a TC we should enable that.
  >
  > Therefore, I would like to request a seven day call for objections to
  > changing the license for the OASIS Open Repository for STIX
  > Enhancement Proposals (SEPs) [1] from BSD-3 to Apache 2.0.
  >
  > If there are no objections, then I will work together with Chet and
  > Scott at OASIS to ensure that proper protocol is followed to ensure
  > that all SEPs contributors whose pull-requests Ivan and I already
  > accepted are brought under the new licensing terms and I will request
  > that currently pending pull-requests be reissued under the Apache 2.0
  > license, giving us a clear path forward.
  >
  > Sorry about the long-winded mail, but IPR is complicated and vitally
  > important to our work as a TC. Thank you for your time. ^_^
  >
  > [1]: https://github.com/oasis-open/cti-sep-repository
  >
  > --
  > Cheers,
  > Trey Darley
  > OASIS CTI TC Co-Chair
  > Cyber Security Expert - CTI Strategist
  > --
  > CERT.be
  > Centre for Cyber Security Belgium
  > Mail: trey.darley@cert.be
  > GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
  > --
  > Under the authority of the Prime Minister
  > Wetstraat 16 - 1000 Brussels - Belgium
  > Visiting address : Rue Ducale 4 – 1000 Brussels – Belgium
  > Contact: https://www.cert.be
 
  --
  CERT.be
  Centre for Cyber Security Belgium
  Mail: trey.darley@cert.be
  GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
  --
  Under the authority of the Prime Minister
  Wetstraat 16 - 1000 Brussels - Belgium
  Visiting address : Rue Ducale 4 – 1000 Brussels – Belgium
  Contact: https://www.cert.be
 




