Closed mmarseu closed 5 months ago
Should we really use CC here? Though it is compatible with all versions of GPL, according to GNU it should not be used for software.
If you can find another license that applies to this data, I'm all for it. I just wasn't able to, so CC is the only option I could find.
If it was us who selected a license for one of our pieces of software, I'd say we follow GNU's recommendation. But in this case, it's somebody else who decided and we have to live with that.
I've added a NOTICE file to #160 which hopefully should fulfil our obligations resulting from the Apache-2.0 license and CC-BY-3.0. I was too lazy to create a separate PR for this, although that could definitely be done, if #160 will take too long to merge.
Ah, irony is beautiful 😆
There we went and copied raw data about licenses from other open-source projects and neglected to make sure we follow their license conditions.
cdxev/amend/license_name_spdx_id_map.json is largely based off of https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/license-mapping.json which is licensed under Apache-2.0. We also incorporated additional license names and ids from SPDX. Since the raw data that the site is based on - equally ironically - doesn't specify a license, I'd say we refer to the license of the website which is copyrighted by The Linux Foundation and under CC-BY-3.0.