OWASP / www-committee-project

OWASP Foundation Web Repository
http://owasp.org/www-committee-project/

HANDBOOK: Prescribe OSS licenses #60

Open stevespringett opened 1 year ago

stevespringett commented 1 year ago

Some OSI licenses are anti-business or may lead to unintended legal requirements to disclose IP based on a deployments configuration. We should be prescriptive in the licenses we will accept.

hblankenship commented 1 year ago

I will leave this to the discussion of the committee; traditionally, 'any OSI-approved license' was the text. I am happy to change it, if we think it needs to change....

hblankenship commented 1 year ago

No further discussion around 'Any OSI-approved license'?

stevespringett commented 1 year ago

Only supporting OSI approved licenses turned out to be an issue in itself. See https://github.com/OWASP/www-policy/pull/133

IMO, the project committee should prescribe what types of licenses they prefer. I would highly recommend permissive licenses such as Apache 2.0, BSD, and MIT.

Many developers (future OWASP project leaders) will not know the nuances of the various licenses and will likely choose a license they've heard of or have used before without truly understanding its limitations or obligations. In some cases, the choice of license may limit the adoption of a project. For example, if a library chooses to use the GPLv3, it will have very limited adoption in any commercial tools. This happened to Jeremy Long on the Dependency-Check project. See https://github.com/jeremylong/DependencyCheck/commits/main/LICENSE.txt. The handbook should provide this level of guidance. At the same time, there may be cases where a commercial entity is donating a project to OWASP and they absolutely want to use a copyleft license such as the GPL, as it requires certain obligations of potential competitors.

I would, however, limit the choice of licenses to a dozen or less. I would recommend any other license choice be evaluated by OWASP Counsel.