search

OpenC2-org / openc2-working-group

The Open Command and Control Forum promotes the global development and adoption of the OpenC2 language and reference material.
Other
1 stars 0 forks source link

Should license information be included #13

Closed sparrell closed 8 years ago

sparrell commented 8 years ago

PROBLEM

There is software in this repository that does not contain license information. Is it 'open source'? Or is it 'proprietary'? A very specific problem I have is I don't know if I'm 'allowed' to clone the python code at https://github.com/OpenC2-org/openc2-working-group/blob/master/working/dod/codec.py into a 'public' repository and use it to make my own reference implementation.

POTENTIAL SOLUTION

At the beginning of each file include something referencing which licensing model. Ideally they would say:

%%% Copyright "author"

%%% Redistribution and use in source and binary forms, with or without
%%% modification, are permitted provided that the following conditions are
%%% met:
%%%
%%% * Redistributions of source code must retain the above copyright
%%%   notice, this list of conditions and the following disclaimer.
%%%
%%% * Redistributions in binary form must reproduce the above copyright
%%%   notice, this list of conditions and the following disclaimer in the
%%%   documentation and/or other materials provided with the distribution.
%%%
%%% * The names of its contributors may not be used to endorse or promote
%%%   products derived from this software without specific prior written
%%%   permission.
%%%
%%% THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
%%% "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
%%% LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
%%% A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
%%% OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
%%% SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
%%% LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
%%% DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
%%% THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
%%% (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
%%% OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
%%%-------------------------------------------------------------------
jmbrule commented 8 years ago

You are absolutely correct, we need to have the open source lisc information included in a comment block within the code. To be quite frank with you, I am quite open wrt which open source license model we use. One of our colleagues suggested the Eclipse Public License - v 1.0 model, again, I don't have a strong preference. My primary concerns are: Don't sue the gov't for a ton of money if you find a bug in the code, don't charge us a royalty if we use the code. If someone wants to clone/ use it, then knock yourself out.

I am going to state point blank, if it is code that was produced by the MPO, then it will be open source licsense, don't sue us, we wont charge you a royalty, acknowledge the author of the code. I will reach out to the primary authors to get the licenses pasted in their code.

The matter that still needs to be resolved is, which open source liscense? Apache? BSD? Eclipse? Other?

sparrell commented 8 years ago

useful links in deciding:

The first gives some good parameters about choosing.

sparrell commented 8 years ago

I am not a lawyer but I'm not sure Eclipse meets your (and my) requirement "don't charge us a royalty if we use". Some of the websites imply it is weaker in this area. MIT is the most popular according to https://www.blackducksoftware.com/top-open-source-licenses and the most permissive according to http://choosealicense.com/ so I'd favor it. But I'm not sure all the large corporations would swallow that one.

One alternative would be each author/organization determines their own licensing of what they contribute and the only openC2 requirement be that it be an open source license on canonical OS list at https://opensource.org/licenses/index.html. This has drawback of being messy so ideally we'd all agree on a standard license.

jmbrule commented 8 years ago

The alternative of allowing each author to determine their own licensing is tempting in that it will be the most flexible and should make it easiest for our contributors. Our Membership agreement (which is still wallowing in the lawyers shop) does have IPR protections and terms of submissions in it, so will minimize the 'messiness' concerns. Having said that, I think the Apache license has a nice balance and hope that we can get all of our contributors to agree they can live with it. Still quite open, but leaves our industry members some room if they want to add their own features and distinguish their products in the marketplace.

jordan2175 commented 8 years ago

The Apache 2 license seems, IMHO, to be a good option.

Thanks, Bret PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Sep 7, 2016, at 11:43, Joe Brule notifications@github.com wrote:

The alternative of allowing each author to determine their own licensing is tempting in that it will be the most flexible and should make it easiest for our contributors. Our Membership agreement (which is still wallowing in the lawyers shop) does have IPR protections and terms of submissions in it, so will minimize the 'messiness' concerns. Having said that, I think the Apache license has a nice balance and hope that we can get all of our contributors to agree they can live with it. Still quite open, but leaves our industry members some room if they want to add their own features and distinguish their products in the marketplace.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/OpenC2-org/openc2-working-group/issues/13#issuecomment-245360394, or mute the thread https://github.com/notifications/unsubscribe-auth/AJk2GFsqMEjp8NpYU9EiTK1gyWehKzc3ks5qnve8gaJpZM4Jz6dK.

romanojd commented 8 years ago

All software developed for this effort is considered "open source" and needs to contain an open source license statement. The recommended open source license is Apache, although other open source licenses could be used.

Per the discussion at the 2016-09-15 Forum Meeting, this issue is CLOSED.