aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

RFC: Specify a license for vulnerablecode Data #277

Closed DennisClark closed 2 years ago

DennisClark commented 3 years ago

We need to specify a license for vulnerablecode Data. Workable candidates include:

cdla-permissive-1.0 https://cdla.io/permissive-1-0/ https://spdx.org/licenses/CDLA-Permissive-1.0.html

and

cc-by-4.0 http://creativecommons.org/licenses/by/4.0/legalcode https://spdx.org/licenses/CC-BY-4.0.html

Both licenses are also in the scancode list.

DennisClark commented 3 years ago

@pombredanne Regarding the overly complex aspect of the cdla-permissive-1.0 license text that you were concerned about, I did a quick comparison between the texts of it and cc-by-4.0, and discovered that the amount of text in cdla-permissive-1.0 is roughly 60% of the amount of text in cc-by-4.0. So maybe one is still easier to read and understand than the other, but cc-by-4.0 is definitely way more verbose.

As before, I see it as a coin toss, and if you still prefer cc-by-4.0, that's ok with me.

DennisClark commented 3 years ago

@pombredanne I did find, I think, a substantive difference between the two licenses. cc-by-4.0 contains the following statement:

1 Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:

whereas the other license has

3.2. You may provide additional or different license terms and conditions for use, reproduction, or distribution of that Enhanced Data, or for any combination of Data and Enhanced Data as a whole, provided that Your Use and Publication of that combined Data otherwise complies with the conditions stated in this License.

Which tells me that if we want to prevent any sublicensing (and I'm not at all sure if we do, and have no opinion on that) then we might want to use cc-by-4.0; otherwise, the cdla-permissive-1.0 is less restricted and more "free" with the main emphasis being on attribution.

pombredanne commented 3 years ago

@DennisClark Thank you ++

Some extra considerations as we are integrating other data:

So our license would be IMHO for:

pombredanne commented 3 years ago

Here is what I think makes the most sense:

  1. overall data (including any future curations) is licensed CC-BY-4.0 ... this is AFAIK compatible with the licenses of all supported datasources (and several use this license)
  2. we track each data source's license

pombredanne commented 2 years ago

Old notice is:

# Copyright (c) nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnerableCode software is licensed under the Apache License version 2.0.
# Data generated with VulnerableCode require an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
# derivative work, you must accompany this data with the following acknowledgment:
#
#  Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
#  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
#  VulnerableCode should be considered or used as legal advice. Consult an Attorney
#  for any legal advice.
#  VulnerableCode is a free software code scanning tool from nexB Inc. and others.
#  Visit https://github.com/nexB/vulnerablecode/ for support and download.

Here is the proposed new notice with the CC-BY-4.0 license:

Copyright (c) nexB Inc. and others. All rights reserved.
VulnerableCode is a trademark of nexB Inc.

SPDX-License-Identifier: Apache-2.0 AND CC-BY-4.0

VulnerableCode software is licensed under the Apache License version 2.0.
VulnerableCode data is licensed collectively under CC-BY-4.0.

See https://www.apache.org/licenses/LICENSE-2.0 for the Apache-2.0 license text.
See https://creativecommons.org/licenses/by/4.0/legalcode for the CC-BY-4.0 license text.

See https://github.com/nexB/vulnerablecode for support or download.
See https://aboutcode.org for more information about nexB OSS projects.

pombredanne commented 2 years ago

@sbs2001 @Hritik14 @tardyp @haikoschol @kartiksibal @rolfschr @tushar912 ping! Any feedback?

pombredanne commented 2 years ago

Actually since we have data that is CC-BY-SA the minimal shared common denominator for the data is going to be CC-BY-SA and not CC-BY.

pombredanne commented 2 years ago

For background, Alpine, Gentoo, victims, Alma and vulncode among others are using the CC-BY-SA license for their data.

So I am going to apply this to the code:

#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/nexB/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#

And have this in the top level notice:

#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0
# VulnerableCode software is licensed under the Apache License version 2.0.
# VulnerableCode data is licensed collectively under CC-BY-SA-4.0.
# See https://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.
#
# See https://github.com/nexB/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#

And this in the UI:

VulnerableCode is free software by nexB Inc. and others.
The source code is licensed under Apache 2.0. The data is licensed under CC-BY-SA-4.0.

pombredanne commented 2 years ago

This has been merged.