Add license and notice for ubuntu importer

TG1999 · TG1999 · commit ea4fb3b3f7ef · 2023-01-26T13:52:37.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/importers/ubuntu.py b/vulnerabilities/importers/ubuntu.py
@@ -19,8 +19,48 @@
 
 
 class UbuntuImporter(OvalImporter):
-    spdx_license_expression = "GPL"
-    license_url = "https://ubuntu.com/legal/terms"
+    spdx_license_expression = "LicenseRef-scancode-other-permissive"
+    notice = """
+    From: Seth Arnold <seth.arnold@canonical.com>
+    Date: Wed, Jan 25, 2023 at 2:02 AM
+    Subject: Re: [ubuntu-hardened] Usage of Ubuntu Security Data in VulnerableCode
+    To: Tushar Goel <tushar.goel.dav@gmail.com>
+    Cc: <ubuntu-hardened@lists.ubuntu.com>, Philippe Ombredanne <pombredanne@nexb.com>, jmhoran@nexb.com <jmhoran@nexb.com>
+    
+    
+    On Wed, Jan 11, 2023 at 06:27:38PM +0530, Tushar Goel wrote:
+    > We would like to integrate the Ubuntu usn data[1][2] and
+    > Ubuntu security data (OVAL format)[3] in vulnerablecode[4]
+    > which is a FOSS db of FOSS vulnerability data. We were not
+    > able to know under which license this security data comes.
+    > We would be grateful to have your acknowledgement over usage of
+    > the ubuntu security data in vulnerablecode and have
+    > some kind of licensing declaration from your side.
+    
+    Hello Tushar, we do not have an explicit license on this data.
+    
+    We share our data with the intention that others will use it. Please
+    feel free to use it for the general furtherance of security.
+    
+    Much of the data that's contained within our databases is sourced from
+    third parties, who also shared their data with the intention that others
+    will use it. I'm not sure what it would look like to try to put a license
+    on data that is crowd-sourced from thousands of contributors. (If you were
+    to start such a project today, it'd probably be one of the first things to
+    formalize. But when CVE was started two decades ago, the primary goal was
+    sharing knowledge and simplifying the vulnerability remediation process,
+    and licensing the data was, as far as I can remember, not considered.
+    Sharing was the goal.)
+    
+    I will ask that vulnerablecode 'be nice' to our infrastructure that
+    hosts the databases -- some automated uses of our infrastructure by
+    vulnerability scanner tools has lead to significant load and engineering
+    effort. In general, please prefer a small handful of systems updating
+    mirrors roughly twice a day rather than thousands of hosts pulling
+    data hourly.
+    
+    Thanks
+    """
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
