RFC: Specify a license for vulnerablecode Data #277

Closed
DennisClark opened this issue Nov 18, 2020 · 9 comments
Comments

@DennisClark (Member)

We need to specify a license for vulnerablecode Data. Workable candidates include:

cdla-permissive-1.0
https://cdla.io/permissive-1-0/
https://spdx.org/licenses/CDLA-Permissive-1.0.html

and

cc-by-4.0
http://creativecommons.org/licenses/by/4.0/legalcode
https://spdx.org/licenses/CC-BY-4.0.html

Both licenses are also in the scancode list.

@DennisClark (Member Author)

@pombredanne Regarding the overly complex aspect of the cdla-permissive-1.0 license text that you were concerned about, I did a quick comparison between the texts of it and cc-by-4.0, and discovered that the amount of text in cdla-permissive-1.0 is roughly 60% of the amount of text in cc-by-4.0. So maybe one is still easier to read and understand than the other, but cc-by-4.0 is definitely way more verbose.

As before, I see it as a coin toss, and if you still prefer cc-by-4.0, that's ok with me.

@DennisClark (Member Author)

DennisClark commented Nov 19, 2020

@pombredanne I did find, I think, a substantive difference between the two licenses. cc-by-4.0 contains the following statement:

1 Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:

whereas the other license has

3.2. You may provide additional or different license terms and conditions for use, reproduction, or distribution of that Enhanced Data, or for any combination of Data and Enhanced Data as a whole, provided that Your Use and Publication of that combined Data otherwise complies with the conditions stated in this License.

This tells me that if we want to prevent any sublicensing (and I'm not at all sure if we do, and have no opinion on that) then we might want to use cc-by-4.0; otherwise, the cdla-permissive-1.0 is less restricted and more "free", with the main emphasis being on attribution.

@pombredanne (Member)

@DennisClark Thank you ++

Some extra considerations as we are integrating other data:

So our license would be IMHO for:

  • the overall collection
  • the additions and updates we are doing

@pombredanne (Member)

Here is what I think makes the most sense:

  1. overall data (including any future curations) is licensed CC-BY-4.0 ... this is AFAIK compatible with the licenses of all supported datasources (and several use this license)
  2. we track each data source's license

@pombredanne pombredanne added the documentation Everything about documentation label Jan 24, 2022
@pombredanne pombredanne changed the title Specify a license for vulnerablecode Data RFC: Specify a license for vulnerablecode Data Jan 29, 2022
@pombredanne (Member)

pombredanne commented Jan 29, 2022

Old notice is:

# Copyright (c) nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnerableCode software is licensed under the Apache License version 2.0.
# Data generated with VulnerableCode require an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
# derivative work, you must accompany this data with the following acknowledgment:
#
#  Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
#  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
#  VulnerableCode should be considered or used as legal advice. Consult an Attorney
#  for any legal advice.
#  VulnerableCode is a free software code scanning tool from nexB Inc. and others.
#  Visit https://github.com/nexB/vulnerablecode/ for support and download.

Here is the proposed new notice with the CC-BY-4.0 license:

Copyright (c) nexB Inc. and others. All rights reserved.
VulnerableCode is a trademark of nexB Inc.

SPDX-License-Identifier: Apache-2.0 AND CC-BY-4.0

VulnerableCode software is licensed under the Apache License version 2.0.
VulnerableCode data is licensed collectively under CC-BY-4.0.

See https://www.apache.org/licenses/LICENSE-2.0 for the Apache-2.0 license text.
See https://creativecommons.org/licenses/by/4.0/legalcode for the CC-BY-4.0 license text.

See https://github.com/nexB/vulnerablecode for support or download.
See https://aboutcode.org for more information about nexB OSS projects.

@pombredanne pombredanne added this to the v30.0 milestone Feb 2, 2022
@pombredanne (Member)

Actually, since we have data that is CC-BY-SA, the minimal shared common denominator for the data is going to be CC-BY-SA and not CC-BY.

@pombredanne (Member)

For background, Alpine, gentoo, victims, Alma and vulncode among others are using the CC-BY-SA license for their data.

So I am going to apply this to the code:

#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/nexB/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#

And have this in the top level notice:

#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0
# VulnerableCode software is licensed under the Apache License version 2.0.
# VulnerableCode data is licensed collectively under CC-BY-SA-4.0.
# See https://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.
# 
# See https://github.com/nexB/vulnerablecode for support or download. 
# See https://aboutcode.org for more information about nexB OSS projects.
#

And this in the UI:

VulnerableCode is free software by nexB Inc. and others.
The source code is licensed under Apache 2.0. The data is licensed under CC-BY-SA-4.0.

pombredanne added a commit that referenced this issue Jun 17, 2022
Signed-off-by: Philippe Ombredanne <[email protected]>
pombredanne added a commit that referenced this issue Jun 17, 2022
Signed-off-by: Philippe Ombredanne <[email protected]>
pombredanne added a commit that referenced this issue Jun 17, 2022
Signed-off-by: Philippe Ombredanne <[email protected]>
pombredanne added a commit that referenced this issue Jun 17, 2022
This is the combined Apache and CC-BY-SA notice

Signed-off-by: Philippe Ombredanne <[email protected]>
@pombredanne (Member)

This has been merged.
