
List:       openser-devel
Subject:    [sr-dev] Re: Debian SBOM for kamailio
From:       Henning Westerholt <hw () gilawa ! com>
Date:       2023-03-30 14:39:58
Message-ID: DB7PR07MB3882BCA6F4A9C24854A020C7BF8E9 () DB7PR07MB3882 ! eurprd07 ! prod ! outlook ! com

Hi Olle,

sure. What some people are doing is to list the common licence (e.g., GPLv2 or later) prominently, like in the help output etc., and then provide a pointer to a file that includes all the details, like the Debian copyright file discussed earlier. This is the description of that information; it's machine readable (I was not aware of that): https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Cheers,

Henning
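As an added illustration (not code from the thread or from the Kamailio project) of the machine-readable copyright format linked above: a small parser for a DEP-5 style debian/copyright file, which contrasts the per-file licence list an SBOM scanner would report with the single licence the combined package is distributed under, following the argument made in the thread. The file contents are constructed for the example and are not Kamailio's real copyright file.

```python
"""Parse a Debian copyright-format/1.0 (DEP-5) file and contrast the
per-file licence list with the licence of the combined package."""
import re

# Constructed sample in the shape of a debian/copyright file (not a real one).
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example-sip-proxy

Files: *
Copyright: 2001-2023 Example Project Authors
License: GPL-2+

Files: src/lib/third-party/*
Copyright: 2010 Example Contributor
License: BSD-3-clause

License: GPL-2+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2 or later.
"""

def parse_dep5(text):
    """Split a DEP-5 file into stanzas (dicts), folding continuation lines."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # a blank line ends the stanza
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t" and last_key:  # continuation of previous field
            current[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def file_licences(stanzas):
    """Map each Files pattern to the licence short name declared for it."""
    return {s["Files"]: s["License"].splitlines()[0]
            for s in stanzas if "Files" in s}

def licence_names(stanzas):
    """The flat set of licence names a per-file scan would list for the package."""
    names = set()
    for expr in file_licences(stanzas).values():
        names.update(re.split(r"\s+(?:and|or)\s+", expr))
    return sorted(names)

def effective_licence(names):
    """The thread's argument: if any part is GPL, the combined binary is
    distributed under the GPL, not under a menu of licences; None otherwise."""
    gpl = [n for n in names if n.startswith("GPL")]
    return gpl[0] if gpl else None
```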

-----Original Message-----
From: Olle E. Johansson <oej@edvina.net> 
Sent: Donnerstag, 30. März 2023 13:19
To: Henning Westerholt <hw@gilawa.com>
Cc: Kamailio (SER) - Development Mailing List <sr-dev@lists.kamailio.org>
Subject: Re: [sr-dev] Debian SBOM for kamailio



> On 30 Mar 2023, at 12:51, Henning Westerholt <hw@gilawa.com> wrote:
> 
> Hi Olle,
> 
> a compiler does not magically change the licence just by processing the source code and producing binary code. That would be an easy solution to many licencing issues. 😉
No, but when it combines a lot of source code and some of it is GPL, then the output is affected. That's when the stickiness of the GPL license applies and the combined software - including modules - all runs under the GPL license regardless of what license the source code as text had.

The copyright remains exactly the same though.
> 
> It's like e.g., a translation of a book. You cannot claim that you own the copyright of a book by simply translating it.
I do understand that. I do not understand why you're adding that example in this discussion though. You're mixing copyright and the license to use the copyrighted work.

/O
> 
> Cheers,
> 
> Henning
> 
> 
> -----Original Message-----
> From: Olle E. Johansson <oej@edvina.net>
> Sent: Donnerstag, 30. März 2023 11:11
> To: Henning Westerholt <hw@gilawa.com>
> Cc: Kamailio (SER) - Development Mailing List <sr-dev@lists.kamailio.org>
> Subject: Re: [sr-dev] Debian SBOM for kamailio
> 
> 
> 
> > On 30 Mar 2023, at 11:00, Henning Westerholt <hw@gilawa.com> wrote:
> > 
> > Hello Olle,
> > 
> > IMHO the Debian way is correct. This is also the way companies are doing it, some examples: https://www.mbvans.com/en/legal-notices/foss-disclosure
> > https://oss.bosch-cm.com/gm.html (click on one of the links for the licence terms for a huge PDF)
> I would say for a -sources package this is correct, but I don't really agree that it's correct for the binary package.
> > 
> > The only way to "fix" this would be to rewrite the respective parts of the code and then put it under another licence, or ask the original author(s) for permission to re-licence.
> 
> > 
> > You cannot distribute Kamailio under BSD licence, as many of its parts are GPLv2 or later, as clearly indicated in the first section of the copyright file.
> I know, but reading the output can confuse people into thinking that we have a multi-license distribution of Kamailio, which we clearly have not.
> /O
> > 
> > Cheers,
> > 
> > Henning
> > 
> > -----Original Message-----
> > From: Olle E. Johansson <oej@edvina.net>
> > Sent: Donnerstag, 30. März 2023 10:45
> > To: Kamailio (SER) - Development Mailing List <sr-dev@lists.kamailio.org>
> > Subject: [sr-dev] Re: Debian SBOM for kamailio
> > 
> > 
> > 
> > > On 29 Mar 2023, at 16:48, Victor Seva <linuxmaniac@torreviejawireless.org> wrote:
> > > Signed PGP part
> > > Hi!
> > > 
> > > On 28/3/23 16:36, Olle E. Johansson wrote:
> > > > Hi!
> > > > Using the "syft" tool from Anchore I created an SBOM for a server with Kamailio installed from Debian. The result is quite interesting. Some notes:
> > > > - For each component (Debian package) a list of licenses is made.
> > > > - The CPEs - filters for matching with NVD - are based on the Debian package names, which is incorrect. I will try with a newer system, like Debian Bullseye. My question is if we can fix this somehow by modifying metadata in our packages.
> > > The information on licenses in packaging is at debian/copyright [0]
> > > 
> > > [0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/copyright
> > > 
> > Ok, so that's where it came from. The thing is that as you create a package of Kamailio, in my view it's distributed under GPL v2, regardless of the license of the source file.
> > Should we really list all those licenses in the package, as it seems strange for a software package to have multiple licenses? It's not that users can select which license they use Kamailio under.
> > I think this is more confusing, and as these kinds of tools become more used, the confusion will be even bigger. Suddenly we have someone distributing Kamailio under BSD license since they believed they had a choice…
> > 
> > /O
> 

_______________________________________________
Kamailio (SER) - Development Mailing List
To unsubscribe send an email to sr-dev-leave@lists.kamailio.org


