Hi Olle,
sure. What some people are doing is to list the common licence (e.g., GPLv2 or later)
prominently like in the help output etc., and then provide a pointer to a file that
includes all the details, like the Debian copyright file discussed earlier. This is the
description about that information, it's machine-readable (I was not aware of that):
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Cheers,
Henning
-----Original Message-----
From: Olle E. Johansson <oej(a)edvina.net>
Sent: Thursday, 30 March 2023 13:19
To: Henning Westerholt <hw(a)gilawa.com>
Cc: Kamailio (SER) - Development Mailing List <sr-dev(a)lists.kamailio.org>
Subject: Re: [sr-dev] Debian SBOM for kamailio
On 30 Mar 2023, at 12:51, Henning Westerholt
<hw(a)gilawa.com> wrote:
Hi Olle,
a compiler does not magically change the licence just by processing the source code and
producing binary code.
That would be an easy solution to many licencing issues. 😉
No, but when it combines a lot of source code and some of it is GPL, then the output
is affected. That’s when the stickiness of the GPL license applies and the combined
software - including modules - all run under the GPL license regardless of what license
the source code as text had.
The copyright remains exactly the same though.
It's like e.g., a translation of a book. You cannot claim that you own the copyright of a
book by simply translating it.
I do understand that. I do not understand why you're adding that example in this
discussion though. You’re mixing copyright and the license to use the copyrighted work.
/O
Cheers,
Henning
-----Original Message-----
From: Olle E. Johansson <oej(a)edvina.net>
Sent: Thursday, 30 March 2023 11:11
To: Henning Westerholt <hw(a)gilawa.com>
Cc: Kamailio (SER) - Development Mailing List
<sr-dev(a)lists.kamailio.org>
Subject: Re: [sr-dev] Debian SBOM for kamailio
On 30 Mar 2023, at 11:00, Henning Westerholt
<hw(a)gilawa.com> wrote:
Hello Olle,
IMHO the Debian way is correct. This is also the way companies are doing it, some
examples:
https://www.mbvans.com/en/legal-notices/foss-disclosure
https://oss.bosch-cm.com/gm.html (click at one of the links for the
licence terms for a huge PDF)
I would say for a -sources package this is correct, but I don’t really agree that
it’s correct for the binary package.
The only way to "fix" this would be to rewrite the respective parts of the code
and then put it under another licence, or ask the original author(s) for permission to
re-licence.
You cannot distribute Kamailio under BSD licence, as many of its parts are GPLv2 or
later, as clearly indicated in the first section of the copyright file.
I know, but reading the output can confuse people that we have a multi-license
distribution of Kamailio, which we clearly have not.
/O
Cheers,
Henning
-----Original Message-----
From: Olle E. Johansson <oej(a)edvina.net>
Sent: Thursday, 30 March 2023 10:45
To: Kamailio (SER) - Development Mailing List
<sr-dev(a)lists.kamailio.org>
Subject: [sr-dev] Re: Debian SBOM for kamailio
On 29 Mar 2023, at 16:48, Victor Seva
<linuxmaniac(a)torreviejawireless.org> wrote:
Hi!
On 28/3/23 16:36, Olle E. Johansson wrote:
Hi!
Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio installed
from Debian.
The result is quite interesting. Some notes:
- For each component (debian package) a list of licenses is made.
- The CPEs - filters for matching with NVD - are based on the
debian package names, which is incorrect. I will try with a newer system, like Debian
Bullseye.
My question is if we can fix this somehow by modifying meta data in our packages.
the information of licenses in packaging is at debian/copyright [0]
[0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/copyright
Ok, so that’s where it came from. The thing is that as you create a package of
Kamailio, in my view it’s distributed under GPL v2, regardless of the license of the
source file.
Should we really list all those licenses in the package, as it seems strange for a software
package to have multiple licenses? It’s not that users can select which license they use
Kamailio under.
I think this is more confusing and as these kinds of tools become more
used, the confusion will be even bigger. Suddenly we have someone
distributing Kamailio under BSD license since they believed they had a
choice…
/O