On 29 Mar 2023, at 16:48, Victor Seva <linuxmaniac(a)torreviejawireless.org> wrote:
> Hi!
>
> On 28/3/23 16:36, Olle E. Johansson wrote:
>> Hi!
>>
>> Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio installed from Debian.
>>
>> The result is quite interesting. Some notes:
>>
>> - For each component (Debian package) a list of licenses is made.
>> - The CPEs - filters for matching with NVD - are based on the Debian package names, which is incorrect.
>>
>> I will try with a newer system, like Debian Bullseye.
>>
>> My question is if we can fix this somehow by modifying metadata in our packages.
>
> The information on licenses in packaging is at debian/copyright [0].
>
> [0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/co…
Ok, so that’s where it came from. The thing is that as you create a package of Kamailio, in my view it’s distributed under GPL v2, regardless of the license of the source file.

Should we really list all those licenses in the package? It seems strange for a software package to have multiple licenses. It’s not that users can select which license they use Kamailio under.

I think this is more confusing, and as these kinds of tools become more used, the confusion will be even bigger. Suddenly we have someone distributing Kamailio under the BSD license since they believed they had a choice…

/O
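The two observations in the thread (CPEs derived from Debian binary package names, and components carrying every license found in debian/copyright) are exactly the kind of thing worth checking automatically before an SBOM is handed to a vulnerability scanner. The script below is an added example, not part of the thread and not syft or Kamailio project code. It audits a constructed CycloneDX-style SBOM fragment for both problems: it parses each CPE 2.3 string, compares its vendor/product with an assumed package-to-upstream mapping (`UPSTREAM_OF`, constructed here; a real audit would build it from the source package field or a curated table), and flags components that list more than one license. The sample components, versions and CPE strings are made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM fragment (example data, not real syft output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "kamailio",
            "version": "5.5.4-1",
            "cpe": "cpe:2.3:a:kamailio:kamailio:5.5.4-1:*:*:*:*:*:*:*",
            # All licenses from debian/copyright copied onto one package.
            "licenses": [
                {"license": {"id": "GPL-2.0-or-later"}},
                {"license": {"id": "BSD-3-Clause"}},
                {"license": {"id": "MIT"}},
            ],
        },
        {
            "type": "library",
            "name": "kamailio-mysql-modules",
            "version": "5.5.4-1",
            # CPE built from the binary package name: NVD will never match it.
            "cpe": "cpe:2.3:a:kamailio-mysql-modules:kamailio-mysql-modules:5.5.4-1:*:*:*:*:*:*:*",
            "licenses": [{"license": {"id": "GPL-2.0-or-later"}}],
        },
        {
            "type": "library",
            "name": "libssl1.1",
            "version": "1.1.1n-0+deb11u4",
            "cpe": "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1n-0+deb11u4:*:*:*:*:*:*:*",
            "licenses": [{"license": {"name": "OpenSSL"}}],
        },
    ],
})

# Assumed mapping from Debian binary package name to the upstream project name
# used as vendor/product in NVD CPEs. Constructed for this example.
UPSTREAM_OF = {
    "kamailio": "kamailio",
    "kamailio-mysql-modules": "kamailio",
    "libssl1.1": "openssl",
}


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its named fields.
    Returns None when the string does not have the expected 13 colon-separated fields."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        return None
    return {"part": fields[2], "vendor": fields[3], "product": fields[4], "version": fields[5]}


def suggested_cpe(upstream, version):
    """Build a CPE whose vendor and product are the upstream project name.
    The Debian version string is kept as-is; aligning it with NVD versions is a separate step."""
    return f"cpe:2.3:a:{upstream}:{upstream}:{version}:*:*:*:*:*:*:*"


def license_ids(component):
    """Collect SPDX ids (or free-text names) from a CycloneDX component's licenses list."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "unknown")
    return ids


def audit_sbom(sbom_text, upstream_of):
    """Return findings for CPEs that were derived from package names rather than
    the upstream project, and for components that carry several licenses."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp["name"], comp.get("version", "")
        upstream = upstream_of.get(name)
        cpe = parse_cpe23(comp.get("cpe", ""))
        if cpe is None:
            findings.append({"package": name, "kind": "missing-or-malformed-cpe"})
        elif upstream is None:
            findings.append({"package": name, "kind": "unknown-upstream"})
        elif cpe["vendor"] != upstream or cpe["product"] != upstream:
            findings.append({"package": name, "kind": "cpe-from-package-name",
                             "found": comp["cpe"],
                             "suggested": suggested_cpe(upstream, version)})
        ids = license_ids(comp)
        if len(ids) > 1:
            findings.append({"package": name, "kind": "multiple-licenses", "licenses": ids})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM, UPSTREAM_OF):
        print(finding)
```

On the sample data the audit reports two CPEs built from binary package names (with a suggested upstream-based CPE for each) and one component listing three licenses, which is the situation the thread describes: the scanner can only match NVD entries if the CPE names the upstream project, and a package-level SBOM entry is better served by the license the package is actually distributed under than by the per-file list from debian/copyright.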