Hi Jarek,
On 5.02.2025 13:47, Jarek Potiuk wrote:
> But VEX is a different thing. At some point in time VEX might be expected
> as what "regulators" want. And it will become much more "official" then.
> And .... Do we actually have a licence for the VEX we publish? Is it
> published under the ASF 2.0 and do we have proper protection there? I
> seriously doubt either of the two statements is true:
> a) I think we do not have any way to put any licence attached to the VEX we
> publish - until we have some way to attach a licence, they are
> published "as is"
> b) I think the Apache 2.0 licence does not cover responsibility for 3rd-party
> vulnerabilities that we might assume by publishing VEX
At least in CycloneDX, there is an option for that [1]. The
`$.metadata.licenses` element is described as:

    The license information for the BOM document.
    This may be different from the license(s) of the component(s) that
    the BOM describes.
So the question is: what license should we put here?
Piotr
[1] https://cyclonedx.org/docs/1.6/json/#metadata_licenses
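The distinction Piotr points at, a licence for the VEX document itself in `$.metadata.licenses` versus the licences of the components it describes, as an added example that is not part of the thread and not the project's own tooling. It builds a minimal CycloneDX 1.6 VEX document in Python and reads the two licence sets back separately; the vulnerability id "EXAMPLE-0001", the package URL, the component name and the licence ids are constructed placeholders, not real data.

```python
"""Added example (not from the original thread): a minimal CycloneDX 1.6 VEX
document carrying a licence for the document itself in $.metadata.licenses,
kept separate from the licences of the components it describes.

Constructed placeholders (assumptions, not real data): the vulnerability id
"EXAMPLE-0001", the purl "pkg:pypi/example-package@1.0.0", the component
name and the licence ids passed in by the caller.
"""
import json
from datetime import datetime, timezone


def build_vex(document_license_id: str, component_license_id: str) -> dict:
    """Return a minimal CycloneDX 1.6 VEX document as a dict.

    $.metadata.licenses is the licence of the BOM/VEX document itself;
    a component's own licence lives under $.components[].licenses.
    """
    component_ref = "pkg:pypi/example-package@1.0.0"  # constructed placeholder
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            # Licence of this document (the element the thread discusses).
            "licenses": [{"license": {"id": document_license_id}}],
        },
        "components": [
            {
                "type": "library",
                "name": "example-package",  # constructed placeholder
                "version": "1.0.0",
                "bom-ref": component_ref,
                "purl": component_ref,
                # Licence of the component, independent of the document licence.
                "licenses": [{"license": {"id": component_license_id}}],
            }
        ],
        "vulnerabilities": [
            {
                "id": "EXAMPLE-0001",  # constructed placeholder, not a real advisory id
                "affects": [{"ref": component_ref}],
                # The analysis block is the VEX statement proper.
                "analysis": {
                    "state": "not_affected",
                    "justification": "code_not_reachable",
                    "detail": "Constructed example statement.",
                },
            }
        ],
    }


def _ids(entries: list) -> list[str]:
    """Collect SPDX ids from a CycloneDX licenseChoice array; skips
    expression-form entries, which carry no single id."""
    return [e["license"]["id"] for e in entries
            if "license" in e and "id" in e["license"]]


def document_license_ids(bom: dict) -> list[str]:
    """SPDX ids declared for the document itself ($.metadata.licenses)."""
    return _ids(bom.get("metadata", {}).get("licenses", []))


def component_license_ids(bom: dict) -> list[str]:
    """SPDX ids declared on the components the document describes."""
    ids: list[str] = []
    for comp in bom.get("components", []):
        ids.extend(_ids(comp.get("licenses", [])))
    return ids


def is_vex(bom: dict) -> bool:
    """True if the document has vulnerabilities and each carries an analysis state."""
    vulns = bom.get("vulnerabilities", [])
    return bool(vulns) and all("state" in v.get("analysis", {}) for v in vulns)


if __name__ == "__main__":
    vex = build_vex("Apache-2.0", "MIT")
    print(json.dumps(vex, indent=2))
    print("document licence:", document_license_ids(vex))
    print("component licences:", component_license_ids(vex))
```

Whatever licence the project settles on for its VEX documents, it is set once per document in `metadata.licenses`; the component entries keep their own licences, so the two never need to agree.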