Cool. Let's see where it gets us :) On Wed, Feb 5, 2025 at 2:58 PM Piotr P. Karwasz <[email protected]> wrote:
> Hi all,
>
> On 5.02.2025 14:11, Piotr P. Karwasz wrote:
> > On 5.02.2025 13:47, Jarek Potiuk wrote:
> >> But VEX is a different thing. At some point of time VEX might be
> >> expected as what "regulators" want. And it will become much more
> >> "official" then.
> >> And .... Do we actually have a licence for the VEX we publish? Is it
> >> published under the ASF 2.0 and do we have proper protection there? I
> >> seriously doubt either of the two statements are true:
> >>
> >> a) I think we do not have any way to put any licence attached to VEX we
> >> publish - until we have some ways that we can attach a licence they are
> >> published "as is"
> >> b) I think Apache 2.0 licence does not cover responsibility for
> >> 3rd-party vulnerabilities that we might assume by publishing VEX
> >
> > At least in CycloneDX, there is an option for that[1]. The
> > `$.metadata.licenses` element is described as:
> >
> > The license information for the BOM document.
> > This may be different from the license(s) of the component(s) that
> > the BOM describes.
> >
> > So the question is: what license should we put here?
>
> Thank you for helping me better classify the problem. I have opened:
>
> https://issues.apache.org/jira/browse/LEGAL-698
>
> to ask LEGAL about the best license for CycloneDX documents.
>
> Piotr
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
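The `$.metadata.licenses` element discussed in the quoted message is a CycloneDX "license choice" array, the same shape used for per-component licenses. The script below is an added example, not code from this thread or from any ASF project: it parses a small CycloneDX JSON document and reports whether the document itself declares a license and whether that license differs from the licenses of the components it describes, which is the distinction the spec text makes. The sample BOM, its component names and its license identifiers are constructed for the example and do not describe a real project.

```python
"""Added example: reading the document-level license of a CycloneDX JSON
BOM/VEX and comparing it with the licenses of the described components.

CycloneDX's `$.metadata.licenses` is a list of "license choice" objects, each
either {"license": {"id": ...}} / {"license": {"name": ...}} or
{"expression": "<SPDX expression>"}. The sample document below is constructed
for this example; the license ids and component names are placeholders.
"""
from __future__ import annotations

import json

# Constructed sample: a minimal CycloneDX 1.5 document whose own license
# (CC0-1.0) differs from the licenses of the components it describes.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "timestamp": "2025-02-05T13:00:00Z",
    "licenses": [
      {"license": {"id": "CC0-1.0"}}
    ],
    "component": {
      "type": "library",
      "name": "example-project",
      "version": "1.0.0",
      "licenses": [{"license": {"id": "Apache-2.0"}}]
    }
  },
  "components": [
    {
      "type": "library",
      "name": "third-party-lib",
      "version": "2.3.4",
      "licenses": [{"expression": "MIT OR GPL-2.0-only"}]
    }
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_BOM_JSON)


def license_choice_ids(choices: list | None) -> list[str]:
    """Flatten a CycloneDX licenseChoice array into SPDX ids, names or expressions."""
    out: list[str] = []
    for choice in choices or []:
        if "expression" in choice:
            out.append(choice["expression"])
        elif "license" in choice:
            lic = choice["license"]
            out.append(lic.get("id") or lic.get("name") or "<unnamed>")
    return out


def document_licenses(bom: dict) -> list[str]:
    """License(s) of the BOM document itself ($.metadata.licenses), if declared."""
    return license_choice_ids(bom.get("metadata", {}).get("licenses"))


def component_licenses(bom: dict) -> dict[str, list[str]]:
    """License(s) of each described component, keyed by name@version.
    The subject component under $.metadata.component is included."""
    result: dict[str, list[str]] = {}
    subject = bom.get("metadata", {}).get("component")
    comps = ([subject] if subject else []) + bom.get("components", [])
    for comp in comps:
        key = f"{comp.get('name')}@{comp.get('version')}"
        result[key] = license_choice_ids(comp.get("licenses"))
    return result


def check_document_license(bom: dict) -> dict:
    """Report whether the document declares its own license, and whether that
    license differs from the licenses of the components it describes."""
    doc = document_licenses(bom)
    comps = component_licenses(bom)
    all_component_licenses = {lic for lics in comps.values() for lic in lics}
    return {
        "has_document_license": bool(doc),
        "document_licenses": doc,
        "differs_from_components": bool(doc) and not set(doc) <= all_component_licenses,
        "component_licenses": comps,
    }


if __name__ == "__main__":
    print(json.dumps(check_document_license(load_sample()), indent=2))
```

A document with no `$.metadata.licenses` at all comes back with `has_document_license` false, which is the "published as is" situation the thread describes; the check makes that state visible before a VEX or SBOM is published rather than leaving it implicit.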
