Hi Olle,

sure. What some people are doing is to list the common licence (e.g., GPLv2 or 
later) prominently like in the help output etc., and then provide a pointer to 
a file that includes all the details, like the Debian copyright file discussed 
earlier. This is the description about that information, it's machine-readable 
(I was not aware of that): 
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Cheers,

Henning

-----Original Message-----
From: Olle E. Johansson <o...@edvina.net> 
Sent: Thursday, 30 March 2023 13:19
To: Henning Westerholt <h...@gilawa.com>
Cc: Kamailio (SER) - Development Mailing List <sr-dev@lists.kamailio.org>
Subject: Re: [sr-dev] Debian SBOM for kamailio



> On 30 Mar 2023, at 12:51, Henning Westerholt <h...@gilawa.com> wrote:
> 
> Hi Olle,
> 
> a compiler does not magically change the licence just by processing the 
> source code and producing binary code.
> That would be an easy solution to many licencing issues. 😉
No, but when it combines a lot of source code and some of it is GPL, then the 
output is affected. That’s when the stickiness of the GPL license applies and 
the combined software - including modules - all run under the GPL license 
regardless of what license the source code as text had.

The copyright remains exactly the same though.
> 
> It's like e.g., a translation of a book. You cannot claim that you own the 
> copyright of a book by simply translating it.
I do understand that. I do not understand why you’re adding that example in this 
discussion though. You’re mixing copyright and the license to use the 
copyrighted work.

/O
> 
> Cheers,
> 
> Henning
> 
> 
> -----Original Message-----
> From: Olle E. Johansson <o...@edvina.net>
> Sent: Thursday, 30 March 2023 11:11
> To: Henning Westerholt <h...@gilawa.com>
> Cc: Kamailio (SER) - Development Mailing List 
> <sr-dev@lists.kamailio.org>
> Subject: Re: [sr-dev] Debian SBOM for kamailio
> 
> 
> 
>> On 30 Mar 2023, at 11:00, Henning Westerholt <h...@gilawa.com> wrote:
>> 
>> Hello Olle,
>> 
>> IMHO the Debian way is correct. This is also the way companies are doing it, 
>> some examples:
>> https://www.mbvans.com/en/legal-notices/foss-disclosure
>> https://oss.bosch-cm.com/gm.html (click on one of the links for the 
>> licence terms for a huge PDF)
> I would say for a -sources package this is correct, but I don’t really agree 
> that it’s correct for the binary package.
> 
>> 
>> The only way to "fix" this would be to rewrite the respective parts of the 
>> code and then put it under another licence, or ask the original author(s) 
>> for permission to re-licence. 
> 
>> 
>> You cannot distribute Kamailio under BSD licence, as many of its parts are 
>> GPLv2 or later, as clearly indicated in the first section of the copyright 
>> file. 
> I know, but reading the output can confuse people that we have a 
> multi-license distribution of Kamailio, which we clearly have not.
> 
> /O
>> 
>> Cheers,
>> 
>> Henning
>> 
>> -----Original Message-----
>> From: Olle E. Johansson <o...@edvina.net>
>> Sent: Thursday, 30 March 2023 10:45
>> To: Kamailio (SER) - Development Mailing List 
>> <sr-dev@lists.kamailio.org>
>> Subject: [sr-dev] Re: Debian SBOM for kamailio
>> 
>> 
>> 
>>> On 29 Mar 2023, at 16:48, Victor Seva <linuxman...@torreviejawireless.org> 
>>> wrote:
>>> 
>>> Hi!
>>> 
>>> On 28/3/23 16:36, Olle E. Johansson wrote:
>>>> Hi!
>>>> Using the “syft” tool from Anchore I created an SBOM for a server with 
>>>> Kamailio installed from Debian.
>>>> The result is quite interesting. Some notes:
>>>> - For each component (debian package) a list of licenses is made.
>>>> - The CPEs - filters for matching with NVD - are based on the 
>>>> debian package names, which is incorrect. I will try with a newer system, 
>>>> like Debian Bullseye.
>>>> My question is if we can fix this somehow by modifying meta data in our 
>>>> packages.
>>> the information of licenses in packaging is at debian/copyright [0]
>>> 
>>> [0]
>>> https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/copyright
>>> 
>> Ok, so that’s where it came from. The thing is that as you create a package 
>> of Kamailio, in my view it’s distributed under GPL v2, regardless of the 
>> license of the source file.
>> 
>> Should we really list all those licenses in the package, as it seems strange 
>> for a software package to have multiple licenses? It’s not that users can 
>> select which license they use Kamailio under.
>> 
>> I think this is more confusing and as these kinds of tools become more 
>> used, the confusion will be even bigger. Suddenly we have someone 
>> distributing Kamailio under BSD license since they believed they had a 
>> choice…
>> 
>> /O
> 
