I did some polling of the community and it seems like a CVE to indicate that a project is no longer supported would be appreciated and appropriate.
- https://twitter.com/jlleitschuh/status/1503422152028078082?s=21&t=K6iRHZ4asuBTyDf7JlQI4A
- https://www.linkedin.com/posts/jonathan-leitschuh-94553661_log4shell-security-software-activity-6911695338818969600-iRnU?utm_source=linkedin_share&utm_medium=ios_app

This could be done under "CWE-1104: Use of Unmaintained Third Party Components (4.6)"

Cheers,
Jonathan Leitschuh

On Sun, Apr 10, 2022 at 12:35 PM Mark Thomas <[email protected]> wrote:

> On 10/04/2022 17:08, Dirk-Willem van Gulik wrote:
> >
> > On 10 Apr 2022, at 18:02, Mark Thomas <[email protected]> wrote:
> >> On 07/04/2022 16:07, Dirk-Willem van Gulik wrote:
> >>
> >> <snip/>
> >>
> >>> And finally - that we offer a non-exclusive license to the name (but without the apache prefix), trademark and full provenance/code history; to any party that wants to take over; provided they abide by the Apache license.
> >>
> >> With my VP Brand hat on: -1
> >>
> >> There are various reasons why a project enters the attic. Whether to allow the name to be used is a decision that needs to be taken on a case by case basis. It isn't a situation where a general rule can be applied.
> >
> > Just to clarify/understand - you are also concerned about this from a brand perspective if the apache prefix (e.g. Apache FooBar) is removed as per the original proposal. So it is the ability to call it ‘FooBar’ ?
>
> Yes.
>
> > You would also be against licensing that (so it is not a transfer) on a non exclusive basis - perhaps with the insistence that they prefix it with something like; like ‘CivicFoundation FooBar’ ?
>
> Yes.
>
> I am against any general rule that says "We will always do XXX with the trademarks associated with a project that is moved to the attic.".
>
> This doesn't happen anywhere near often enough to expend the effort documenting a policy that covers a reasonable majority of the use cases.
>
> To date, the less than a handful of instances where this has happened have each been sufficiently different there is not sufficient data from which to extract some typical cases that we can address with a policy.
>
> I am happy to continue to look at requests on a case by case basis.
>
> >> <snip/>
> >>
> >>> With the option; e.g. after 1 or 2 years; for that new community to petition the board for the actual trademarks, domain names and what not.
> >>
> >> Again: -1
> >>
> >> We can't do this. At least not without an awful lot of expensive legal hoop jumping. Trademarks are an asset. As a US charity it is legally complex to transfer one of our assets to another entity.
> >
> > Right - but the expenses I am not too concerned about - they can be covered by the receiving party - in the rare cases that we’d want such an exclusive transfer as opposed to the non-exclusive just ‘license’ case above.
>
> That depends on whether the receiving entity can afford the associated costs. In the few instances where the project name has continued in some form outside of the ASF, it is highly unlikely the associated entity could have afforded the associated legal fees had a trademark transfer been an option.
>
> >> We have had situations like this in the past. My aim as VP Brand is always to try and do whatever is in the best interest of the project community whether that community wants its home to be at the ASF or outside it.
> >
> > Right - but the issue is that we’ve lost the (nexus) of the community at the ASF - and there is some group of people outside it that wants to continue & build a new one — perhaps with different governance.
>
> Yes, this has happened before and - where appropriate - we have figured out a way for the name to continue to be used outside of the ASF.
>
> > As it is the latter that may likely be needed in the sort of cases where the software has become too core to society - yet no longer of interest to volunteer maintainers labouring under ASF governance.
>
> That isn't an issue. Anyone can always fork an ASF project. Whether they can use the name will depend on the circumstances and is something that we will continue to look at on a case by case basis.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

--
Jonathan Leitschuh
OSS Security Researcher
Dan Kaminsky Fellowship @ Human Security
GitHub Star <https://stars.github.com/profiles/jlleitschuh/>
Twitter - JLLeitschuh <https://twitter.com/JLLeitschuh>
