Hi all,

On 5.02.2025 14:11, Piotr P. Karwasz wrote:
> On 5.02.2025 13:47, Jarek Potiuk wrote:
>> But VEX is a different thing. At some point of time VEX might be expected
>> as what "regulators" want. And it will become much more "official" then.
>> And .... Do we actually have a licence for the VEX we publish? Is it
>> published under the ASF 2.0 and do we have proper protection there? I
>> seriously doubt either of the two statements is true:
>>
>> a) I think we do not have any way to put any licence attached to VEX we
>> publish - until we have some ways that we can attach a licence they are
>> published "as is"
>> b) I think Apache 2.0 licence does not cover responsibility for 3rd-party
>> vulnerabilities that we might assume by publishing VEX

> At least in CycloneDX, there is an option for that[1]. The `$.metadata.licenses` element is described as:
>
>     The license information for the BOM document.
>     This may be different from the license(s) of the component(s) that the BOM describes.
>
> So the question is: what license should we put here?

Thank you for helping me better classify the problem. I have opened:

https://issues.apache.org/jira/browse/LEGAL-698

to ask LEGAL about the best license for CycloneDX documents.

Piotr
