> On 30 Mar 2023, at 11:00, Henning Westerholt <[email protected]> wrote:
>
> Hello Olle,
>
> IMHO the Debian way is correct. This is also the way companies are doing it,
> some examples:
> https://www.mbvans.com/en/legal-notices/foss-disclosure
> https://oss.bosch-cm.com/gm.html (click at one of the links for the licence
> terms for a huge PDF)

I would say for a -sources package this is correct, but I don’t really agree that it’s correct for the binary package.

> The only way to "fix" this would be to rewrite the respective parts of the
> code and then put it under another licence, or ask the original author(s) for
> permission to re-licence.
>
> You cannot distribute Kamailio under BSD licence, as many of its parts are
> GPLv2 or later, as clearly indicated in the first section of the copyright
> file.

I know, but reading the output can confuse people that we have a multi-license distribution of Kamailio, which we clearly have not.

/O

> Cheers,
>
> Henning
>
> -----Original Message-----
> From: Olle E. Johansson <[email protected]>
> Sent: Thursday, 30 March 2023 10:45
> To: Kamailio (SER) - Development Mailing List <[email protected]>
> Subject: [sr-dev] Re: Debian SBOM for kamailio
>
>
>
>> On 29 Mar 2023, at 16:48, Victor Seva <[email protected]>
>> wrote:
>>
>> Signed PGP part
>> Hi!
>>
>> On 28/3/23 16:36, Olle E. Johansson wrote:
>>> Hi!
>>> Using the “syft” tool from Anchore I created an SBOM for a server with
>>> Kamailio installed from Debian.
>>> The result is quite interesting. Some notes:
>>> - For each component (debian package) a list of licenses is made.
>>> - The CPEs - filters for matching with NVD - are based on the debian
>>> package names, which is incorrect
>>> I will try with a newer system, like Debian Bullseye.
>>> My question is if we can fix this somehow by modifying meta data in our
>>> packages.
>> the information of licenses in packaging is at debian/copyright [0]
>>
>> [0]
>> https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/copyright
>>
> Ok, so that’s where it came from. The thing is that as you create a package
> of Kamailio, in my view it’s distributed under GPL v2, regardless of the
> license of the source file.
>
> Should we really list all those licenses in the package as it seems strange
> for a software package to have multiple licenses. It’s not that users can
> select which license they use Kamailio under.
>
> I think this is more confusing and as these kinds of tools become more used,
> the confusion will be even bigger. Suddenly we have someone distributing
> Kamailio under BSD license since they believed they had a choice…
>
> /O

_______________________________________________
Kamailio (SER) - Development Mailing List
To unsubscribe send an email to [email protected]
