Hi Olle,

a compiler does not magically change the licence just by processing the source code and producing binary code. That would be an easy solution to many licensing issues.
It's like e.g., a translation of a book. You cannot claim that you own the copyright of a book by simply translating it.

Cheers,

Henning

-----Original Message-----
From: Olle E. Johansson <[email protected]>
Sent: Thursday, 30 March 2023 11:11
To: Henning Westerholt <[email protected]>
Cc: Kamailio (SER) - Development Mailing List <[email protected]>
Subject: Re: [sr-dev] Debian SBOM for kamailio

> On 30 Mar 2023, at 11:00, Henning Westerholt <[email protected]> wrote:
>
> Hello Olle,
>
> IMHO the Debian way is correct. This is also the way companies are doing it, some examples:
> https://www.mbvans.com/en/legal-notices/foss-disclosure
> https://oss.bosch-cm.com/gm.html (click at one of the links for the licence terms for a huge PDF)

I would say for a -sources package this is correct, but I don't really agree that it's correct for the binary package.

>
> The only way to "fix" this would be to rewrite the respective parts of the code and then put it under another licence, or ask the original author(s) for permission to re-licence.
>
> You cannot distribute Kamailio under BSD licence, as many of its parts are GPLv2 or later, as clearly indicated in the first section of the copyright file.

I know, but reading the output can confuse people that we have a multi-license distribution of Kamailio, which we clearly have not.

/O

>
> Cheers,
>
> Henning
>
> -----Original Message-----
> From: Olle E. Johansson <[email protected]>
> Sent: Thursday, 30 March 2023 10:45
> To: Kamailio (SER) - Development Mailing List <[email protected]>
> Subject: [sr-dev] Re: Debian SBOM for kamailio
>
>> On 29 Mar 2023, at 16:48, Victor Seva <[email protected]> wrote:
>>
>> Signed PGP part
>> Hi!
>>
>> On 28/3/23 16:36, Olle E. Johansson wrote:
>>> Hi!
>>> Using the "syft" tool from Anchore I created an SBOM for a server with Kamailio installed from Debian.
>>> The result is quite interesting.
>>> Some notes:
>>> - For each component (debian package) a list of licenses is made.
>>> - The CPEs - filters for matching with NVD - are based on the debian package names, which is incorrect
>>> I will try with a newer system, like Debian Bullseye.
>>> My question is if we can fix this somehow by modifying meta data in our packages.
>> the information of licenses in packaging is at debian/copyright [0]
>>
>> [0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/copyright
>>
> Ok, so that's where it came from. The thing is that as you create a package of Kamailio, in my view it's distributed under GPL v2, regardless of the license of the source file.
>
> Should we really list all those licenses in the package as it seems strange for a software package to have multiple licenses. It's not that users can select which license they use Kamailio under.
>
> I think this is more confusing and as these kinds of tools become more used, the confusion will be even bigger. Suddenly we have someone distributing Kamailio under BSD license since they believed they had a choice…
>
> /O

_______________________________________________
Kamailio (SER) - Development Mailing List
To unsubscribe send an email to [email protected]
