On 29 Mar 2023, at 16:48, Victor Seva linuxmaniac@torreviejawireless.org wrote:
Signed PGP part Hi!
On 28/3/23 16:36, Olle E. Johansson wrote:
Hi! Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio installed from Debian. The result is quite interesting. Some notes:
- For each component (debian package) a list of licenses are made.
- The CPEs - filters for matching with NVD - are based on the debian package names, which is incorrect
I will try with a newer system, like Debian Bullseye. My question is if we can fix this somehow by modifying meta data in our packages.
the information of licenses in packaging is at debian/copyright [0]
[0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/cop...
Ok, so that’s where it came from. The thing is that as you create a package of Kamailiio, in my view it’s distributed under GPL v2, regardless of the license of the source file.
Should we really list all those license in the package as it seems strange for a software package to have multiple licenses. It’s not that users can select which license they use Kamailio under.
I think this is more confusing and as these kind of tools become more used, the confusion will be even bigger. Suddenly we have someone distributing Kamailio under BSD license since they belived they had a choice…
/O