On 30 Mar 2023, at 11:00, Henning Westerholt hw@gilawa.com wrote:
Hello Olle,
IMHO the Debian way is correct. This is also the way companies are doing it, some examples: https://www.mbvans.com/en/legal-notices/foss-disclosure https://oss.bosch-cm.com/gm.html (click at one of the links for the licence terms for a huge PDF)
I would say for a -sources package this is correct, but I don’t really agree that it’s correct for the binary package.
The only way to "fix" this would be to rewrite the respective parts of the code and then put it under another licence, or ask the original author(s) for permission to re-licence.
You cannot distribute Kamailio under BSD licence, as many of its parts are GPLv2 or later, as clearly indicated in the first section of the copyright file.
I know, but reading the output can confuse people that we have a multi-license distribution of Kamailio, which we clearly have not.
/O
Cheers,
Henning
-----Original Message----- From: Olle E. Johansson oej@edvina.net Sent: Donnerstag, 30. März 2023 10:45 To: Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org Subject: [sr-dev] Re: Debian SBOM for kamailio
On 29 Mar 2023, at 16:48, Victor Seva linuxmaniac@torreviejawireless.org wrote:
Signed PGP part Hi!
On 28/3/23 16:36, Olle E. Johansson wrote:
Hi! Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio installed from Debian. The result is quite interesting. Some notes:
- For each component (debian package) a list of licenses are made.
- The CPEs - filters for matching with NVD - are based on the debian
package names, which is incorrect I will try with a newer system, like Debian Bullseye. My question is if we can fix this somehow by modifying meta data in our packages.
the information of licenses in packaging is at debian/copyright [0]
[0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debi an/copyright
Ok, so that’s where it came from. The thing is that as you create a package of Kamailiio, in my view it’s distributed under GPL v2, regardless of the license of the source file.
Should we really list all those license in the package as it seems strange for a software package to have multiple licenses. It’s not that users can select which license they use Kamailio under.
I think this is more confusing and as these kind of tools become more used, the confusion will be even bigger. Suddenly we have someone distributing Kamailio under BSD license since they belived they had a choice…
/O