Hi!
Using the “syft” tool from Anchore I created an SBOM for a server with Kamailio installed from Debian.
The result is quite interesting. Some notes:
- For each component (debian package) a list of licenses are made. - The CPEs - filters for matching with NVD - are based on the debian package names, which is incorrect
I will try with a newer system, like Debian Bullseye.
My question is if we can fix this somehow by modifying meta data in our packages.
Will have to check what syft is using, but this SBOM is not very useful….
Cheers, /O
Examples:
"cpe": "cpe:2.3:a:kamailio-extra-modules:kamailio-extra-modules:5.3.9\+bpo10:*:*:*:*:*:*:*",
"licenses": [ { "license": { "id": "Apache-1.0" } }, { "license": { "id": "BSD-2-Clause" } }, { "license": { "id": "BSD-3-Clause" } }, { "license": { "name": "Expat" } }, { "license": { "id": "GPL-2.0-only" } }, { "license": { "id": "GPL-2.0-or-later" } }, { "license": { "id": "GPL-2.0-or-later" } }, { "license": { "id": "ISC" } }, { "license": { "id": "MIT" } },
Hi!
On 28/3/23 16:36, Olle E. Johansson wrote:
the information of licenses in packaging is at debian/copyright [0]
[0] https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/cop...
Ok, so that’s where it came from. The thing is that as you create a package of Kamailiio, in my view it’s distributed under GPL v2, regardless of the license of the source file.
Should we really list all those license in the package as it seems strange for a software package to have multiple licenses. It’s not that users can select which license they use Kamailio under.
I think this is more confusing and as these kind of tools become more used, the confusion will be even bigger. Suddenly we have someone distributing Kamailio under BSD license since they belived they had a choice…
/O
Hello Olle,
IMHO the Debian way is correct. This is also the way companies are doing it, some examples: https://www.mbvans.com/en/legal-notices/foss-disclosure https://oss.bosch-cm.com/gm.html (click at one of the links for the licence terms for a huge PDF)
The only way to "fix" this would be to rewrite the respective parts of the code and then put it under another licence, or ask the original author(s) for permission to re-licence.
You cannot distribute Kamailio under BSD licence, as many of its parts are GPLv2 or later, as clearly indicated in the first section of the copyright file.
Cheers,
Henning
-----Original Message----- From: Olle E. Johansson oej@edvina.net Sent: Donnerstag, 30. März 2023 10:45 To: Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org Subject: [sr-dev] Re: Debian SBOM for kamailio
Ok, so that’s where it came from. The thing is that as you create a package of Kamailiio, in my view it’s distributed under GPL v2, regardless of the license of the source file.
Should we really list all those license in the package as it seems strange for a software package to have multiple licenses. It’s not that users can select which license they use Kamailio under.
I think this is more confusing and as these kind of tools become more used, the confusion will be even bigger. Suddenly we have someone distributing Kamailio under BSD license since they belived they had a choice…
/O
I would say for a -sources package this is correct, but I don’t really agree that it’s correct for the binary package.
The only way to "fix" this would be to rewrite the respective parts of the code and then put it under another licence, or ask the original author(s) for permission to re-licence.
You cannot distribute Kamailio under BSD licence, as many of its parts are GPLv2 or later, as clearly indicated in the first section of the copyright file.
I know, but reading the output can confuse people that we have a multi-license distribution of Kamailio, which we clearly have not.
/O
Hi Olle,
a compiler does not magically change the licence just by processing the source code and producing binary code. That would be an easy solution to many licencing issues. 😉
Its like e.g., a translation of a book. You can not claim that you own the copyright of a book by simple translating it.
Cheers,
Henning
-----Original Message----- From: Olle E. Johansson oej@edvina.net Sent: Donnerstag, 30. März 2023 11:11 To: Henning Westerholt hw@gilawa.com Cc: Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org Subject: Re: [sr-dev] Debian SBOM for kamailio
I would say for a -sources package this is correct, but I don’t really agree that it’s correct for the binary package.
The only way to "fix" this would be to rewrite the respective parts of the code and then put it under another licence, or ask the original author(s) for permission to re-licence.
You cannot distribute Kamailio under BSD licence, as many of its parts are GPLv2 or later, as clearly indicated in the first section of the copyright file.
I know, but reading the output can confuse people that we have a multi-license distribution of Kamailio, which we clearly have not.
/O
No but when it combines a lot of source code and some of it is GPL, then the output is affected. That’s when the stickyness of the GPL license applies and the combined software - including modules - all run under the GPL license regardless of what license the source code as text had.
The copyright remains exactly the same though.
Its like e.g., a translation of a book. You can not claim that you own the copyright of a book by simple translating it.
I do understand that. I do not understand why your adding that example in this discussion though. You’re mixing copyright and the license to use the copyrighted work.
/O
Hi Olle,
sure. What some people are doing is to list the common licence (e.g., GPLv2 or later) prominently like in the help output etc.., and then provide a pointer to a file that includes all the details, like the Debian copyright file discussed earlier. This is the description about that information, its machine readable (I was not aware of that): https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Cheers,
Henning
-----Original Message----- From: Olle E. Johansson oej@edvina.net Sent: Donnerstag, 30. März 2023 13:19 To: Henning Westerholt hw@gilawa.com Cc: Kamailio (SER) - Development Mailing List sr-dev@lists.kamailio.org Subject: Re: [sr-dev] Debian SBOM for kamailio
No but when it combines a lot of source code and some of it is GPL, then the output is affected. That’s when the stickyness of the GPL license applies and the combined software - including modules - all run under the GPL license regardless of what license the source code as text had.
The copyright remains exactly the same though.
Its like e.g., a translation of a book. You can not claim that you own the copyright of a book by simple translating it.
I do understand that. I do not understand why your adding that example in this discussion though. You’re mixing copyright and the license to use the copyrighted work.
/O
Sorry, life got in the way, but I’m coming back to this discussion…
I think we should * List all licenses per file in the sources package (as is done now) * Only use GPL v2 in the compiled (binary) packages
The copyright is the same in both, but the license is in fact different.
In general, no part of a compiled Kamailio can be distributed under BSD. There may be one of the internal libraries that could be unaffected by the GPL, but anyway, when the customer links in in memory to Kamailio it’s still GPL.
/O
Hi,
On 18/4/23 11:02, Olle E. Johansson wrote:
Uh, what do you mean? How the license of compiled package is different from the ones in the source?
In general, no part of a compiled Kamailio can be distributed under BSD. There may be one of the internal libraries that could be unaffected by the GPL, but anyway, when the customer links in in memory to Kamailio it’s still GPL.
Now I'm really confused :-(
The wonders of GPL. It’s sticky. Even if you have other licenses (provided they are compatible) in the source code then the product itself is all GPL. So if I create a product and license it under GPLv2, and one of the source files is BSD, the compiled binary will be only GPLv2. No part of the compiled product is BSD any more. GPL kind of sticks to it all.
BUT if you only look at the source code, and not the binary. I can create a product, license it under BSD and take one of the source files from kamailio and include it.
* If that file is licensed under BSD, my product can be BSD when compiled and used. * If that file is licensed under GPLv2, my product will be GPLv2 when used. Regardless of the license of my source code.
So the source package can have a list of licenses, but in my view the binary package can not.
The stickyness include loading of .so modules - dynamic linking.
This is why we can’t use GPLv2 licensed code when creating commercial products. Other licenses work fine. LGPL is another story.
I’m not a lawyer, but have spent many years in these kind of discussions. Happy if wrong. :-)
/O
On 20/4/23 13:20, Olle E. Johansson wrote:
Ah, OK. Yes, indeed but there's no explicit license on the binary deb, AFAIK.
-
Henning Westerholt -
Olle E. Johansson -
Victor Seva