The license of the documentation is impractical for any use in any open source software, and other license issues

[pombredanne]

Describe the bug
The license of the documentation is impractical for any use in any open source software. Could you work out something that makes it possible to reuse and include in an open source software package?

With open source, I cannot control commercial use or not.

It would be nice to consider a proper open source license for the docs and text such as a CC-BY or CC-BY-SA

Some other related license issues:

• are the data and schema in https://github.com/CERTCC/SSVC/blob/main/data/ MIT-license (e.g. software?) or under the proprietary license of the docs, texts and PDFs? If not MIT, SSVC is mostly unusable as it is.

• the license notice at

  SSVC/src/ssvc/_mixins.py

  Line 10 in a342cb6

  # Stakeholder Specific Vulnerability Categorization (SSVC) is

  mentions a LICENSE.md file that does not exists.

You have an excellent framework, but the licensing makes it's usage impossible for open source.

[pombredanne]

Also is the code in https://certcc.github.io/SSVC/ssvc-calc/ MIT or is this code under the proprietary license?

[pombredanne]

@ahouseholder gentle ping.

[ahouseholder]

Hi, I'm working this through our legal folks, so I don't have a definitive answer at the moment. However, I can say that our intent was that:

• Code is covered by the MIT license. This includes the calculator, the python code, any javascript or json files, and any ancillary scripts.

  SSVC/LICENSE

  Lines 1 to 25 in 19f72a5

  	The following license applies to software contained in this repository.
  	----
  	MIT License
  	Copyright (c) 2020 Carnegie Mellon University
  	Permission is hereby granted, free of charge, to any person obtaining a copy
  	of this software and associated documentation files (the "Software"), to deal
  	in the Software without restriction, including without limitation the rights
  	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  	copies of the Software, and to permit persons to whom the Software is
  	furnished to do so, subject to the following conditions:
  	The above copyright notice and this permission notice shall be included in all
  	copies or substantial portions of the Software.
  	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  	SOFTWARE.

• Documentation is covered by the Copyright statement in

  SSVC/LICENSE

  Lines 27 to 67 in 19f72a5

  	The following statement applies to PDF, markdown, and text documents contained in this repository.
  	This material is based upon work funded and supported by the Department of Defense
  	under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation
  	of the Software Engineering Institute, a federally funded research and development center.
  	The view, opinions, and/or findings contained in this material are those of the author(s)
  	and should not be construed as an official Government position, policy, or decision, unless
  	designated by other documentation.
  	References herein to any specific commercial product, process, or service by trade name,
  	trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its
  	endorsement, recommendation, or favoring by Carnegie Mellon University or its
  	Software Engineering Institute.
  	NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL
  	IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
  	EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF
  	FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE
  	MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT
  	TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
  	[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution.
  	Please see Copyright notice for non-US Government use and distribution.
  	Internal use:
  	* Permission to reproduce this material and to prepare derivative works from this material for internal
  	use is granted, provided the copyright and “No Warranty” statements are included with all reproductions
  	and derivative works.
  	External use:
  	* This material may be reproduced in its entirety, without modification, and freely distributed in
  	written or electronic form without requesting formal permission. Permission is required for any
  	other external and/or commercial use. Requests for permission should be directed to the
  	Software Engineering Institute at [email protected].
  	* These restrictions do not apply to U.S. government entities.
  	Carnegie Mellon®, CERT Coordination Center® and OCTAVE® are registered in the U.S. Patent and
  	Trademark Office by Carnegie Mellon University.
  	DM18-1203, DM19-1222

Just to confirm that I'm understanding the concern correctly, I think you're reacting to the documentation portion

SSVC/LICENSE

Lines 57 to 61 in 19f72a5

	External use:
	* This material may be reproduced in its entirety, without modification, and freely distributed in
	written or electronic form without requesting formal permission. Permission is required for any
	other external and/or commercial use. Requests for permission should be directed to the
	Software Engineering Institute at [email protected].

and highlighting that it only allows the documentation to be included downstream without modification (or requires permission to modify). Is that accurate?

(any references to LICENSE.md are intended to mean https://github.com/CERTCC/SSVC/blob/main/LICENSE, that's just a typo in the boilerplate)

[pombredanne]

@ahouseholder Thank you for chiming in! I guess the "F" in "License" is for "Fun" ;)

You wrote:

Just to confirm that I'm understanding the concern correctly, I think you're reacting to the documentation portion
and highlighting that it only allows the documentation to be included downstream without modification (or requires permission to modify). Is that accurate?

Yes this is accurate. This license statement is incompatible with an open source licensing. This would not be a problem if there were not data definitions (and possibly JS calculator code) in the documentation and that that would be necessarily copied when doing an implementation, and likely modified along the way.

And also this:

Permission is required for any other external and/or commercial use

External and commercial is pretty much the whole wild world.

I am assuming your concern is to keep the integrity of the SSVC specification and avoid derived work that would be still pretend to be SSVC? I am sure there are proper open source licenses that would support this. For code, the Apache has these effects for instance AFAIK.

You may want to direct your legal team to check this license https://github.com/CommunitySpecification/Community_Specification by @mkdolan from the Linux Foundation. This is a sensible and comprehensive license designed for specifications. It is used for specs in the space such as SPDX.

[ahouseholder]

I am assuming your concern is to keep the integrity of the SSVC specification and avoid derived work that would be still pretend to be SSVC? I am sure there are proper open source licenses that would support this. For code, the Apache has these effects for instance AFAIK.

It's actually a bit of a historical artifact due to the content of this repository having arrived via two distinct paths:

1. The original SSVC docs we released as PDFs https://insights.sei.cmu.edu/library/prioritizing-vulnerability-response-a-stakeholder-specific-vulnerability-categorization-version-20/ carried the SEI's standard copyright blurb which is the origin of the "Permission is required for any other external and/or commercial use" line. I think the idea there is that "You can redistribute the PDF in its entirety but don't chop it up."
2. The code came from the MIT license side of things, which we intended to be reusable subject to the MIT license requiring the copyright acknowledgement.

There's obviously a different set of assumptions behind those two paths, which is how we got here.

Thanks for your comments though. Our legal folks are aware of this thread and hopefully we'll come to some sort of resolution soon.

[pombredanne]

@ahouseholder re:#550 (comment)

Thanks for your comments though. Our legal folks are aware of this thread and hopefully we'll come to some sort of resolution soon.

Thank you. You and SSVC are awesome.

[pombredanne]

@ahouseholder Hey 👋, did you get any update from your legal folks?

[laurie-tyz]

I’ll ask Amy if she needs anything. Laurie From: Philippe Ombredanne ***@***.***> Sent: Thursday, September 5, 2024 2:06 PM To: CERTCC/SSVC ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [CERTCC/SSVC] The license of the documentation is impractical for any use in any open source software, and other license issues (Issue #550) Warning: External Sender - do not click links or open attachments unless you recognize the sender and know the content is safe. @ahouseholder<https://github.com/ahouseholder> Hey 👋, did you get any update from your legal folks? — Reply to this email directly, view it on GitHub<#550 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AH4BWHXLX67PLZ3PMUA6DBTZVCMSFAVCNFSM6AAAAABFZILUUCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZSGM2DMMRWHA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.******@***.***>>