[GPC] Changing the OWASP ModSecurity CRS Licensing

Jason Li jason.li at owasp.org
Wed Mar 30 15:34:25 EDT 2011


This is a very tricky question with legal implications and I am not a
lawyer. There was a discussion at the Summit and some ongoing GPC work
regarding licensing issues for OWASP Projects.

I believe the high level overview is that if the leader is the only person
that has ever contributed to a project, then they have the legal right to
change the license for future revisions/releases of the project (previous
releases could use the new license as well, but would still be
simultaneously licensed under the old license in perpetuity). However, if
there have been multiple contributors to the project, then each contributor
would have to be contacted and would have to assent to the change in licensing.

Looking at the ModSecurity CRS project details tab, there are only 3
contributors listed (I don't know if others have committed to the source
tree and are uncredited?). If it's only the three of you, I imagine that it
would be pretty simple to obtain consent from your fellow contributors to
change the license moving forward.

You can imagine it would be a lot more complicated for a project like the
OWASP Top 10 or WebGoat which have scores of contributors... We've been
working on potential policy guidance for projects and the implications so
that we can help projects avoid exactly these types of situations by
thinking about licensing early on in the project's life (when it's much
easier to manage contributors).

But in your case, I believe making the change for future releases would be
fairly straightforward.

-Jason

On Wed, Mar 30, 2011 at 3:11 PM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:

> Ryan,
>
>
>
> As far as I know this is the first time that an OWASP project leader raises
> this question. I guess there is no problem but I am carbon copying our
> Global Projects Committee for us to see whether they have any other input. I
> thank you for consulting with us.
>
>
>
> Please keep up the good work,
>
>
>
> Thanks,
>
> - Paulo
>
>
>
>
>
> Paulo Coimbra,
>
> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>
>
>
> *From:* Ryan Barnett [mailto:ryan.barnett at owasp.org]
> *Sent:* Wednesday, 30 March 2011 20:03
> *To:* paulo.coimbra at owasp.org
> *Subject:* Changing the OWASP ModSecurity CRS Licensing
>
>
>
> Hey Paulo,
>
> I have a question for you with regards to the OWASP ModSecurity CRS Project
> – we want to change the licensing from GPLv2 to Apache Software License v2
> (ASLv2).  Are there any official processes that I need to do or can I simply
> make this change as the project leader?
>
>
>
> Please advise.
>
> Ryan
>