[GPC] Changing the OWASP ModSecurity CRS Licensing

Matt Tesauro mtesauro at gmail.com
Thu Mar 31 14:23:54 EDT 2011


BTW, this is why some open source projects require copyright assignment.
It solves the many contributors problem.  I'm not saying that's good or
bad but if a project expects or wants the option to change licensing in the
future, that's one method to get there. However, some developers won't sign
copyright assignments and keeping track of who's signed and not adds a ton
of overhead for contributions.

OWASP doesn't require copyright assignment but if a project wants to assign
copyright to the Foundation, we won't say no.  Keith Turpin did this for his
project and Boeing assigned copyright to OWASP Foundation for the Secure
Coding Practices Quick Reference Guide.

Licensing can get tricky and if any project needs advice on open source
licensing, I've pointed them at the Software Freedom Law Center.
   http://www.softwarefreedom.org/
They will provide advice on licensing issues (free for Open Source projects)
but as they are in the US, the advice is generally US centric.

HTH.

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site


On Wed, Mar 30, 2011 at 2:34 PM, Jason Li <jason.li at owasp.org> wrote:

> This is a very tricky question with legal implications and I am not a
> lawyer. There was a discussion at the Summit and some ongoing GPC work
> regarding licensing issues for OWASP Projects.
>
> I believe the high level overview is that if the leader is the only person
> that has ever contributed to a project, then they have the legal right to
> change the license for future revisions/releases of the project (previous
> releases could use the new license as well, but would still be
> simultaneously licensed under the old license in perpetuity). However, if
> there have been multiple contributors to the project, then each contributor
> would have to be contacted and would have to assent to the change in licensing.
>
> Looking at the ModSecurity CRS project details tab, there's only 3
> contributors listed (I don't know if others have committed to the source
> tree and are uncredited?). If it's only the three of you, I imagine that it
> would be pretty simple to obtain consent from your fellow contributors to
> change the license moving forward.
>
> You can imagine it would be a lot more complicated for a project like the
> OWASP Top 10 or Webgoat which have scores of contributors... We've been
> working on potential policy guidance for projects and the implications so
> that we can help projects avoid exactly these types of situations by
> thinking about licensing early on in the project's life (when it's much
> easier to manage contributors).
>
> But in your case, I believe making the change for future releases would be
> fairly straightforward.
>
> -Jason
>
> On Wed, Mar 30, 2011 at 3:11 PM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
>
>> Ryan,
>>
>> As far as I know this is the first time that an OWASP project leader
>> raises this question. I guess there is no problem but I am carbon copying
>> our Global Projects Committee for us to see whether they have any other
>> input. I thank you for consulting with us.
>>
>> Please keep up the good work,
>>
>> Thanks,
>>
>> - Paulo
>>
>> Paulo Coimbra,
>>
>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>>
>>
>> *From:* Ryan Barnett [mailto:ryan.barnett at owasp.org]
>> *Sent:* Wednesday, 30 March 2011 20:03
>> *To:* paulo.coimbra at owasp.org
>> *Subject:* Changing the OWASP ModSecurity CRS Licensing
>>
>> Hey Paulo,
>>
>> I have a question for you with regards to the OWASP ModSecurity CRS
>> Project – we want to change the licensing from GPLv2 to Apache Software
>> License v2 (ASLv2).  Are there any official processes that I need to do or
>> can I simply make this change as the project leader?
>>
>> Please advise.
>>
>> Ryan
>>
>> _______________________________________________
>> Global-projects-committee mailing list
>> Global-projects-committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>>
>>
>