[Owasp-leaders] What is the OWASP definition of Open Source?

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Fri Nov 14 11:10:24 EST 2008


The perspective I would like to share is that if they are standalone
programs such as Scarab, then any of them are fine. However, if they are
things that get embedded into applications such as ESAPI then avoid
Mozilla, GPL and prefer one of the academic licenses.

________________________________

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Li
Sent: Wednesday, November 12, 2008 8:20 AM
To: mtesauro
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] What is the OWASP definition of Open Source?


I think it's a good idea to limit the set of licenses. However, I think
we can leverage some existing work here by following Google Code's
choices:
Apache License 2.0
Artistic License/GPL
Eclipse Public License 1.0
GNU General Public License v2
GNU General Public License v3
GNU Lesser General Public License
MIT License
Mozilla Public License 1.1
New BSD License

The Google Code people seem to have put some thought and post-analysis
on the licensing choices:
http://google-opensource.blogspot.com/2008/05/standing-against-license-proliferation.html

As part of our project survey, we can see what licenses are currently
used by our OWASP projects to see if it aligns with these choices.
--
-Jason Li-
-li.jason.c at gmail.com-



On Tue, Nov 11, 2008 at 12:49 PM, mtesauro <mtesauro at gmail.com> wrote:


	I agree with Dan's earlier point.  I think that any license approved by
	the OSI (http://www.opensource.org/) or the FSF
	(http://www.fsf.org/licensing/) should provide more than enough
	flexibility for a project's licensing while still being "Open" as in
	OWASP.
	
	I really like what Google Code did.  From an interview I read/heard from
	Google, they choose a small sub-set of the OSI/FSF licenses and all
	projects that are on Google code need to be one of those.  It's a nice
	way to provide good flexibility without having any more license
	proliferation mess.  For example, one of the tools I looked at for the
	Live CD was under the "Do What the F*ck You Want To Public License" -
	except the * was the letter 'u'.  While a project's author should have
	total freedom in licensing, I have a preference to providing a selection
	of licenses for a project lead to choose from to avoid this sort of issue.
	
	As for documentation, either the FSF's FDL or one of the Creative
	Commons licenses seem appropriate - though I know less about those than
	the traditional open software licenses.
	
	While I hate to add to my plate, perhaps this is a good issue for the
	Global Project committee?  That is, the selection of a range of licenses
	for use by OWASP tools & documentation.  Something that has necessary
	flexibility while minimizing the choices to the smallest possible set.
	
	--
	-- Matt Tesauro
	OWASP Live CD 2008 Project Lead
	
	http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project
	http://mtesauro.com/livecd/ - Documentation Wiki
	

	Rogan Dawes wrote:
	> McGovern, James F (HTSC, IT) wrote:
	>> Awhile back I remember a note from Jeff indicating that it was licensed
	>> under both GPL and BSD?
	>
	> *I*, as the primary author of WebScarab, have *never* been approached to
	> relicense WebScarab. Additionally, while it may be an OWASP project,
	> there are no assignments in force in favour of OWASP.
	>
	> WebScarab has been licensed under the GPL from the outset, but no
	> mention has ever been made of the BSD license.
	>
	> Regards,
	>
	> Rogan
	>
	>> -----Original Message-----
	>> From: Rogan Dawes [mailto:lists at dawes.za.net]
	>> Sent: Tuesday, November 11, 2008 9:52 AM
	>> To: McGovern, James F (HTSC, IT)
	>> Cc: owasp-leaders at lists.owasp.org
	>> Subject: Re: [Owasp-leaders] What is the OWASP definition of Open
	>> Source?
	>>
	>> McGovern, James F (HTSC, IT) wrote:
	>>> OK, so I know that projects such as Scarab have dual licensing.
	>> WebScarab does NOT have dual licensing.
	>>
	>>> Likewise, I also understand that OWASP allows for projects to run that
	>>> aren't yet open source but promised to be in the future. Examples of
	>>> such efforts would be the work that Pravir and Brian of Fortify are
	>>> currently working on...
	>> Perhaps. Personally, I'd prefer it if those non-open projects were not
	>> recognised under the OWASP umbrella until they can be made open.
	>>
	>> Regards,
	>>
	>> Rogan Dawes
	>
	> _______________________________________________
	> OWASP-Leaders mailing list
	> OWASP-Leaders at lists.owasp.org
	> https://lists.owasp.org/mailman/listinfo/owasp-leaders


************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************