[Owasp-leaders] Copyright statement recommendations

Tom Brennan - OWASP tomb at owasp.org
Thu Jul 14 15:19:53 UTC 2016

Thats a good summary ;)

Attached is a excellent paper on that that I have been researching
regarding projects and the future of OWASP FOSS Projects.  What I found
interesting was the country by country breakdown in this paper too.

Simon, what are the terms of the relationship with your grant?  They are
paying OWASP Foundation a check and then the funds are deposited into the
project for use on 3rd party contractors and related or is this being paid
directly you as an individual or other?  That may be helpful for other
project leaders to better understand the terms of the investment.

 "CII’s sponsorship adds a full-time core developer to work on accelerating ZAP
as a Service
<http://zaproxy.blogspot.co.uk/2015/05/zap-as-service-zaas.html>, which
will allow ZAP to also be deployed as a long running, highly scalable,
distributed service accessed by multiple users with different roles."


On Thu, Jul 14, 2016 at 11:07 AM, psiinon <psiinon at gmail.com> wrote:

> I've now talked to someone at Mozilla who knows much more about these
> things than I do.
> They've told me that copyright statements are essentially a waste of
> space, unless you take copyright assignments (which we dont).
> The copyright holders are the authors no matter what the copyright
> statement says.
> On that basis we'll probably stick with the "Copyright 2016 The ZAP
> Development Team" that we now mostly use.
> Cheers,
> Simon
> On Wed, Jun 29, 2016 at 11:29 AM, psiinon <psiinon at gmail.com> wrote:
>> Thanks to everyone for all of your input.
>> I did find this link:
>> http://ben.balter.com/2015/06/03/copyright-notices-for-websites-and-open-source-projects/
>> which would result in:
>> "Copyright 2010-2016 Simon Bennetts and the ZAP contributors"
>> That sounds fairly reasonable to me - ZAP is a community project, and I
>> think that the copyright should be held by all of the contributors.
>> However I dont think that someone should be able to add one line of code
>> and then somehow have the right to re-licence the entire code base. Whether
>> this statement would allow that I dont know.
>> Although I cant see why anyone would feel the need to do that: the Apache
>> v2 licence is pretty flexible. If someone wants to use the ZAP code in a
>> commercial product then they can. They cant sell ZAP as a product due to
>> licences of other code we use (like the old Paros code), but thats a
>> separate issue.
>> Any views on the above option?
>> Cheers,
>> Simon
>> On Fri, Jun 24, 2016 at 7:58 PM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>>> The problem definitely isn't the definition of "ZAP Development Team."
>>> The current notice creates the presumption that ZAP is a joint work,
>>> because it implies that authors have the intent to merge their
>>> contributions into a unitary whole.  That sounds right for ZAP, but it's
>>> actually probably the opposite of what you want.
>>> The problem is that joint works are co-owned by all the authors. Meaning
>>> that any of them can use or license the entire work however they want
>>> without the consent of the other co-owners. Regardless of the project's
>>> open-source license, a joint author could license other ways or sell
>>> commercially.
>>> There's not a great solution to this problem. You could try to call ZAP
>>> a compilation or collective work, in which each author retains copyright to
>>> their contributions, but the intent to form a unitary whole is, I think,
>>> inarguable for ZAP and dispositive in the matter.
>>> I suggest that the best approach is for all contributors to assign their
>>> copyright for ZAP to the OWASP Foundation, who has committed via charter to
>>> keep all materials free and open for everyone. The Apache ICLA doesn't
>>> quite get to the real issue.
>>> IANYL,
>>> --Jeff
>>> On Fri, Jun 24, 2016 at 10:08 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> Andrew
>>>> Having a contributor agreement is quite different that defining who has
>>>> the IP rights over ZAP.
>>>> Right now, the IP rights are from a group defined as 'Copyright 2016
>>>> The ZAP Development Team', the first most important thing to do is
>>>> define who is that team and who can be considered part of that team
>>>> Creating an agreement between the ZAP developers team and a new/old
>>>> contributor is between ZAP/Project dev team and that contributor.
>>>> The ICLA you provided is quite different because is between the Apache
>>>> foundation and contributors to apache projects. As stated right now , the
>>>> owner of the ZAP code is the 'ZAP development team'
>>>> The faster Simon can define clearly who can be considered the team, the
>>>> better.
>>>> On Fri, Jun 24, 2016 at 9:47 AM, Andrew van der Stock <
>>>> vanderaj at owasp.org> wrote:
>>>>> IANAL,
>>>>> The "Team" can be recognised if you have contributor agreements that
>>>>> agree to hand over their (C) claim to the team, so that people don't feel
>>>>> they add one line of code and feel they have the right to re-license the
>>>>> code.
>>>>> e.g.
>>>>> https://www.apache.org/licenses/icla.txt
>>>>> If you want us to follow this up with OWASP's legal beagles, please
>>>>> let us know, but it will cost and take a bit.
>>>>> Andrew
>>>>> On Fri, Jun 24, 2016 at 9:00 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>> Leaders,
>>>>>> We've had some questions about the ZAP copyright statement we use in
>>>>>> our code, which is now variations on:
>>>>>> /*
>>>>>>  * Zed Attack Proxy (ZAP) and its related class files.
>>>>>>  *
>>>>>>  * ZAP is an HTTP/HTTPS proxy for assessing web application security.
>>>>>>  *
>>>>>>  * Copyright 2016 The ZAP Development Team
>>>>>>  *
>>>>>>  * Licensed under the Apache License, Version 2.0 (the "License");
>>>>>>  * you may not use this file except in compliance with the License.
>>>>>>  * You may obtain a copy of the License at
>>>>>>  *
>>>>>>  *   http://www.apache.org/licenses/LICENSE-2.0
>>>>>>  *
>>>>>>  * Unless required by applicable law or agreed to in writing,
>>>>>> software
>>>>>>  * distributed under the License is distributed on an "AS IS" BASIS,
>>>>>> implied.
>>>>>>  * See the License for the specific language governing permissions
>>>>>> and
>>>>>>  * limitations under the License.
>>>>>>  */
>>>>>> Is "The ZAP Development Team" a reasonable term to use, or is
>>>>>> problematic as this is not a legal entity?
>>>>>> We typically just give the year the relevant file was created, but
>>>>>> should we use the range of years ZAP has been around (ie "2010-2016") and
>>>>>> update every file every year?
>>>>>> Any other thoughts or recommendations?
>>>>>> Cheers.
>>>>>> Simon
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

The information contained in this message and any attachments may be 
privileged, confidential, proprietary or otherwise protected from 
disclosure. If you, the reader of this message, are not the intended 
recipient, you are hereby notified that any dissemination, distribution, 
copying or use of this message and any attachment is strictly prohibited. 
If you have received this message in error, please notify the sender 
immediately by replying to the message, permanently delete it from your 
computer and destroy any printout.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160714/d8ee8789/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FOSS-Lic-review.pdf
Type: application/pdf
Size: 410890 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160714/d8ee8789/attachment-0001.pdf>

More information about the OWASP-Leaders mailing list