[Owasp-leaders] Copyright statement recommendations

psiinon psiinon at gmail.com
Thu Jul 14 15:37:49 UTC 2016


The Linux Foundation are paying the ZAP developer directly - neither I nor
OWASP see any of the money, which I think is an ideal situation :)

Cheers,

Simon

On Thu, Jul 14, 2016 at 5:19 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:

> That's a good summary ;)
>
> Attached is an excellent paper on that, which I have been researching
> regarding projects and the future of OWASP FOSS Projects.  What I found
> interesting was the country by country breakdown in this paper too.
>
> Simon, what are the terms of the relationship with your grant?  Are they
> paying OWASP Foundation a check and then the funds are deposited into the
> project for use on 3rd party contractors and related, or is this being paid
> directly to you as an individual, or other?  That may be helpful for other
> project leaders to better understand the terms of the investment.
>
>  "CII’s sponsorship adds a full-time core developer to work on
> accelerating ZAP as a Service
> <http://zaproxy.blogspot.co.uk/2015/05/zap-as-service-zaas.html>, which
> will allow ZAP to also be deployed as a long running, highly scalable,
> distributed service accessed by multiple users with different roles."
>
> http://www.linuxfoundation.org/news-media/announcements/2016/06/linux-foundation-s-core-infrastructure-initiative-invests-security
>
>
> -Brennan
>
>
>
> On Thu, Jul 14, 2016 at 11:07 AM, psiinon <psiinon at gmail.com> wrote:
>
>> I've now talked to someone at Mozilla who knows much more about these
>> things than I do.
>> They've told me that copyright statements are essentially a waste of
>> space, unless you take copyright assignments (which we don't).
>> The copyright holders are the authors no matter what the copyright
>> statement says.
>> On that basis we'll probably stick with the "Copyright 2016 The ZAP
>> Development Team" that we now mostly use.
>>
>> Cheers,
>>
>> Simon
>>
>> On Wed, Jun 29, 2016 at 11:29 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> Thanks to everyone for all of your input.
>>>
>>> I did find this link:
>>> http://ben.balter.com/2015/06/03/copyright-notices-for-websites-and-open-source-projects/
>>> which would result in:
>>>
>>> "Copyright 2010-2016 Simon Bennetts and the ZAP contributors"
>>>
>>> That sounds fairly reasonable to me - ZAP is a community project, and I
>>> think that the copyright should be held by all of the contributors.
>>> However I don't think that someone should be able to add one line of code
>>> and then somehow have the right to re-licence the entire code base. Whether
>>> this statement would allow that I don't know.
>>> Although I can't see why anyone would feel the need to do that: the
>>> Apache v2 licence is pretty flexible. If someone wants to use the ZAP code
>>> in a commercial product then they can. They can't sell ZAP as a product due
>>> to licences of other code we use (like the old Paros code), but that's a
>>> separate issue.
>>>
>>> Any views on the above option?
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>>
>>>
>>> On Fri, Jun 24, 2016 at 7:58 PM, Jeff Williams <jeff.williams at owasp.org>
>>> wrote:
>>>
>>>> The problem definitely isn't the definition of "ZAP Development Team."
>>>>
>>>> The current notice creates the presumption that ZAP is a joint work,
>>>> because it implies that authors have the intent to merge their
>>>> contributions into a unitary whole.  That sounds right for ZAP, but it's
>>>> actually probably the opposite of what you want.
>>>>
>>>> The problem is that joint works are co-owned by all the authors.
>>>> Meaning that any of them can use or license the entire work however they
>>>> want without the consent of the other co-owners. Regardless of the
>>>> project's open-source license, a joint author could license other ways or
>>>> sell commercially.
>>>>
>>>> There's not a great solution to this problem. You could try to call ZAP
>>>> a compilation or collective work, in which each author retains copyright to
>>>> their contributions, but the intent to form a unitary whole is, I think,
>>>> inarguable for ZAP and dispositive in the matter.
>>>>
>>>> I suggest that the best approach is for all contributors to assign
>>>> their copyright for ZAP to the OWASP Foundation, who has committed via
>>>> charter to keep all materials free and open for everyone. The Apache ICLA
>>>> doesn't quite get to the real issue.
>>>>
>>>> IANYL,
>>>>
>>>> --Jeff
>>>>
>>>> On Fri, Jun 24, 2016 at 10:08 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Andrew
>>>>>
>>>>> Having a contributor agreement is quite different from defining who
>>>>> has the IP rights over ZAP.
>>>>>
>>>>> Right now, the IP rights are from a group defined as 'Copyright 2016
>>>>> The ZAP Development Team'. The first and most important thing to do is
>>>>> to define who that team is and who can be considered part of that team.
>>>>>
>>>>> Creating an agreement between the ZAP developers team and a new/old
>>>>> contributor is between ZAP/Project dev team and that contributor.
>>>>>
>>>>> The ICLA you provided is quite different because it is between the Apache
>>>>> foundation and contributors to Apache projects. As stated right now, the
>>>>> owner of the ZAP code is the 'ZAP development team'.
>>>>>
>>>>> The faster Simon can define clearly who can be considered the team,
>>>>> the better.
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jun 24, 2016 at 9:47 AM, Andrew van der Stock <
>>>>> vanderaj at owasp.org> wrote:
>>>>>
>>>>>> IANAL,
>>>>>>
>>>>>> The "Team" can be recognised if you have contributor agreements that
>>>>>> agree to hand over their (C) claim to the team, so that people don't feel
>>>>>> they add one line of code and feel they have the right to re-license the
>>>>>> code.
>>>>>>
>>>>>> e.g.
>>>>>> https://www.apache.org/licenses/icla.txt
>>>>>>
>>>>>> If you want us to follow this up with OWASP's legal beagles, please
>>>>>> let us know, but it will cost and take a bit.
>>>>>>
>>>>>> Andrew
>>>>>>
>>>>>> On Fri, Jun 24, 2016 at 9:00 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>>> Leaders,
>>>>>>>
>>>>>>> We've had some questions about the ZAP copyright statement we use in
>>>>>>> our code, which is now variations on:
>>>>>>> /*
>>>>>>>  * Zed Attack Proxy (ZAP) and its related class files.
>>>>>>>  *
>>>>>>>  * ZAP is an HTTP/HTTPS proxy for assessing web application security.
>>>>>>>  *
>>>>>>>  * Copyright 2016 The ZAP Development Team
>>>>>>>  *
>>>>>>>  * Licensed under the Apache License, Version 2.0 (the "License");
>>>>>>>  * you may not use this file except in compliance with the License.
>>>>>>>  * You may obtain a copy of the License at
>>>>>>>  *
>>>>>>>  *   http://www.apache.org/licenses/LICENSE-2.0
>>>>>>>  *
>>>>>>>  * Unless required by applicable law or agreed to in writing, software
>>>>>>>  * distributed under the License is distributed on an "AS IS" BASIS,
>>>>>>>  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>>>>>  * See the License for the specific language governing permissions and
>>>>>>>  * limitations under the License.
>>>>>>>  */
>>>>>>>
>>>>>>> Is "The ZAP Development Team" a reasonable term to use, or is it
>>>>>>> problematic as this is not a legal entity?
>>>>>>> We typically just give the year the relevant file was created, but
>>>>>>> should we use the range of years ZAP has been around (i.e. "2010-2016") and
>>>>>>> update every file every year?
>>>>>>> Any other thoughts or recommendations?
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>> Simon
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>




