[Owasp-leaders] Copyright statement recommendations

psiinon psiinon at gmail.com
Wed Jun 29 09:29:06 UTC 2016

Thanks to everyone for all of your input.

I did find this link:
which would result in:

"Copyright 2010-2016 Simon Bennetts and the ZAP contributors"

That sounds fairly reasonable to me - ZAP is a community project, and I
think that the copyright should be held by all of the contributors.
However I don't think that someone should be able to add one line of code
and then somehow have the right to re-licence the entire code base. Whether
this statement would allow that I don't know.
Although I can't see why anyone would feel the need to do that: the Apache
v2 licence is pretty flexible. If someone wants to use the ZAP code in a
commercial product then they can. They can't sell ZAP as a product due to
licences of other code we use (like the old Paros code), but that's a
separate issue.

Any views on the above option?



On Fri, Jun 24, 2016 at 7:58 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
> The problem definitely isn't the definition of "ZAP Development Team."
> The current notice creates the presumption that ZAP is a joint work,
> because it implies that authors have the intent to merge their
> contributions into a unitary whole.  That sounds right for ZAP, but it's
> actually probably the opposite of what you want.
> The problem is that joint works are co-owned by all the authors. Meaning
> that any of them can use or license the entire work however they want
> without the consent of the other co-owners. Regardless of the project's
> open-source license, a joint author could license other ways or sell
> commercially.
> There's not a great solution to this problem. You could try to call ZAP a
> compilation or collective work, in which each author retains copyright to
> their contributions, but the intent to form a unitary whole is, I think,
> inarguable for ZAP and dispositive in the matter.
> I suggest that the best approach is for all contributors to assign their
> copyright for ZAP to the OWASP Foundation, who has committed via charter to
> keep all materials free and open for everyone. The Apache ICLA doesn't
> quite get to the real issue.
> --Jeff
> On Fri, Jun 24, 2016 at 10:08 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Andrew
>> Having a contributor agreement is quite different from defining who has
>> the IP rights over ZAP.
>> Right now, the IP rights are from a group defined as 'Copyright 2016 The
>> ZAP Development Team', the first most important thing to do is define
>> who is that team and who can be considered part of that team
>> Creating an agreement between the ZAP developers team and a new/old
>> contributor is between ZAP/Project dev team and that contributor.
>> The ICLA you provided is quite different because it is between the Apache
>> foundation and contributors to Apache projects. As stated right now, the
>> owner of the ZAP code is the 'ZAP development team'.
>> The faster Simon can define clearly who can be considered the team, the
>> better.
>> On Fri, Jun 24, 2016 at 9:47 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>>> IANAL,
>>> The "Team" can be recognised if you have contributor agreements that
>>> agree to hand over their (C) claim to the team, so that people don't feel
>>> they add one line of code and feel they have the right to re-license the
>>> code.
>>> e.g.
>>> https://www.apache.org/licenses/icla.txt
>>> If you want us to follow this up with OWASP's legal beagles, please let
>>> us know, but it will cost and take a bit.
>>> Andrew
>>> On Fri, Jun 24, 2016 at 9:00 PM, psiinon <psiinon at gmail.com> wrote:
>>>> Leaders,
>>>> We've had some questions about the ZAP copyright statement we use in
>>>> our code, which is now variations on:
>>>> /*
>>>>  * Zed Attack Proxy (ZAP) and its related class files.
>>>>  *
>>>>  * ZAP is an HTTP/HTTPS proxy for assessing web application security.
>>>>  *
>>>>  * Copyright 2016 The ZAP Development Team
>>>>  *
>>>>  * Licensed under the Apache License, Version 2.0 (the "License");
>>>>  * you may not use this file except in compliance with the License.
>>>>  * You may obtain a copy of the License at
>>>>  *
>>>>  *   http://www.apache.org/licenses/LICENSE-2.0
>>>>  *
>>>>  * Unless required by applicable law or agreed to in writing, software
>>>>  * distributed under the License is distributed on an "AS IS" BASIS,
>>>>  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>>>>  * implied.
>>>>  * See the License for the specific language governing permissions and
>>>>  * limitations under the License.
>>>>  */
>>>> Is "The ZAP Development Team" a reasonable term to use, or is it
>>>> problematic as this is not a legal entity?
>>>> We typically just give the year the relevant file was created, but
>>>> should we use the range of years ZAP has been around (i.e. "2010-2016") and
>>>> update every file every year?
>>>> Any other thoughts or recommendations?
>>>> Cheers.
>>>> Simon
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> Johanna Curiel
>> OWASP Volunteer

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader