[Owasp-leaders] Copyright statement recommendations
psiinon at gmail.com
Wed Jun 29 09:29:06 UTC 2016
Thanks to everyone for all of your input.
I did find this link:
which would result in:
"Copyright 2010-2016 Simon Bennetts and the ZAP contributors"
That sounds fairly reasonable to me - ZAP is a community project, and I
think that the copyright should be held by all of the contributors.
However I don't think that someone should be able to add one line of code
and then somehow have the right to re-licence the entire code base. Whether
this statement would allow that I don't know.
Although I can't see why anyone would feel the need to do that: the Apache
v2 licence is pretty flexible. If someone wants to use the ZAP code in a
commercial product then they can. They can't sell ZAP as a product due to
licences of other code we use (like the old Paros code), but that's a
Any views on the above option?
On Fri, Jun 24, 2016 at 7:58 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
> The problem definitely isn't the definition of "ZAP Development Team."
> The current notice creates the presumption that ZAP is a joint work,
> because it implies that authors have the intent to merge their
> contributions into a unitary whole. That sounds right for ZAP, but it's
> actually probably the opposite of what you want.
> The problem is that joint works are co-owned by all the authors. Meaning
> that any of them can use or license the entire work however they want
> without the consent of the other co-owners. Regardless of the project's
> open-source license, a joint author could license other ways or sell
> There's not a great solution to this problem. You could try to call ZAP a
> compilation or collective work, in which each author retains copyright to
> their contributions, but the intent to form a unitary whole is, I think,
> inarguable for ZAP and dispositive in the matter.
> I suggest that the best approach is for all contributors to assign their
> copyright for ZAP to the OWASP Foundation, who has committed via charter to
> keep all materials free and open for everyone. The Apache ICLA doesn't
> quite get to the real issue.
> On Fri, Jun 24, 2016 at 10:08 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> Having a contributor agreement is quite different from defining who has
>> the IP rights over ZAP.
>> Right now, the IP rights are from a group defined as 'Copyright 2016 The
>> ZAP Development Team', the first most important thing to do is define
>> who is that team and who can be considered part of that team
>> Creating an agreement between the ZAP developers team and a new/old
>> contributor is between ZAP/Project dev team and that contributor.
>> The ICLA you provided is quite different because it is between the Apache
>> Foundation and contributors to Apache projects. As stated right now, the
>> owner of the ZAP code is the 'ZAP development team'.
>> The faster Simon can define clearly who can be considered the team, the
>> On Fri, Jun 24, 2016 at 9:47 AM, Andrew van der Stock <vanderaj at owasp.org> wrote:
>>> The "Team" can be recognised if you have contributor agreements that
>>> agree to hand over their (C) claim to the team, so that people don't feel
>>> they add one line of code and feel they have the right to re-license the
>>> If you want us to follow this up with OWASP's legal beagles, please let
>>> us know, but it will cost and take a bit.
>>> On Fri, Jun 24, 2016 at 9:00 PM, psiinon <psiinon at gmail.com> wrote:
>>>> We've had some questions about the ZAP copyright statement we use in
>>>> our code, which is now variations on:
>>>> * Zed Attack Proxy (ZAP) and its related class files.
>>>> * ZAP is an HTTP/HTTPS proxy for assessing web application security.
>>>> * Copyright 2016 The ZAP Development Team
>>>> * Licensed under the Apache License, Version 2.0 (the "License");
>>>> * you may not use this file except in compliance with the License.
>>>> * You may obtain a copy of the License at
>>>> * http://www.apache.org/licenses/LICENSE-2.0
>>>> * Unless required by applicable law or agreed to in writing, software
>>>> * distributed under the License is distributed on an "AS IS" BASIS,
>>>> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>>>> * See the License for the specific language governing permissions and
>>>> * limitations under the License.
>>>> Is "The ZAP Development Team" a reasonable term to use, or is it
>>>> problematic as this is not a legal entity?
>>>> We typically just give the year the relevant file was created, but
>>>> should we use the range of years ZAP has been around (ie "2010-2016") and
>>>> update every file every year?
>>>> Any other thoughts or recommendations?
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>> Johanna Curiel
>> OWASP Volunteer
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader