xen-devel.lists.xenproject.org archive mirror
* Usage of Xen Security Data in VulnerableCode
@ 2023-01-10 13:33 Tushar Goel
  2023-01-10 13:45 ` Andrew Cooper
  0 siblings, 1 reply; 4+ messages in thread
From: Tushar Goel @ 2023-01-10 13:33 UTC (permalink / raw)
  To: xen-devel

Hey,

We would like to integrate the xen security data[1][2]
in vulnerablecode[3] which is a FOSS db of FOSS vulnerability data.
We were not able to know under which license this security data comes.
We would be grateful to have your acknowledgement over
usage of the xen security data in vulnerablecode and
have some kind of licensing declaration from your side.

[1] - https://xenbits.xen.org/xsa/xsa.json
[2] - https://github.com/nexB/vulnerablecode/pull/1044
[3] - https://github.com/nexB/vulnerablecode

Regards,



* Re: Usage of Xen Security Data in VulnerableCode
  2023-01-10 13:33 Usage of Xen Security Data in VulnerableCode Tushar Goel
@ 2023-01-10 13:45 ` Andrew Cooper
  2023-01-19 13:09   ` Tushar Goel
  0 siblings, 1 reply; 4+ messages in thread
From: Andrew Cooper @ 2023-01-10 13:45 UTC (permalink / raw)
  To: Tushar Goel, xen-devel; +Cc: Xen Security

On 10/01/2023 1:33 pm, Tushar Goel wrote:
> Hey,
>
> We would like to integrate the xen security data[1][2]
> in vulnerablecode[3] which is a FOSS db of FOSS vulnerability data.
> We were not able to know under which license this security data comes.
> We would be grateful to have your acknowledgement over
> usage of the xen security data in vulnerablecode and
> have some kind of licensing declaration from your side.
>
> [1] - https://xenbits.xen.org/xsa/xsa.json
> [2] - https://github.com/nexB/vulnerablecode/pull/1044
> [3] - https://github.com/nexB/vulnerablecode

Hmm, good question...

In practice, it is public domain, not least because we publish it to
Mitre and various public mailing lists, but I'm not aware of having
explicitly tried to choose a license.

Maybe we want to make it CC-BY-4 to require people to reference back to
the canonical upstream ?

~Andrew


* Re: Usage of Xen Security Data in VulnerableCode
  2023-01-10 13:45 ` Andrew Cooper
@ 2023-01-19 13:09   ` Tushar Goel
  2023-01-25 11:27     ` George Dunlap
  0 siblings, 1 reply; 4+ messages in thread
From: Tushar Goel @ 2023-01-19 13:09 UTC (permalink / raw)
  To: Andrew Cooper; +Cc: xen-devel, Xen Security, Philippe Ombredanne, jmhoran

Hi Andrew,

> Maybe we want to make it CC-BY-4 to require people to reference back to
> the canonical upstream ?

Thanks for your response. Can we have a more declarative statement on
the license from your end, and also can you please provide your
acknowledgement over the usage of Xen security data in vulnerablecode?

Regards,

On Tue, Jan 10, 2023 at 7:15 PM Andrew Cooper <Andrew.Cooper3@citrix.com> wrote:
>
> On 10/01/2023 1:33 pm, Tushar Goel wrote:
> > Hey,
> >
> > We would like to integrate the xen security data[1][2]
> > in vulnerablecode[3] which is a FOSS db of FOSS vulnerability data.
> > We were not able to know under which license this security data comes.
> > We would be grateful to have your acknowledgement over
> > usage of the xen security data in vulnerablecode and
> > have some kind of licensing declaration from your side.
> >
> > [1] - https://xenbits.xen.org/xsa/xsa.json
> > [2] - https://github.com/nexB/vulnerablecode/pull/1044
> > [3] - https://github.com/nexB/vulnerablecode
>
> Hmm, good question...
>
> In practice, it is public domain, not least because we publish it to
> Mitre and various public mailing lists, but I'm not aware of having
> explicitly tried to choose a license.
>
> Maybe we want to make it CC-BY-4 to require people to reference back to
> the canonical upstream ?
>
> ~Andrew



* Re: Usage of Xen Security Data in VulnerableCode
  2023-01-19 13:09   ` Tushar Goel
@ 2023-01-25 11:27     ` George Dunlap
  0 siblings, 0 replies; 4+ messages in thread
From: George Dunlap @ 2023-01-25 11:27 UTC (permalink / raw)
  To: Tushar Goel
  Cc: Andrew Cooper, xen-devel, Xen Security, Philippe Ombredanne, jmhoran

On Thu, Jan 19, 2023 at 1:10 PM Tushar Goel <tushar.goel.dav@gmail.com>
wrote:

> Hi Andrew,
>
> > Maybe we want to make it CC-BY-4 to require people to reference back to
> > the canonical upstream ?
> Thanks for your response, can we have a more declarative statement on
> the license from your end
> and also can you please provide your acknowledgement over the usage of
> Xen security data in vulnerablecode.
>

Hey Tushar,

Informally, the Xen Project Security Team is happy for you to include the
data from xsa.json in your open-source vulnerability database.  As a
courtesy we'd request that it be documented where the information came
from.  (I think if the data includes links to the advisories on our
website, that will suffice.)

Formally, we're not copyright lawyers; but we don't think there's anything
copyright-able in the xsa.json: There is no editorial or creative control
in the generation of that file; it's just a collection of facts which you
could re-generate by scanning all the advisories.  (In fact that's exactly
how the file is created; i.e., the collection of advisory texts is our
"source of truth".)

We do have "Officially license all advisory text as CC-BY-4" on our to-do
list; if you'd be more comfortable with an official license for xsa.json as
well, we can add that to the list.

 -George
