
License of the database #156

Closed
mcollina opened this issue Mar 12, 2018 · 10 comments

@mcollina
Member

There is a significant number of vulnerabilities listed here. However, it's not clear what license that data is distributed under.

cc @nodejs/security-wg @nodejs/tsc we might as well ask the Node.js Foundation lawyers about this, as these terms should have been discussed with the original data dump for nsp.

@ChALkeR
Member

ChALkeR commented Mar 12, 2018

@mcollina The repository has MIT License, and it looks to me that the db is currently being distributed under that license here.

An explicit confirmation would be great, though.

@vdeturckheim
Member

My understanding was that everything in the repo (including the vulnerabilities) was under MIT as @ChALkeR mentioned.

We can add a clarification to the vulnerabilities README if needed.

@mcollina
Member Author

The MIT license was added as part of the repository boilerplate (#9). The vulnerabilities were added in #26, and there was no discussion about the distribution license.

A clarification in the README would be good, thanks.

@dgonzalez
Member

Also we need to make sure that the appropriate license is MIT (at least for the vulnerabilities). We are allowing third parties to resell the information on the DB, whereas with AGPL we guarantee that tools that use the data will be open or just internal for companies.

@ChALkeR
Member

ChALkeR commented May 10, 2018

Any updates on this?

@joepie91

We are allowing third parties to resell the information on the DB whereas with AGPL we guarantee that tools that use the data will be open or just internal for companies.

I'm not sure whether it works that way for data, given that the AGPL (and the MIT, for that matter) are specifically source code licenses, not data licenses.

@mhdawson
Member

Cross posted here: nodejs/community-committee#271 to see if we can re-use what the community committee learned about the question they had and if not get some help to resolve.

@mhdawson
Member

Discussed in security WG meeting. Based on feedback from Foundation and discussion we believe that MIT is the right way to go.

@mhdawson
Member

Vladimir will update Readme.md to make it clear that it is under the same licence after:

  • pinging Adam on initial donation of data
  • updating readme to clarify data will be published under MIT
  • ensuring that the HackerOne template is clear that having submitted a report includes agreement to have it published under MIT.

@vdeturckheim
Member

I checked with @evilpacket this week. MIT works for him.
