Hello Olle,

IMHO the Debian way is correct. This is also the way companies are doing it, 
some examples:
https://www.mbvans.com/en/legal-notices/foss-disclosure
https://oss.bosch-cm.com/gm.html (click on one of the links for the licence 
terms for a huge PDF)

The only way to "fix" this would be to rewrite the respective parts of the code 
and then put it under another licence, or ask the original author(s) for 
permission to re-licence. 

You cannot distribute Kamailio under BSD licence, as many of its parts are 
GPLv2 or later, as clearly indicated in the first section of the copyright 
file. 

Cheers,

Henning 

-----Original Message-----
From: Olle E. Johansson <[email protected]> 
Sent: Thursday, 30 March 2023 10:45
To: Kamailio (SER) - Development Mailing List <[email protected]>
Subject: [sr-dev] Re: Debian SBOM for kamailio



> On 29 Mar 2023, at 16:48, Victor Seva <[email protected]> 
> wrote:
> 
> Hi!
> 
> On 28/3/23 16:36, Olle E. Johansson wrote:
>> Hi!
>> Using the “syft” tool from Anchore I created an SBOM for a server with 
>> Kamailio installed from Debian.
>> The result is quite interesting. Some notes:
>> - For each component (debian package) a list of licenses is made.
>> - The CPEs - filters for matching with NVD - are based on the debian 
>> package names, which is incorrect. I will try with a newer system, like 
>> Debian Bullseye.
>> My question is if we can fix this somehow by modifying meta data in our 
>> packages.
> the information of licenses in packaging is at debian/copyright [0]
> 
> [0] 
> https://github.com/kamailio/kamailio/blob/master/pkg/kamailio/deb/debian/copyright
> 
Ok, so that’s where it came from. The thing is that as you create a package of 
Kamailio, in my view it’s distributed under GPL v2, regardless of the license 
of the source file.

Should we really list all those licenses in the package, as it seems strange for 
a software package to have multiple licenses? It’s not that users can select 
which license they use Kamailio under.

I think this is more confusing and as these kinds of tools become more used, the 
confusion will be even bigger. Suddenly we have someone distributing Kamailio 
under BSD license since they believed they had a choice…

/O