[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Usage of Xen Security Data in VulnerableCode



On Thu, Jan 19, 2023 at 1:10 PM Tushar Goel <tushar.goel.dav@xxxxxxxxx> wrote:
Hi Andrew,

> Maybe we want to make it CC-BY-4 to require people to reference back to
> the canonical upstream ?
Thanks for your response, can we have a more declarative statement on
the license from your end
and also can you please provide your acknowledgement over the usage of
Xen security data in vulnerablecode.

Hey Tushar,

Informally, the Xen Project Security Team is happy for you to include the data from xsa.json in your open-source vulnerability database.  As a courtesy we'd request that it be documented where the information came from.  (I think if the data includes links to then advisories on our website, that will suffice.)

Formally, we're not copyright lawyers; but we don't think there's anything copyright-able in the xsa.json: There is no editorial or creative control in the generation of that file; it's just a collection of facts which you could re-generate by scanning all the advisories.  (In fact that's exactly how the file is created; i.e., the collection of advisory texts is our "source of truth".)

We do have "Officially license all advisory text as CC-BY-4" on our to-do list; if you'd be more comfortable with an official license for xsa.json as well, we can add that to the list.

 -George

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.