SaToSa (and dependencies) licenses and copyright
by niels.vandijk@surfnet.nl
Hi all,
As part of operationalization the InAcademia service I have had to look
into the software licences and IPR of SaToSa, and its underlying
dependencies. Please find an overview below. The ones marked with a *
are included into idpy universe if I am correct, the others are
external. If you feel something is missing, or should not be in this
list, please let me know.
Based on that I have a few questions and observations:
*Licenses*
* It was not trivial for all components to find out the actual license,
especially for some of the dependencies, as licenses are not always
included. In several cases a license statement is included in the
meta-data of the pip package, but the actual license conditions are not
met. (like e.g. in the case of Apache2, a license file needs to be
delivered as part of the code). From a very puristic point of view that
would mean the software is actually not open source, and hence cannot be
used without a legal risk.
* For the software marked with * we do provide licenses and we do live
up to the conditions of the license :)
* License compatibility wise, we are doing well: all idpy related
software is apache2 licensed, and we do not seem to have dependencies
that outright conflict that license, apart from "chardet" which is LGPL
licenced. (I used this a a baseline:
https://www.apache.org/legal/resolved.html) While I do not think any of
us have the ambition to sell SaToSa as a product directly, I was
wondering if we should replace this with an alternative with a more
suitable license.
* Given the long list of dependencies, I must say I was wondering if we
do not have a little cleaning up to do.
*Copyright & IPR*
* For the idpy related software I note the copyright statements seem to
be missing or incomplete: I know for sure Roland has been working on
several components, but I suspect he has been doing so with multiple
hats on. However I e.g. do not see either GEANT project, UMEA or
NORDUnet copyright reflected, while I do see commits from GEANT project
members in the git history. I am wondering if we should rectify this,
especially in the light of the EU's sensitivity to being able to see
what their money was used for (we have had questions on that in previous
EC reviews of the GEANT project). I could also image a similar sentiment
with some of the NRENs and companies that contributed?
Comments and though are much appreciated!
Best,
Niels
python_editor Apache 2.0
alservice Apache 2.0 *
cmservice Apache 2.0 *
oic Apache 2.0 ?
pyjwkest Apache 2.0 *
pyop Apache 2.0 *
pysaml2 Apache 2.0 *
requests Apache 2.0
satosa Apache 2.0 *
vopaas Apache License 2.0 *
vopaas_statistics Apache License 2.0 *
pymongo Apache License, Version 2.0
pyopenssl Apache License, Version 2.0
babel BSD
beaker BSD
flask BSD
flask_babel BSD
flask_mako BSD
jinja2 BSD
markupsafe BSD
pycparser BSD
werkzeug BSD
alabaster BSD License
click BSD License
pycryptodomex BSD License
cryptography BSD or Apache License, Version 2.0
repoze.who BSD-derived (http://www.repoze.org/LICENSE.txt)
idna BSD-like
python_dateutil Apache License, Version 2.0
chardet LGPL
alembic MIT
asn1crypto MIT
banal MIT
cffi MIT
dataset MIT
future MIT
gunicorn MIT
mako MIT
normality MIT
paste MIT
pip MIT
pystache MIT
pytz MIT
pyyaml MIT
six MIT
urllib3 MIT
webob MIT
wheel MIT
setuptools MIT License
sqlalchemy MIT License
certifi MPL-2.0
decorator new BSD License
defusedxml PSFL
bson Apache License, Version 2.0
cryptodome BSD or Apache License, Version 2.0
gridfs Apache License, Version 2.0
itsdangerous BSD License
jwkest Apache License, Version 2.0
openssl OpenSSL License
past MIT License
pkg_resources BSD or Apache License, Version 2.0
saml2 Apache License, Version 2.0
yaml MIT License
zope.interface ZPL 2.1
--
Niels van Dijk Technical Product Manager Trust & Security
Mob: +31 651347657 | Skype: cdr-80 | PGP Key ID: 0xDE7BB2F5
SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
www.surfnet.nl www.openconext.org