Hi all,
As part of operationalizing the InAcademia service I have had to look
into the software licences and IPR of SaToSa, and its underlying
dependencies. Please find an overview below. The ones marked with a *
are included in the idpy universe if I am correct, the others are
external. If you feel something is missing, or should not be in this
list, please let me know.
Based on that I have a few questions and observations:
*Licenses*
* It was not trivial for all components to find out the actual license,
especially for some of the dependencies, as licenses are not always
included. In several cases a license statement is included in the
meta-data of the pip package, but the actual license conditions are not
met. (like e.g. in the case of Apache2, a license file needs to be
delivered as part of the code). From a very puristic point of view that
would mean the software is actually not open source, and hence cannot be
used without a legal risk.
* For the software marked with * we do provide licenses and we do live
up to the conditions of the license :)
* License compatibility wise, we are doing well: all idpy related
software is apache2 licensed, and we do not seem to have dependencies
that outright conflict with that license, apart from "chardet" which is LGPL
licenced. (I used this as a baseline:
https://www.apache.org/legal/resolved.html) While I do not think any of
us have the ambition to sell SaToSa as a product directly, I was
wondering if we should replace this with an alternative with a more
suitable license.
* Given the long list of dependencies, I must say I was wondering if we
do not have a little cleaning up to do.
*Copyright & IPR*
* For the idpy related software I note the copyright statements seem to
be missing or incomplete: I know for sure Roland has been working on
several components, but I suspect he has been doing so with multiple
hats on. However I e.g. do not see either GEANT project, UMEA or
NORDUnet copyright reflected, while I do see commits from GEANT project
members in the git history. I am wondering if we should rectify this,
especially in the light of the EU's sensitivity to being able to see
what their money was used for (we have had questions on that in previous
EC reviews of the GEANT project). I could also imagine a similar sentiment
with some of the NRENs and companies that contributed?
Comments and thoughts are much appreciated!
Best,
Niels
python_editor Apache 2.0
alservice Apache 2.0 *
cmservice Apache 2.0 *
oic Apache 2.0 ?
pyjwkest Apache 2.0 *
pyop Apache 2.0 *
pysaml2 Apache 2.0 *
requests Apache 2.0
satosa Apache 2.0 *
vopaas Apache License 2.0 *
vopaas_statistics Apache License 2.0 *
pymongo Apache License, Version 2.0
pyopenssl Apache License, Version 2.0
babel BSD
beaker BSD
flask BSD
flask_babel BSD
flask_mako BSD
jinja2 BSD
markupsafe BSD
pycparser BSD
werkzeug BSD
alabaster BSD License
click BSD License
pycryptodomex BSD License
cryptography BSD or Apache License, Version 2.0
repoze.who BSD-derived (http://www.repoze.org/LICENSE.txt)
idna BSD-like
python_dateutil Apache License, Version 2.0
chardet LGPL
alembic MIT
asn1crypto MIT
banal MIT
cffi MIT
dataset MIT
future MIT
gunicorn MIT
mako MIT
normality MIT
paste MIT
pip MIT
pystache MIT
pytz MIT
pyyaml MIT
six MIT
urllib3 MIT
webob MIT
wheel MIT
setuptools MIT License
sqlalchemy MIT License
certifi MPL-2.0
decorator new BSD License
defusedxml PSFL
bson Apache License, Version 2.0
cryptodome BSD or Apache License, Version 2.0
gridfs Apache License, Version 2.0
itsdangerous BSD License
jwkest Apache License, Version 2.0
openssl OpenSSL License
past MIT License
pkg_resources BSD or Apache License, Version 2.0
saml2 Apache License, Version 2.0
yaml MIT License
zope.interface ZPL 2.1
--
Niels van Dijk Technical Product Manager Trust & Security
Mob: +31 651347657 | Skype: cdr-80 | PGP Key ID: 0xDE7BB2F5
SURFnet BV | PO.Box 19035 | NL-3501 DA Utrecht | The Netherlands
www.surfnet.nl www.openconext.org