Questions on open source licenses
Per our discussion in yesterday's security working group meeting, here are a few questions we identified to ask the Linux Foundation regarding licensing restrictions. Please let me know by COB tomorrow (Friday, Nov 3rd) if there are additional questions to be included in this list. I will then send the combined list to Philip, who offered to get us the answers.
1) Are there general guidelines regarding license restrictions as we explore the use of open source packages in EdgeX for services such as key management, secure proxy, etc.?
2) More specifically, could we use packages with MPL 2.0 or MIT license in EdgeX? If yes, what restrictions, if any, do we impose on the resulting work?
3) As a concrete example, if we adopt the HashiCorp Vault package (MPL 2.0) for key management in EdgeX, it states that the sources for any changes to the code need to be disclosed. Are the following considered changes to the code, and hence do they trigger the said disclosure clause?
a. Adding new extensions (plug-ins) to Vault, using existing Vault extensibility APIs.
b. Keeping the Vault API and replacing the entire implementation of the API.
Riaz Zolfonoon | Distinguished Engineer | RSA | www.rsa.com | o: +1 781-515-7168 | c: +1 617-283-4822