Add BSI-TR-03185-2 reference IDs to OSPS-LE.yaml#465
Add BSI-TR-03185-2 reference IDs to OSPS-LE.yaml#465SecurityCRob wants to merge 2 commits intomainfrom
Conversation
legal things for bsi mappings Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
SecurityCRob
requested review from
eddie-knight,
evankanderson,
funnelfiasco and
puerco
| entries: | ||
| - reference-id: LE.01 | ||
| assessment-requirements: | ||
| - id: OSPS-LE-02.01 |
There was a problem hiding this comment.
OSPS-LE-03.02 seems more aligned in this case. @eddie-knight
" OSPS-LE-03.02: While active, the license for the released software assets MUST be included in the released source code, or in a LICENSE file, COPYING file, or LICENSE/ directory alongside the corresponding release assets. "
There was a problem hiding this comment.
LE.01 is part of the original BSI mappings and I would encourage us not to adjust without their input. We certainly can add LE-03 as part of our assessment for the mapping as well.
There was a problem hiding this comment.
Bit confused; same comment as the other PR: #464 (comment)
There was a problem hiding this comment.
Correct, the same comment was made for both prs. I took whatever the BSI wrote for mappings and added items I felt were missing. I do not desire to remove what they wrote as the basis. If the team feels strongly about it they could reach out to the BSI and attempt to persuade them to adjust the source material that then later can be reflected in OSPS.
There was a problem hiding this comment.
Why are we trying to replicate their mappings as our own, instead of creating our own outgoing mappings with our own claims regarding how well our entries address theirs?
My comment on both PRs is that we should treat these mappings as our own statements.
There was a problem hiding this comment.
The BSI mapping looks correct.
OSPS-LE-02 says that the licenses must (be stated and) meet the OSI/FSF definitions.
OSPS-LE-03 says that the licenses must be distributed in standard locations (matching LE.02's requirement for a copy of the license to be distributed).
As an example, a repo which has MIT header on every file but doesn't include a copy of the MIT license would technically pass OSPS-LE-02/BSI LE.01 (though it might trip up automation), but would fail OSPS-LE-03 / BSI LE.02.
| entries: | ||
| - reference-id: LE.01 | ||
| assessment-requirements: | ||
| - id: OSPS-LE-02.01 |
There was a problem hiding this comment.
The BSI mapping looks correct.
OSPS-LE-02 says that the licenses must (be stated and) meet the OSI/FSF definitions.
OSPS-LE-03 says that the licenses must be distributed in standard locations (matching LE.02's requirement for a copy of the license to be distributed).
As an example, a repo which has MIT header on every file but doesn't include a copy of the MIT license would technically pass OSPS-LE-02/BSI LE.01 (though it might trip up automation), but would fail OSPS-LE-03 / BSI LE.02.
4 participants
legal things for bsi mappings