~alpine/devel

License on the secdb data

Liubov Grinkevich <luba239@yandex-team.ru>
Message ID
<8E704717-3507-42E5-91D5-CB4702DD1E2F@yandex-team.ru>
Hello!
Thank you for the https://secdb.alpinelinux.org/ service, it is very useful. In our company we are planning to build a security scanner for our customers, so we're interested in using the data of this service.
However, I'm wondering about using it in a commercial product because I'm not sure about the license terms for the data of this service. I would kindly like to ask for your confirmation that we can use the feed data in our commercial product. If there are any license or other terms that we need to comply with, please share them with us.
 
Could you please also tell us which service is preferable for taking information about fixed CVEs in packages, secdb or https://security.alpinelinux.org/ ?
 
Sincerely yours,
Grinkevich Liubov, Yandex.Cloud developer.
Message ID
<91b66b4-935a-2257-9475-5d29dae66959@dereferenced.org>
In-Reply-To
<8E704717-3507-42E5-91D5-CB4702DD1E2F@yandex-team.ru>
Hello,

On Fri, 4 Jun 2021, Liubov Grinkevich wrote:

> Hello!
> Thank you for the https://secdb.alpinelinux.org/ service, it is very useful. In our company we are planning to build a security scanner for our customers, so we're interested in using the data of this service.
> However, I'm wondering about using it in a commercial product because I'm not sure about the license terms for the data of this service. I would kindly like to ask for your confirmation that we can use the feed data in our commercial product. If there are any license or other terms that we need to comply with, please share them with us.

Kevin has brought this up to discuss amongst the security team.  Right 
now, we don't have formal meetings, but rather choose to work issues 
through weekly sprints.  It is true that the secdb lacks licensing data, 
but our intention is for it to be released under Creative Commons 
licensing, so you should be able to use it in your product without issue.

So in the interim, feel free to use it under those terms.  We will attach 
licensing metadata in this week's sprint in any case.

> Could you please also tell us which service is preferable for taking information about fixed CVEs in packages, secdb or https://security.alpinelinux.org/ ?

Please use secdb for bulk querying.  If you need the data enrichment that 
the secfixes-tracker service provides, you should set up your own if you 
plan to do bulk querying, as the infrastructure team has made it clear to 
us that they plan to ban anyone who does bulk querying to the 
secfixes-tracker service.

Ariadne
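The reply above points scanner builders at secdb for bulk use. As an added example that is not part of this thread and not Alpine's own tooling: a minimal offline consumer of a secdb-style JSON file that answers the question a scanner has to answer, "which CVEs listed for this package is the installed version still missing a fix for". It assumes the feed layout as I recall it (a packages list of pkg objects, each with a name and a secfixes map from fixed version to CVE ids, with the version "0" marking CVEs that do not affect the Alpine build) and implements a simplified apk version comparison covering dotted numbers, a trailing letter, _alpha/_beta/_pre/_rc/_p style suffixes and the -rN package release. The sample feed, package names and CVE ids are constructed placeholders, not real secdb content; the comparison is an assumption that covers the common cases, not apk-tools' exact algorithm.

```python
import json
import re

# Constructed sample in the layout of a secdb per-branch, per-repository JSON
# file (e.g. v3.14/main.json). Names, versions and CVE ids are placeholders.
SAMPLE_SECDB = json.loads("""
{
  "distroversion": "v3.14",
  "reponame": "main",
  "packages": [
    {"pkg": {"name": "examplelib",
             "secfixes": {"1.2.3-r1": ["CVE-2000-0001"],
                          "1.2.4_p1-r0": ["CVE-2000-0002", "CVE-2000-0003"],
                          "0": ["CVE-2000-0004"]}}},
    {"pkg": {"name": "othertool",
             "secfixes": {"2.0_rc1-r2": ["CVE-2000-0005"]}}}
  ]
}
""")

# Pre-release suffixes sort below the bare version, post-release ones above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1,
                "cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}

# number(.number)* [letter] (_suffix[N])* [-rN]   (simplified apk grammar, assumption)
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)"
    r"((?:_(?:alpha|beta|pre|rc|cvs|svn|git|hg|p)\d*)*)"
    r"(?:-r(\d+))?$")


def version_key(version):
    """Map an apk-style version string to a tuple that sorts in version order."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable apk version: {version!r}")
    nums, letter, suffixes, rel = m.groups()
    numeric = tuple(int(n) for n in nums.split("."))
    suffix_key = []
    for s in suffixes.split("_")[1:]:
        word = s.rstrip("0123456789")
        num = int(s[len(word):] or 0)
        suffix_key.append((_SUFFIX_RANK[word], num))
    # Sentinel so "1.0" ranks above "1.0_rc1" and below "1.0_p1".
    suffix_key.append((0, 0))
    return (numeric, letter, tuple(suffix_key), int(rel or 0))


def version_lt(a, b):
    """True if version a sorts before version b."""
    return version_key(a) < version_key(b)


def vulnerable_cves(secdb, pkg_name, installed_version):
    """CVE ids from the feed that the installed version of pkg_name is not fixed for."""
    inst = version_key(installed_version)
    found = set()
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        if pkg["name"] != pkg_name:
            continue
        for fixed_version, cves in pkg["secfixes"].items():
            # A fixed version of "0" means "not affected": every real version
            # sorts above it, so those CVEs are never reported.
            if inst < version_key(fixed_version):
                found.update(cves)
    return sorted(found)


if __name__ == "__main__":
    for pkg, ver in [("examplelib", "1.2.3-r0"), ("examplelib", "1.2.4-r0"),
                     ("othertool", "2.0-r0")]:
        print(pkg, ver, "->", vulnerable_cves(SAMPLE_SECDB, pkg, ver))
```

The "1.2.4-r0" case is the one worth checking by hand: the fix landed in "1.2.4_p1-r0", and a naive string or dotted-number comparison would wrongly report the plain 1.2.4 build as fixed. For a real scanner, fetch the feed for the branch the image was built from and compare against the version reported by the package database, not the upstream version string.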