Date: Sun, 6 Jun 2021 13:17:34 -0500 (CDT)
From: Ariadne Conill
To: Liubov Grinkevich
cc: ~alpine/devel@lists.alpinelinux.org, Andrey Ivanov
Subject: Re: License on the secdb data
In-Reply-To: <8E704717-3507-42E5-91D5-CB4702DD1E2F@yandex-team.ru>
Message-ID: <91b66b4-935a-2257-9475-5d29dae66959@dereferenced.org>

Hello,

On Fri, 4 Jun 2021, Liubov Grinkevich wrote:

> Hello!
> Thank you for the https://secdb.alpinelinux.org/ service, it is very useful. In our company we are planning to build a security scanner for our customers, so we're interested in using data of this service.
> However, I'm wondering about using it in a commercial product because I'm not sure about the license terms for the data of this service.
> I would like to kindly ask for your confirmation that we can use the feed data in our commercial product. If there are any license or any other terms that we need to comply with, please do share them with us.

Kevin has brought this up to discuss amongst the security team. Right now, we don't have formal meetings, but rather choose to work issues through weekly sprints.

It is true that the secdb lacks licensing data, but our intention is for it to be released under Creative Commons licensing, so you should be able to use it in your product without issue. So in the interim, feel free to use it under those terms. We will attach licensing metadata in this week's sprint in any case.

> Could you please also tell us which service is preferable for taking information about fixed CVEs in packages, secdb or https://security.alpinelinux.org/ ?

Please use secdb for bulk querying. If you need the data enrichment that the secfixes-tracker service provides, you should set up your own if you plan to do bulk querying, as the infrastructure team has made it clear to us that they plan to ban anyone who does bulk querying to the secfixes-tracker service.

Ariadne