Hello there,
I'm currently working on a security hardening spec[1] and blueprint[2] for openstack-ansible. The goal is to bring additional security to OpenStack hosts via openstack-ansible and also to help organizations down the path to various compliance programs (like PCI).
One of the firm PCI requirements[3] is PCI DSS Requirement 2.2 (page 30 in the PDF), which states that organizations must adhere to "industry-accepted" hardening standards. A few examples include the Center for Internet Security (CIS), ISO, SANS, and NIST. Most of these are geared towards deployments of Red Hat Enterprise Linux and Windows, not Ubuntu.
CIS seems to have the most comprehensive security hardening standards available for Ubuntu, and I'm able to port many of their recommendations for RHEL-based systems over to Ubuntu systems. However, their terms of use[4] appear to be fairly strict.
Rackspace (my employer) is a CIS member, but the OpenStack Foundation is not (as far as I know). I've reached out to CIS' member services group via our Rackspace account to find out if there's a possibility to license these hardening standards for open source use with OpenStack projects, but I'm not sure who they should get in contact with on the OpenStack side to discuss it.
Would anyone be able to advise me on how to proceed? Thanks a bunch!
[1] https://review.openstack.org/#/c/222619/
[2] https://blueprints.launchpad.net/openstack-ansible/+spec/security-hardening
[3] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
[4] https://benchmarks.cisecurity.org/downloads/form/index.cfm
--
Major Hayden
Hello there,
I just reviewed the Legal Issues FAQ[1], but I have some more specific questions around adding MIT licensed code to an OpenStack project that has traditionally been Apache licensed. I've already ensured that the file in question has the appropriate header and copyright details, but I'm unsure about how to handle the root LICENSE file within the repository.
The FAQ mentions:
> Probably the easiest thing to do when incorporating BSD or MIT licensed code is to copy the copyright/license header from the source file into the destination file, as well as copying the copyright notice, license and disclaimer into the toplevel LICENSE file with a brief explanation of which code is under that license.
Should I put a divider in the LICENSE file and paste in the MIT license details after that? This may be a silly question (please let me know if it is), but I wanted to make sure I was following the legal instructions very carefully.
Thank you!
[1] https://wiki.openstack.org/wiki/LegalIssuesFAQ
--
Major Hayden