Date:	Thu, 26 Feb 2015 08:39:15 -0500
From:	Theodore Ts'o <tytso@....edu>
To:	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>
Cc:	Pavel Machek <pavel@...x.de>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Stefan Roese <sr@...x.de>, monstr@...str.eu, balbi@...com,
	linux-kernel@...r.kernel.org, devicetree@...r.kernel.org,
	Wolfgang Denk <wd@...x.de>
Subject: Re: SPDX-License-Identifier

On Thu, Feb 26, 2015 at 10:26:50AM +0000, One Thousand Gnomes wrote:
> > So that GPL header at beginning of each file becomes one line... and so
> > that if it is BSD/GPL dual licensed is plain to see, and I don't have
> > to read the notices saying "oh this is gpl.. but if you want to,
> > delete gpl above and use license below".
> 
> That won't happen though. You'd require every single corporate legal
> department of every large company that touched the file to agree that the
> SPDX was equivalent to the content, and some of them probably won't.
> Lawyers don't seem to believe in #include <legalese.h>

I can confirm that some lawyers, including some that work for large
companies, are concerned that an SPDX-* header is equivalent to a
copyright statement and copyright permission statement.  More
precisely, there are no legal cases on point with respect to that
particular question, and how this situation might be interpreted in
different legal systems is going to be a matter of judgement.
Moreover, consider that people can easily fetch a single file out of a
git repository by referencing some URL such as:

https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/plain/contrib/e2croncheck

... so if the only place where the formal language appears is in some
top-level COPYING file, it might be quite easy for a potential
infringer to claim that they didn't know what "SPDX" and "GPL"
meant, and thus they couldn't be held responsible.

Some folks might be a bit more comfortable if at the very least there
is at least a Copyright claim, without the full license, or at
least something like "This file may only be copied under the terms of
the license found at <URL of License>", but honestly, is the effort
needed to change how we display the copyright permission statement
really worth the effort?

						- Ted