Date:   Sun, 12 Nov 2017 14:04:15 +0100
From:   Carmen Bianca Bakker <carmenbianca@...e.org>
To:     Charlemagne Lasse <charlemagnelasse@...il.com>,
        Jonas Oberg <jonas@...e.org>
Cc:     linux-kernel@...r.kernel.org,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Masahiro Yamada <yamada.masahiro@...ionext.com>
Subject: Re: Adding LICENSES folder for REUSE

Hello Charlemagne,

Charlemagne Lasse schreef op za 11-11-2017 om 23:29 [+0100]:
> 1. SPDX license identifier first
> 2. Full BSD/MIT/ISC license in source files is sufficient and doesn't
>    require License-Filename
> 3. verbatim licenses which are not in source files (GPL, LGPL, MPL, ...)
>    should be in LICENSES/
> 4. License-Filename tag can be added later and multiple are allowed per
>    file

Yes, that is all quite correct :)  The REUSE recommendations are
threefold, roughly:

1. Include verbatim licence text in repository.

2. Add licence information about each file.

3. (Optional-ish) Create an SPDX bill of materials that can be
   auto-generated.

We also have some recommendations about _how_ you might go about doing
this, e.g., putting the licences in a LICENSES folder or putting certain
headers in code files, but the exact implementation is eventually up to
the project itself.

`SPDX-License-Identifier` and `License-Filename` do roughly the same
thing, apart from the difference which Jonas mentioned.  I know that
some kernel code files already use the SPDX-License-Identifier tag, and
it seems to me that just satisfying that tag would be sufficient to
start with.

> If this understanding is correct then I would still propose that the
> LICENSES folder is prepared with the previously identified long licenses
> (which are currently not stored completely in the source files):

If the kernel project did only this and stopped there, that would take
you half the way there already.  Just having (and distributing) the
licence texts verbatim is reasonably important as far as legal
responsibilities go.

Yours sincerely,

-- 
Carmen Bianca Bakker
Technical Intern
Free Software Foundation Europe e.V.