Date:   Thu, 08 Feb 2018 09:24:13 -0800
From:   Joe Perches <joe@...ches.com>
To:     Philippe Ombredanne <pombredanne@...b.com>
Cc:     Rob Herring <robh@...nel.org>,
        Igor Stoppa <igor.stoppa@...wei.com>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Andy Whitcroft <apw@...onical.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH v6] checkpatch.pl: Add SPDX license tag check

On Thu, 2018-02-08 at 15:35 +0100, Philippe Ombredanne wrote:
> However checking that license ids are known and listed in the kernel
> doc is essential IMHO to avoid drift and insulate the kernel from SPDX
> updates. Case in point: the new SPDX "GPL-2.0-only" is NOT what was
> documented by tglx and therefore should not be used and banned until
> we update the doc accordingly, and until we update ALL the GPL-2.0 to
> GPL-2.0-only eventually, which is best done at once.

Agree and I've attached what I believe to be a
reasonable script for that conversion, only after
LICENSE directories are updated with the
appropriate license files and after
Documentation/process/license-rules.rst is modified.

> Otherwise, this is
> going to be a total mess on top of a complicated topic that requires
> quite a bit of maintainer energy!

There will always be some energy requirement and
no doubt some legal advice involvement too.

In another vein:

The existing license files in spdx.org seem
somewhat sloppily edited and perhaps have less
clarity and precision than desired.

For instance:

If the newer SPDX descriptor "GPL-2.0-only" is to
be used, why does this license URL:

https://spdx.org/licenses/GPL-2.0-only.html

still contain the phrase ", or (at your option) any later version".

The current diff between GPL-2.0-only and GPL-2.0-or-later:

$ wget -q https://spdx.org/licenses/GPL-2.0-only.html
$ wget -q https://spdx.org/licenses/GPL-2.0-or-later.html
$ diff -U0 GPL-2.0-only.html GPL-2.0-or-later.html 
--- GPL-2.0-only.html	2017-12-28 12:17:20.000000000 -0800
+++ GPL-2.0-or-later.html	2017-12-28 12:17:22.000000000 -0800
@@ -15 +15 @@
-    <title>GNU General Public License v2.0 only | Software Package Data Exchange (SPDX)</title>
+    <title>GNU General Public License v2.0 or later | Software Package Data Exchange (SPDX)</title>
@@ -141 +141 @@
-      <h1 property="dc:title">GNU General Public License v2.0 only</h1>
+      <h1 property="dc:title">GNU General Public License v2.0 or later</h1>
@@ -144 +144 @@
-          <p style="margin-left: 20px;"><code property="spdx:name">GNU General Public License v2.0 only</code></p>
+          <p style="margin-left: 20px;"><code property="spdx:name">GNU General Public License v2.0 or later</code></p>
@@ -147 +147 @@
-          <p style="margin-left: 20px;"><code property="spdx:licenseId">GPL-2.0-only</code></p>
+          <p style="margin-left: 20px;"><code property="spdx:licenseId">GPL-2.0-or-later</code></p>
@@ -160 +160 @@
-          <p style="margin-left: 20px;">This license was released: June 1991 This refers to when this GPL 2.0 only is being used (as opposed to GPLv2 or later).</p>
+          <p style="margin-left: 20px;">This license was released: June 1991</p>
@@ -679 +679,2 @@
-        as published by the Free Software Foundation; version 2.
+	as published by the Free Software Foundation; version 2
+	or any later version.
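Review bot: in the @@ -679 hunk the two added lines are indented with a tab where the removed line used eight spaces, so the hunk mixes a whitespace change into the wording change; running the comparison as `diff -w -U0` would leave only the text difference (", version 2." versus ", version 2 / or any later version.") to reason about.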


I am not a lawyer, this is not legal advice, etc... but:

The "1991 This" use in the -only file seems to be missing
a period.

In any case it is awkwardly phrased, as "or later" perhaps
should not be referenced at all.

The GPL 2.0 license as published by the Free Software
Foundation includes the option for using later versions.

Perhaps the SPDX -only licenses should be more specific
when they use the phrase "as published by the Free
Software Foundation; version <n>." to specifically
exclude the option of any later version.

Download attachment "update-licenses.sh" of type "application/x-shellscript" (1341 bytes)
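An added example in POSIX shell (my own sketch, not the attached update-licenses.sh and not checkpatch.pl) of the two pieces discussed in the thread: the GPL-2.0 to GPL-2.0-only conversion, written so that "+" tags and already-converted tags are not corrupted, and the check that every identifier in a tag is one the kernel doc lists, which is what would reject "GPL-2.0-only" until license-rules.rst is updated. ALLOWED_IDS is an assumed list standing in for what would be extracted from the doc.

```shell
#!/bin/sh
# Added example: not the attached update-licenses.sh and not checkpatch.pl.
# ALLOWED_IDS is an assumed allow-list standing in for the identifiers that
# Documentation/process/license-rules.rst documents at the time of the thread.
ALLOWED_IDS="GPL-2.0 GPL-2.0+ BSD-3-Clause MIT"

# Rewrite the identifiers on SPDX tag lines read from stdin:
#   GPL-2.0+ -> GPL-2.0-or-later, bare GPL-2.0 -> GPL-2.0-only.
# The bracket classes act as word boundaries, so GPL-2.0-only and
# GPL-2.0-or-later are never re-matched (no "GPL-2.0-only-only"), and
# expressions such as "GPL-2.0 OR MIT" keep their other operands intact.
# Lines without an SPDX tag pass through unchanged.
convert_spdx() {
    sed -E \
        -e '/SPDX-License-Identifier:/ s/(^|[^A-Za-z0-9.+-])GPL-2\.0[+]/\1GPL-2.0-or-later/g' \
        -e '/SPDX-License-Identifier:/ s/(^|[^A-Za-z0-9.+-])GPL-2\.0([^A-Za-z0-9.+-]|$)/\1GPL-2.0-only\2/g'
}

# Check one tag line against the documented list, the way the thread asks
# checkpatch to: every identifier in the expression must be known. Prints
# each undocumented id and returns 1 if any were found, 0 otherwise.
check_spdx() {
    ids=$(printf '%s\n' "$1" \
        | sed -E -e 's#.*SPDX-License-Identifier:[[:space:]]*##' \
                 -e 's#[[:space:]]*\*/[[:space:]]*$##' \
                 -e 's/[()]/ /g' \
        | tr ' ' '\n' \
        | grep -v -E '^(AND|OR|WITH)?$' || true)
    rc=0
    for id in $ids; do
        case " $ALLOWED_IDS " in
            *" $id "*) ;;
            *) printf 'undocumented SPDX id: %s\n' "$id"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage with constructed input: a tag to convert, and the not-yet-documented id.
printf '%s\n' '// SPDX-License-Identifier: GPL-2.0+ OR MIT' | convert_spdx
check_spdx '// SPDX-License-Identifier: GPL-2.0-only' || echo "rejected: doc not yet updated"
```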
