Message-ID: <20140221190125.GL31047@thunk.org>
Date:	Fri, 21 Feb 2014 14:01:25 -0500
From:	Theodore Ts'o <tytso@....edu>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	Michal Simek <monstr@...str.eu>, Felipe Balbi <balbi@...com>,
	Subbaraya Sundeep Bhatta <subbaraya.sundeep.bhatta@...inx.com>,
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
	Subbaraya Sundeep Bhatta <sbhatta@...inx.com>,
	devicetree@...r.kernel.org, Wolfgang Denk <wd@...x.de>
Subject: Re: SPDX-License-Identifier

On Fri, Feb 21, 2014 at 09:57:20AM -0800, Greg Kroah-Hartman wrote:
> > But shouldn't we at least write somewhere
> > that it has connection to spdx.org where you can find out those licenses.
> 
> Why?  Are these licenses so unknown that no one knows what they are?
> And, as part of the kernel-as-a-whole-work, they all resolve to GPLv2
> anyway, and we have that license in the source tree, so nothing else
> should be needed.

Note that not all lawyers are in agreement about this, so if this is a
driver being developed by a company, you may want to ask your
corporate counsel if they have an opinion about this.  I've received
advice of the form that it's not obvious that regardless of whether or
not us *engineers* understand what all of the licensing terms mean,
what's important is whether someone who is accused of "borrowing"
GPL'ed code and dropping it in a driver for some other OS can convince
a judge whether or not it's considered "obvious" from a legal
perspective what an SPDX header means, and what is implied by an SPDX
license identifier.

Also note that with the advent of web sites that allow people to do
web searches and turn up a singleton file via some gitweb interface,
the fact that the full license text is distributed alongside the
tarball might or might not have as much legal significance as it once had.

But of course, I'm not a lawyer, and if your company is paying for
the development of the driver, the Golden Rule applies (he who has the
Gold, makes the Rules), and each of our respective corporate lawyers
may have different opinions about what might happen if the question
was ever to be adjudicated in court.

Cheers,

					- Ted