Date:   Mon, 16 Oct 2017 15:46:32 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     David Woodhouse <dwmw2@...radead.org>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] Documentation: Add a file explaining the requested
 Linux kernel license enforcement policy

On Mon, Oct 16, 2017 at 02:11:01PM +0100, David Woodhouse wrote:
> On Mon, 2017-10-16 at 11:25 +0200, Greg KH wrote:
> > Documentation: Add a file explaining the requested Linux kernel
> > license enforcement policy
> > 
> > Here's a pull request to add a new file to the kernel's Documentation directory.
> > It adds a short document describing the views of how the Linux kernel community
> > feels about enforcing the license of the kernel.
> > 
> > The patch has been reviewed by a large number of kernel developers already, as
> > seen by their acks on the patch, and their agreement of the statement with
> > their names on it.  The location of the file was also agreed upon by the
> > Documentation maintainer, so all should be good there.
> > 
> > For some background information about this statement, see this article
> > written by some of the kernel developers involved in drafting it:
> > 	http://kroah.com/log/blog/2017/10/16/linux-kernel-community-enforcement-statement/
> > and this article that answers a number of questions that came up in the
> > discussion of this statement with the kernel developer community:
> > 	http://kroah.com/log/blog/2017/10/16/linux-kernel-community-enforcement-statement-faq/
> > 
> > If anyone has any further questions about it, please let me, and the TAB
> > members, know and we will be glad to help answer them.
> 
> It's a shame you don't explicitly mention the FSF's / Conservancy's
> Principles of Community-Oriented GPL Enforcement:
> https://www.fsf.org/licensing/enforcement-principles

What?  I thought I did in my blog post!  Ugh, you are right, it's not
there, my fault, it was in an earlier draft, I swear, sorry about that,
must have gotten lost when I turned it from text into a
markdown-formatted document.  I'll go add it and push out the updated
post in a bit.

> I think this approach is a good thing in general,

Great!

> and I know
> Conservancy have been talking about it for a while, including
> conversations with the TAB on early drafts of this — but I'm a little
> concerned that what we've ended up with is a bit one-sided. We're
> giving something away, for nothing in return.

I don't feel that is true at all, what we are doing here is providing a
well-documented way toward compliance and the reinstatement of our
license.  That's a key issue with regards to the existing trolls we are
currently facing today, which we have to address in order to preserve
our community.

> In the long period of negotiation with violators, what typically
> happens is they keep providing "candidate" source releases which are
> ever closer to being compliant, but rarely *actually* compliant.
> 
> With a binding promise to forgive them for past violations as soon as
> they're fixed, we basically lose one of the few levers we had to
> encourage them to come *completely* into compliance. Now I fear some of
> them will only ever come close enough that they know we won't actually
> take the last resort of legal action, purely for what *remains* to be
> fixed.
> 
> This would have been better if it specified that it applied to
> *unintentional* violations, and also gave a time limit — automatic
> reinstatement *only* happens if complete compliance is achieved within
> 90 days, for example. That would help genuine developers who are only
> *accidentally* committing a criminal offence through not paying enough
> attention, while not giving succour to those who intentionally do so.

Defining "unintentional" and "accidentally", might be a bit difficult,
given that GPLv3 didn't even attempt to do something like that.  And I'm
pretty sure I remember it coming up during the drafting of that, don't
you?

We aren't in the business of showing "intent" here, we want to be able
to offer a way for someone who is not in compliance, to be able to join
our community successfully after they come back into compliance.  That's
it, we aren't trying to complicate anything, but rather, make things
simpler and easier to understand for everyone in order to stop the
issue we are currently facing.

thanks,

greg k-h
