lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171108063733.GA3098@kroah.com>
Date:   Wed, 8 Nov 2017 07:37:33 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     "Luis R. Rodriguez" <mcgrof@...nel.org>
Cc:     Christoph Hellwig <hch@...radead.org>,
        Theodore Ts'o <tytso@....edu>,
        Alan Cox <gnomes@...rguk.ukuu.org.uk>,
        "Darrick J. Wong" <darrick.wong@...cle.com>,
        Eric Sandeen <sandeen@...hat.com>,
        xfs <linux-xfs@...r.kernel.org>,
        Richard Fontana <fontana@...rpeleven.org>,
        linux-kernel@...r.kernel.org
Subject: Re: WTF? Re: [PATCH] License cleanup: add SPDX GPL-2.0 license
 identifier to files with no license

On Tue, Nov 07, 2017 at 10:42:59PM +0100, Luis R. Rodriguez wrote:
> On Tue, Nov 07, 2017 at 09:26:48PM +0100, Greg Kroah-Hartman wrote:
> > On Tue, Nov 07, 2017 at 11:28:46AM -0800, Christoph Hellwig wrote:
> > > On Tue, Nov 07, 2017 at 02:15:26PM -0500, Theodore Ts'o wrote:
> > > > On Tue, Nov 07, 2017 at 06:46:58PM +0000, Alan Cox wrote:
> > > > > > Given that it had no license text on it at all, it "defaults" to GPLv2,
> > > > > > so the GPLv2 SPDX identifier was added to it.
> > > > > > 
> > > > > > No copyright was changed, nothing at all happened except we explicitly
> > > > > > list the license of the file, instead of it being "implicit" before.
> > > > > 
> > > > > Well if Christoph owns the copyright (if there is one) and he has stated
> > > > > he believes it is too trivial to copyright then it needs an SPDX tag that
> > > > > indicates the rightsholder has stated it's too trivial to copyright and
> > > > > (by estoppel) revoked any right they might have to pursue a claim.
> > > > 
> > > > If Cristoph has revoked any right to pursue a claim, then he's also
> > > > legally given up the right to complain if, say, Bradley Kuhn starting
> > > > distributing a version with a GPLv3 permission statement --- or if Greg
> > > > K-H adds a GPLv2 SPDX identifier.  :-)
> > > 
> > > 
> > > First Christoph really appreciateѕ spelling his name right.
> > > 
> > > Second Christoph really appreciates talking to him when trying to slap
> > > on licensing bits on his code.  I'm not evil, but I'd really like to
> > > understand what you are doing and why, and I might be fairly agreeable
> > > if that makes sense.
> > 
> > I already described it in the pull request, and in this patch itself,
> 
> The upstream commit b24413180f5600 ("License cleanup: add SPDX GPL-2.0 license
> identifier to files with no license") mentions:
> 
>     Many source files in the tree are missing licensing information, which
>     makes it harder for compliance tools to determine the correct license.
> 
> We typically have not cared bout this, what has changed for us to want
> to actually go ahead and do all this work?

Many of us have cared about it for years, and nothing "changed" except
the fact that Kate and Thomas and Philippe spent about 10 months doing
the real work.  This patch was the result of that work.

> It further states:
> 
>     By default all files without license information are under the default
>     license of the kernel, which is GPL version 2.
>     
>     Update the files which contain no license information with the 'GPL-2.0'
>     SPDX license identifier.  The SPDX identifier is a legally binding
>     shorthand, which can be used instead of the full boiler plate text.
> 
> It says a bit about legally binding stuff, that's strong language, however its
> unclear to me about what it could mean for dual licensed stuff where the goal
> is for the GPL to apply say on Linux but another license outside of Linux.

That is not the case with these files, so I don't understand your issue.

> So what type of legally binding definition was being concocted here, how did such
> consensus get reached and why did we turn around and decide to embrace it all
> of a sudden whereas we had not done so before?

The implicit license of files in the kernel that did not have an
explicit license in them is GPLv2, all this patch does is explicitly
mark them with that license.  It has nothing to do with dual licenses at
all.

However, follow on patches for some subsystems are adding the correct
dual license SPDX identifiers for files that are dual licensed.  See the
patches in the USB git tree for examples of that in places, if you are
curious about how that works with SPDX.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ