| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Dec 2017 17:32:34 +0000
From: "Bird, Timothy" <Tim.Bird@...y.com>
To: Philippe Ombredanne <pombredanne@...b.com>,
Mauro Carvalho Chehab <mchehab@...pensource.com>
CC: "Takiguchi, Yasunari" <Yasunari.Takiguchi@...y.com>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"devicetree@...r.kernel.org" <devicetree@...r.kernel.org>,
"linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
"tbird20d@...il.com" <tbird20d@...il.com>,
"frowand.list@...il.com" <frowand.list@...il.com>,
"Yamamoto, Masayuki" <Masayuki.Yamamoto@...y.com>,
"Nozawa, Hideki (STWN)" <Hideki.Nozawa@...y.com>,
"Yonezawa, Kota" <Kota.Yonezawa@...y.com>,
"Matsumoto, Toshihiko" <Toshihiko.Matsumoto@...y.com>,
"Watanabe, Satoshi (SSS)" <Satoshi.C.Watanabe@...y.com>
Subject: RE: [PATCH v4 00/12] [dt-bindings] [media] Add document file and
driver for Sony CXD2880 DVB-T2/T tuner + demodulator
> -----Original Message-----
> From: Philippe on Thursday, December 14, 2017 6:25 AM
> Dear Mauro,
>
> On Thu, Dec 14, 2017 at 11:55 AM, Mauro Carvalho Chehab
> <mchehab@...pensource.com> wrote:
>
> > SPDX is a new requirement that started late on Kernel 4.14 development
> > cycle (and whose initial changes were merged directly at Linus tree).
> > Not all existing files have it yet, as identifying the right license
> > on existing files is a complex task, but if you do a:
> >
> > $ git grep SPDX $(find . -name Makefile) $(find . -name Kconfig)
> >
> > You'll see that lot of such files have it already.
>
> FWIW, short of having SPDX tags, identifying the right license on
> existing files is not a super complex task: if boils down to running
> many diffs.
>
> Take the ~60K files in kernel, and about 6K license and notices
> reference texts. Then compute a pairwise diff of each of the 60K file
> against the 6K reference texts. Repeat the pairwise diff a few more
> times, say 10 times, as multiple licenses may appear in any given
> kernel file. And keep the diffs that have the fewest
> difference/highest similarity with the reference texts as the detected
> license. Done!
You can't do license detection and assignment in this automated fashion -
at least not generally.
Even a single word of difference between the notice in the source
code and the reference license notice or text may have legal implications
that are not conveyed by the simplified SPDX tag. When differences are
found, we're going to have to kick the discrepancies to a human for review.
This is especially true for files with multiple licenses.
For a work of original authorship, or a single copyright holder, the author
or copyright holder may be able to change the notice or text, or gloss
over any difference from the reference text, and make the SPDX assignment
(or even change the license, if they want). This would apply to something
new like this Sony driver. However, for code that is already in the kernel
tree, with likely multiple contributors, the legal situation gets a little
more murky.
I suspect the vast majority of the ~60k files will probably fall neatly into an
SPDX category, but I'm guessing a fair number (maybe hundreds) will require
some review and discussion.
-- Tim
Powered by blists - more mailing lists