lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ECADFF3FD767C149AD96A924E7EA6EAF40AE4BB5@USCULXMSG01.am.sony.com>
Date:   Thu, 14 Dec 2017 17:32:34 +0000
From:   "Bird, Timothy" <Tim.Bird@...y.com>
To:     Philippe Ombredanne <pombredanne@...b.com>,
        Mauro Carvalho Chehab <mchehab@...pensource.com>
CC:     "Takiguchi, Yasunari" <Yasunari.Takiguchi@...y.com>,
        "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "devicetree@...r.kernel.org" <devicetree@...r.kernel.org>,
        "linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
        "tbird20d@...il.com" <tbird20d@...il.com>,
        "frowand.list@...il.com" <frowand.list@...il.com>,
        "Yamamoto, Masayuki" <Masayuki.Yamamoto@...y.com>,
        "Nozawa, Hideki (STWN)" <Hideki.Nozawa@...y.com>,
        "Yonezawa, Kota" <Kota.Yonezawa@...y.com>,
        "Matsumoto, Toshihiko" <Toshihiko.Matsumoto@...y.com>,
        "Watanabe, Satoshi (SSS)" <Satoshi.C.Watanabe@...y.com>
Subject: RE: [PATCH v4 00/12] [dt-bindings] [media] Add document file and
 driver for Sony CXD2880 DVB-T2/T tuner + demodulator



> -----Original Message-----
> From: Philippe on Thursday, December 14, 2017 6:25 AM
> Dear Mauro,
> 
> On Thu, Dec 14, 2017 at 11:55 AM, Mauro Carvalho Chehab
> <mchehab@...pensource.com> wrote:
> 
> > SPDX is a new requirement that started late on Kernel 4.14 development
> > cycle (and whose initial changes were merged directly at Linus tree).
> > Not all existing files have it yet, as identifying the right license
> > on existing files is a complex task, but if you do a:
> >
> >         $ git grep SPDX $(find . -name Makefile) $(find . -name Kconfig)
> >
> > You'll see that lot of such files have it already.
> 
> FWIW, short of having SPDX tags, identifying the right license on
> existing files is not a super complex task: if boils down to running
> many diffs.
> 
> Take the ~60K files in kernel, and about 6K license and notices
> reference texts. Then compute a pairwise diff of each of the 60K file
> against the 6K reference texts. Repeat the pairwise diff a few more
> times, say 10 times, as multiple licenses may appear in any given
> kernel file. And keep the diffs that have the fewest
> difference/highest similarity with the reference texts as the detected
> license. Done!

You can't do license detection and assignment in this automated fashion - 
at least not generally.

Even a single word of difference between the notice in the source
code and the reference license notice or text may have legal implications
that are not conveyed by the simplified SPDX tag.  When differences are
found, we're going to have to kick the discrepancies to a human for review.
This is especially true for files with multiple licenses.

For a work of original authorship, or a single copyright holder, the author
or copyright holder may be able to change the notice or text, or gloss
over any difference from the reference text, and make the SPDX  assignment
(or even change the license, if they want).  This would apply to something
new like this Sony driver.  However, for code that is already in the kernel
tree, with likely multiple contributors, the legal situation gets a little
more murky.

I suspect the vast majority of the ~60k files will probably fall neatly into an
SPDX category, but I'm guessing a fair number (maybe hundreds) will require
some review and discussion.

 -- Tim


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ