Date:   Fri, 29 Dec 2017 23:17:54 +0100
From:   Philippe Ombredanne <pombredanne@...b.com>
To:     "Theodore Ts'o" <tytso@....edu>, Joe Perches <joe@...ches.com>,
        Philippe Ombredanne <pombredanne@...b.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...uxfoundation.org>,
        Andrew Morton <akpm@...uxfoundation.org>,
        Jonathan Corbet <corbet@....net>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Christoph Hellwig <hch@....de>,
        Russell King <rmk+kernel@...linux.org.uk>,
        Rob Herring <rob.herring@...aro.org>,
        Jonas Oberg <jonas@...e.org>, xfs <linux-xfs@...r.kernel.org>,
        Charlemagne Lasse <charlemagnelasse@...il.com>,
        Carmen Bianca Bakker <carmenbianca@...e.org>,
        "Darrick J. Wong" <darrick.wong@...cle.com>,
        Heiko Carstens <heiko.carstens@...ibm.com>
Subject: Re: [patch V5 01/11] Documentation: Add license-rules.rst to describe
 how to properly identify file licenses

On Fri, Dec 29, 2017 at 7:54 PM, Theodore Ts'o <tytso@....edu> wrote:
> On Fri, Dec 29, 2017 at 08:19:59AM -0800, Joe Perches wrote:
>>
>> Has it been legally reviewed and accepted that removal
>> of the BSD license text from individual source files is
>> appropriate and meets the legal requirements of
>> following the BSD license on a per-file basis?
>>
>> And if so, who did this review?
>>
>> Is there any license that does not allow removal of the
>> license text and does not allow simple substitution of
>> the SPDX license identifier in each individual file?
>
> The work to use SPDX lines instead of individual licenses was done by
> Greg K-H in close consultation with Linux Foundation counsels, so I
> would assume that they did look at that particular issue.

This is correct. And this is in addition to the discussion in the SPDX
group at the LF (that includes several FOSS-savvy and prominent FOSS
lawyers) that did design the SPDX spec.

> IANAL, but I've talked to lawyers about this issue, and in my
> experience if you talk to three lawyers you will easily get six
> opinions.

And that's on a good day: you may get more than six on a bad one. But
on the other hand, they tend also to defer to standards, and
established community norms.

> As far as I know, none of the licenses explicitly say
> copyright license must be on each file.  Just that the distribution of
> source must include the copyright and license statement.  Exactly how
> that is done is not explicitly specified.

This is also my take. What is done here is not much different than
refactoring duplicated code so it lives in a single place:

- by "value" at the root in COPYING and in the Documentation.
- by "reference" in the code proper as SPDX ids.

Therefore the essential and common requirement to include the license
text is fulfilled in the kernel.

Note that there are a few offenders that will need to clean up their
acts as they came up with both long and "un-removable and
un-alterable" crazy legalese blurbs [1] prefixed with this:

"DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER"

These will have to be taken care of on a case-by-case basis. These are
pretty stupid and IMHO should have never been allowed to be added to
the kernel in the first place and are ugly warts. It could very well
be that these are not really GPL-compliant notices FWIW: keeping
notices and copyrights is quite different from a restriction of
altering things by moving them around which is exactly what is
happening with the SPDX-ification here.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/staging/lustre/include/linux/libcfs/libcfs.h?h=v4.15-rc5#n5

-- 
Cordially
Philippe Ombredanne
