Date:   Thu, 8 Feb 2018 15:35:17 +0100
From:   Philippe Ombredanne <pombredanne@...b.com>
To:     Joe Perches <joe@...ches.com>
Cc:     Rob Herring <robh@...nel.org>,
        Igor Stoppa <igor.stoppa@...wei.com>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Andy Whitcroft <apw@...onical.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH v6] checkpatch.pl: Add SPDX license tag check

On Fri, Feb 2, 2018 at 8:06 PM, Joe Perches <joe@...ches.com> wrote:
> On Fri, 2018-02-02 at 12:27 -0600, Rob Herring wrote:
>> On Fri, Feb 2, 2018 at 9:49 AM, Igor Stoppa <igor.stoppa@...wei.com> wrote:
>> > On 02/02/18 17:40, Rob Herring wrote:
>> > > Add SPDX license tag check based on the rules defined in
>> >
>> > Shouldn't it also check that the license is compatible?
>> >
>>
>> Perhaps we shouldn't try to script legal advice.
>
> True.
>
> I believe what was meant was that the
> entry was a valid SPDX License entry
> that already exists as a specific file
> in the LICENSES/ path.
>
> So that entry must be some combination of:
>
> $ git ls-files LICENSES/ | cut -f3- -d'/' | sort
> BSD-2-Clause
> BSD-3-Clause
> BSD-3-Clause-Clear
> GPL-1.0
> GPL-2.0
> LGPL-2.0
> LGPL-2.1
> Linux-syscall-note
> MIT
> MPL-1.1
>
> From my perspective, it'd be better if the
> various + uses had their own individual
> license files in the LICENSES/ path.
>
> Right now, there are many missing licenses
> that are already used by various existing
> SPDX-License-Identifier: entries.
>
>
> APACHE-2.0
> BSD
> CDDL
> CDDL-1.0
> ISC
> GPL-1.0+
> GPL-2.0+
> LGPL-2.1+
> OpenSSL
>
> There are odd entries like:
>
> GPL-2.0-only
>
> Parentheses around AND/OR aren't consistent.

Joe,
I have a comprehensive license expressions checker/parser [1] in
Python ;) if it is ever needed, but that's likely overkill for the
kernel. (this is not in Perl for one thing and second it is based on a
boolean expression parser and minimizer, hence overkill for the
limited kernel use case IMHO)

However, checking that license ids are known and listed in the kernel
doc is essential IMHO to avoid drift and insulate the kernel from SPDX
updates. Case in point: the new SPDX "GPL-2.0-only" is NOT what was
documented by tglx and therefore should not be used and banned until
we update the doc accordingly, and until we update ALL the GPL-2.0 to
GPL-2.0-only eventually, which is best done at once. Otherwise, this is
going to be a total mess on top of a complicated topic that requires
quite a bit of maintainer energy!


[1] https://github.com/nexB/license-expression/
-- 
Cordially
Philippe Ombredanne
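
The known-id check discussed in this thread, sketched as an added example; it is not part of the original message and is not checkpatch.pl or license-expression code. It accepts only ids from the LICENSES/ listing quoted above; the function name, the `plus_needs_own_file` switch and the treatment of Linux-syscall-note as an exception valid only after WITH are assumptions.

```python
import re

# License ids with a file under LICENSES/, from the listing quoted in the thread.
KNOWN_LICENSES = {
    "BSD-2-Clause", "BSD-3-Clause", "BSD-3-Clause-Clear", "GPL-1.0", "GPL-2.0",
    "LGPL-2.0", "LGPL-2.1", "MIT", "MPL-1.1",
}
# Assumption: Linux-syscall-note is an exception, accepted only after WITH.
KNOWN_EXCEPTIONS = {"Linux-syscall-note"}
TAG_RE = re.compile(r"SPDX-License-Identifier:\s*(.*)")
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def check_spdx_line(line, plus_needs_own_file=False):
    """Return a list of problems found in one source line (empty if clean)."""
    m = TAG_RE.search(line)
    if not m:
        return ["no SPDX-License-Identifier tag"]
    # Drop a trailing C comment terminator before tokenizing.
    expr = m.group(1).replace("*/", "").strip()
    if not expr:
        return ["empty license expression"]
    problems, depth, prev = [], 0, None
    for tok in TOKEN_RE.findall(expr):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                problems.append("unbalanced ')'")
                depth = 0
        elif tok in ("AND", "OR", "WITH"):
            pass
        elif prev == "WITH":
            if tok not in KNOWN_EXCEPTIONS:
                problems.append(f"unknown exception: {tok}")
        else:
            # Default: "GPL-2.0+" passes when "GPL-2.0" is known. With
            # plus_needs_own_file=True the "+" form needs its own entry.
            plus = tok.endswith("+") and not plus_needs_own_file
            base = tok[:-1] if plus else tok
            if base not in KNOWN_LICENSES:
                problems.append(f"unknown license id: {tok}")
        prev = tok
    if depth > 0:
        problems.append("unbalanced '('")
    return problems
```

Because the allowed set is pinned to the tree's own listing rather than to the upstream SPDX list, an id such as GPL-2.0-only is reported until the set is updated deliberately.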
