lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOFm3uHNvGOh_ErxpG9VeHwMzHGvdoN5Xx_JSN8y+QhB32ivmw@mail.gmail.com>
Date:   Thu, 8 Feb 2018 15:35:17 +0100
From:   Philippe Ombredanne <pombredanne@...b.com>
To:     Joe Perches <joe@...ches.com>
Cc:     Rob Herring <robh@...nel.org>,
        Igor Stoppa <igor.stoppa@...wei.com>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Andy Whitcroft <apw@...onical.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH v6] checkpatch.pl: Add SPDX license tag check

 even
On Fri, Feb 2, 2018 at 8:06 PM, Joe Perches <joe@...ches.com> wrote:
> On Fri, 2018-02-02 at 12:27 -0600, Rob Herring wrote:
>> On Fri, Feb 2, 2018 at 9:49 AM, Igor Stoppa <igor.stoppa@...wei.com> wrote:
>> > On 02/02/18 17:40, Rob Herring wrote:
>> > > Add SPDX license tag check based on the rules defined in
>> >
>> > Shouldn't it also check that the license is compatible?
>> >
>>
>> Perhaps we shouldn't try to script legal advice.
>
> True.
>
> I believe what was meant was that the
> entry was a valid SPDX License entry
> that already exists as a specific file
> in the LICENSES/ path.
>
> So that entry must be some combination of:
>
> $ git ls-files LICENSES/ | cut -f3- -d'/' | sort
> BSD-2-Clause
> BSD-3-Clause
> BSD-3-Clause-Clear
> GPL-1.0
> GPL-2.0
> LGPL-2.0
> LGPL-2.1
> Linux-syscall-note
> MIT
> MPL-1.1
>
> From my perspective, it'd be better if the
> various + uses had their own individual
> license files in the LICENSES/ path.
>
> Right now, there are many missing licenses
> that are already used by various existing
> SPDX-License-Identifier: entries.
>
>
> APACHE-2.0
> BSD
> CDDL
> CDDL-1.0
> ISC
> GPL-1.0+
> GPL-2.0+
> LGPL-2.1+
> OpenSSL
>
> There are odd entries like:
>
> GPL-2.0-only
>
> Parentheses around AND/OR aren't consistent.

Joe,
I have a comprehensive license expressions checker/parser [1] in
Python ;) if it is ever needed, but that's likely overkill for the
kernel. (this is not in Perl for one thing and second it is based on a
boolean expression parser and minimizer, hence overkill for the
limited kernel use case IMHO)

However checking that licenses ids are known and listed in the kernel
doc is essential IMHO to avoid drift and insulate the kernel from SPDX
updates. Case in point  the new SPDX "GPL-2.0-only" is NOT what was
documented by tglx and therefore should not be used and banned until
we update the doc accordingly. and until we update ALL the GPL-2.0 to
GPL-2.0-only eventually which is best done at once. Otherwise, this is
going to be a total mess on top of a complicated topic that requires
quite a bit of maintainer energy!


[1] https://github.com/nexB/license-expression/
-- 
Cordially
Philippe Ombredanne

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ