lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <f9a4cd2b1c1cd7938a4e0b8aa9489a0ad96669ca.1534443693.git.joe@perches.com>
Date:   Thu, 16 Aug 2018 11:26:03 -0700
From:   Joe Perches <joe@...ches.com>
To:     Linus Torvalds <torvalds@...uxfoundation.org>,
        linux-kernel@...r.kernel.org
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Christoph Hellwig <hch@....de>,
        Russell King <rmk+kernel@...linux.org.uk>,
        Rob Herring <rob.herring@...aro.org>,
        Jonas Oberg <jonas@...e.org>,
        Andrew Morton <akpm@...uxfoundation.org>,
        Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org
Subject: [PATCH] license-rules.rst and LICENSES: Use only spdx version 3 with -only and -or-later

The current linux-kernel source git tree has a mixture of the deprecated
spdx version 2 and the newer version 3 uses.

Update the process/license-rules.rst file to show only the version 3 style
and use only the version 3 styles in LICENSES.

Add a script to update all old versions in the tree as well.

I suggest this be applied and the script be run and applied immediately
after an -rc1.  The script could also be used at any time after the initial
use to update any other deprecated spdx license uses.

Signed-off-by: Joe Perches <joe@...ches.com>
---
 Documentation/process/license-rules.rst | 60 ++++++++++++++++-----------------
 LICENSES/preferred/GPL-2.0              |  6 ----
 LICENSES/preferred/LGPL-2.0             |  8 ++---
 LICENSES/preferred/LGPL-2.1             |  8 ++---
 scripts/update_spdx_v2_licenses.sh      | 15 +++++++++
 5 files changed, 53 insertions(+), 44 deletions(-)
 create mode 100755 scripts/update_spdx_v2_licenses.sh

diff --git a/Documentation/process/license-rules.rst b/Documentation/process/license-rules.rst
index 8ea26325fe3f..2b294611b6c1 100644
--- a/Documentation/process/license-rules.rst
+++ b/Documentation/process/license-rules.rst
@@ -16,12 +16,12 @@ The license described in the COPYING file applies to the kernel source
 as a whole, though individual source files can have a different license
 which is required to be compatible with the GPL-2.0::
 
-    GPL-1.0+  :  GNU General Public License v1.0 or later
-    GPL-2.0+  :  GNU General Public License v2.0 or later
-    LGPL-2.0  :  GNU Library General Public License v2 only
-    LGPL-2.0+ :  GNU Library General Public License v2 or later
-    LGPL-2.1  :  GNU Lesser General Public License v2.1 only
-    LGPL-2.1+ :  GNU Lesser General Public License v2.1 or later
+    GPL-1.0-or-later  :  GNU General Public License v1.0 or later
+    GPL-2.0-or-later  :  GNU General Public License v2.0 or later
+    LGPL-2.0-only     :  GNU Library General Public License v2 only
+    LGPL-2.0-or-later :  GNU Library General Public License v2 or later
+    LGPL-2.1-only     :  GNU Lesser General Public License v2.1 only
+    LGPL-2.1-or-later :  GNU Lesser General Public License v2.1 or later
 
 Aside from that, individual files can be provided under a dual license,
 e.g. one of the compatible GPL variants and alternatively under a
@@ -98,21 +98,21 @@ License identifier syntax
    "(", ")" .
 
    License identifiers for licenses like [L]GPL with the 'or later' option
-   are constructed by using a "+" for indicating the 'or later' option.::
+   are constructed by using the '-or-later' option.::
 
-      // SPDX-License-Identifier: GPL-2.0+
-      // SPDX-License-Identifier: LGPL-2.1+
+      // SPDX-License-Identifier: GPL-2.0-or-later
+      // SPDX-License-Identifier: LGPL-2.1-or-later
 
    WITH should be used when there is a modifier to a license needed.
    For example, the linux kernel UAPI files use the expression::
 
-      // SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note
-      // SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note
+      // SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note
+      // SPDX-License-Identifier: GPL-2.0-or-later WITH Linux-syscall-note
 
    Other examples using WITH exceptions found in the kernel are::
 
-      // SPDX-License-Identifier: GPL-2.0 WITH mif-exception
-      // SPDX-License-Identifier: GPL-2.0+ WITH GCC-exception-2.0
+      // SPDX-License-Identifier: GPL-2.0-only WITH mif-exception
+      // SPDX-License-Identifier: GPL-2.0-or-later WITH GCC-exception-2.0
 
    Exceptions can only be used with particular License identifiers. The
    valid License identifiers are listed in the tags of the exception text
@@ -123,28 +123,28 @@ License identifier syntax
    to be selected.  For example, some dtsi files are available under dual
    licenses::
 
-      // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+      // SPDX-License-Identifier: GPL-2.0-only OR BSD-3-Clause
 
    Examples from the kernel for license expressions in dual licensed files::
 
-      // SPDX-License-Identifier: GPL-2.0 OR MIT
-      // SPDX-License-Identifier: GPL-2.0 OR BSD-2-Clause
-      // SPDX-License-Identifier: GPL-2.0 OR Apache-2.0
-      // SPDX-License-Identifier: GPL-2.0 OR MPL-1.1
-      // SPDX-License-Identifier: (GPL-2.0 WITH Linux-syscall-note) OR MIT
-      // SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause OR OpenSSL
+      // SPDX-License-Identifier: GPL-2.0-only OR MIT
+      // SPDX-License-Identifier: GPL-2.0-only OR BSD-2-Clause
+      // SPDX-License-Identifier: GPL-2.0-only OR Apache-2.0
+      // SPDX-License-Identifier: GPL-2.0-only OR MPL-1.1
+      // SPDX-License-Identifier: (GPL-2.0-only WITH Linux-syscall-note) OR MIT
+      // SPDX-License-Identifier: GPL-1.0-or-later OR BSD-3-Clause OR OpenSSL
 
    AND should be used if the file has multiple licenses whose terms all
    apply to use the file. For example, if code is inherited from another
    project and permission has been given to put it in the kernel, but the
    original license terms need to remain in effect::
 
-      // SPDX-License-Identifier: (GPL-2.0 WITH Linux-syscall-note) AND MIT
+      // SPDX-License-Identifier: (GPL-2.0-only WITH Linux-syscall-note) AND MIT
 
    Another other example where both sets of license terms need to be
    adhered to is::
 
-      // SPDX-License-Identifier: GPL-1.0+ AND LGPL-2.1+
+      // SPDX-License-Identifier: GPL-1.0-or-later AND LGPL-2.1-or-later
 
 License identifiers
 -------------------
@@ -168,7 +168,7 @@ kernel, can be broken down into:
 
    Examples::
 
-      LICENSES/preferred/GPL-2.0
+      LICENSES/preferred/GPL-2.0-only
 
    Contains the GPL version 2 license text and the required metatags::
 
@@ -204,17 +204,17 @@ kernel, can be broken down into:
 
    File format examples::
 
-      Valid-License-Identifier: GPL-2.0
-      Valid-License-Identifier: GPL-2.0+
-      SPDX-URL: https://spdx.org/licenses/GPL-2.0.html
+      Valid-License-Identifier: GPL-2.0-only
+      Valid-License-Identifier: GPL-2.0-or-later
+      SPDX-URL: https://spdx.org/licenses/GPL-2.0-only.html
       Usage-Guide:
         To use this license in source code, put one of the following SPDX
 	tag/value pairs into a comment according to the placement
 	guidelines in the licensing rules documentation.
 	For 'GNU General Public License (GPL) version 2 only' use:
-	  SPDX-License-Identifier: GPL-2.0
+	  SPDX-License-Identifier: GPL-2.0-only
 	For 'GNU General Public License (GPL) version 2 or any later version' use:
-	  SPDX-License-Identifier: GPL-2.0+
+	  SPDX-License-Identifier: GPL-2.0-or-later
       License-Text:
         Full license text
 
@@ -338,7 +338,7 @@ kernel, can be broken down into:
 
       SPDX-Exception-Identifier: Linux-syscall-note
       SPDX-URL: https://spdx.org/licenses/Linux-syscall-note.html
-      SPDX-Licenses: GPL-2.0, GPL-2.0+, GPL-1.0+, LGPL-2.0, LGPL-2.0+, LGPL-2.1, LGPL-2.1+
+      SPDX-Licenses: GPL-2.0-only, GPL-2.0-or-later, GPL-1.0-or-later, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1-only, LGPL-2.1-or-later
       Usage-Guidance:
         This exception is used together with one of the above SPDX-Licenses
 	to mark user-space API (uapi) header files so they can be included
@@ -353,7 +353,7 @@ kernel, can be broken down into:
 
       SPDX-Exception-Identifier: GCC-exception-2.0
       SPDX-URL: https://spdx.org/licenses/GCC-exception-2.0.html
-      SPDX-Licenses: GPL-2.0, GPL-2.0+
+      SPDX-Licenses: GPL-2.0-only, GPL-2.0-or-later
       Usage-Guidance:
         The "GCC Runtime Library exception 2.0" is used together with one
 	of the above SPDX-Licenses for code imported from the GCC runtime
diff --git a/LICENSES/preferred/GPL-2.0 b/LICENSES/preferred/GPL-2.0
index ff0812fd89cc..cabbb1779d45 100644
--- a/LICENSES/preferred/GPL-2.0
+++ b/LICENSES/preferred/GPL-2.0
@@ -1,6 +1,4 @@
-Valid-License-Identifier: GPL-2.0
 Valid-License-Identifier: GPL-2.0-only
-Valid-License-Identifier: GPL-2.0+
 Valid-License-Identifier: GPL-2.0-or-later
 SPDX-URL: https://spdx.org/licenses/GPL-2.0.html
 Usage-Guide:
@@ -8,12 +6,8 @@ Usage-Guide:
   tag/value pairs into a comment according to the placement
   guidelines in the licensing rules documentation.
   For 'GNU General Public License (GPL) version 2 only' use:
-    SPDX-License-Identifier: GPL-2.0
-  or
     SPDX-License-Identifier: GPL-2.0-only
   For 'GNU General Public License (GPL) version 2 or any later version' use:
-    SPDX-License-Identifier: GPL-2.0+
-  or
     SPDX-License-Identifier: GPL-2.0-or-later
 License-Text:
 
diff --git a/LICENSES/preferred/LGPL-2.0 b/LICENSES/preferred/LGPL-2.0
index 957d798fe037..443c5569c4f5 100644
--- a/LICENSES/preferred/LGPL-2.0
+++ b/LICENSES/preferred/LGPL-2.0
@@ -1,15 +1,15 @@
-Valid-License-Identifier: LGPL-2.0
-Valid-License-Identifier: LGPL-2.0+
+Valid-License-Identifier: LGPL-2.0-only
+Valid-License-Identifier: LGPL-2.0-or-later
 SPDX-URL: https://spdx.org/licenses/LGPL-2.0.html
 Usage-Guide:
   To use this license in source code, put one of the following SPDX
   tag/value pairs into a comment according to the placement
   guidelines in the licensing rules documentation.
   For 'GNU Library General Public License (LGPL) version 2.0 only' use:
-    SPDX-License-Identifier: LGPL-2.0
+    SPDX-License-Identifier: LGPL-2.0-only
   For 'GNU Library General Public License (LGPL) version 2.0 or any later
   version' use:
-    SPDX-License-Identifier: LGPL-2.0+
+    SPDX-License-Identifier: LGPL-2.0-or-later
 License-Text:
 
 GNU LIBRARY GENERAL PUBLIC LICENSE
diff --git a/LICENSES/preferred/LGPL-2.1 b/LICENSES/preferred/LGPL-2.1
index 27bb4342a3e8..8738a8d578fa 100644
--- a/LICENSES/preferred/LGPL-2.1
+++ b/LICENSES/preferred/LGPL-2.1
@@ -1,15 +1,15 @@
-Valid-License-Identifier: LGPL-2.1
-Valid-License-Identifier: LGPL-2.1+
+Valid-License-Identifier: LGPL-2.1-only
+Valid-License-Identifier: LGPL-2.1-or-later
 SPDX-URL: https://spdx.org/licenses/LGPL-2.1.html
 Usage-Guide:
   To use this license in source code, put one of the following SPDX
   tag/value pairs into a comment according to the placement
   guidelines in the licensing rules documentation.
   For 'GNU Lesser General Public License (LGPL) version 2.1 only' use:
-    SPDX-License-Identifier: LGPL-2.1
+    SPDX-License-Identifier: LGPL-2.1-only
   For 'GNU Lesser General Public License (LGPL) version 2.1 or any later
   version' use:
-    SPDX-License-Identifier: LGPL-2.1+
+    SPDX-License-Identifier: LGPL-2.1-or-later
 License-Text:
 
 GNU LESSER GENERAL PUBLIC LICENSE
diff --git a/scripts/update_spdx_v2_licenses.sh b/scripts/update_spdx_v2_licenses.sh
new file mode 100755
index 000000000000..4d422cab600a
--- /dev/null
+++ b/scripts/update_spdx_v2_licenses.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# GPL variants without \+ that should use -only
+
+spdx_find='(SPDX-License-Identifier:\s[\s\(]*.*\bL?GPL-[12].[01])(\s|\)|$)'
+spdx_replace='\1-only\2'
+git grep -P --name-only "$spdx_find" -- './*' ':(exclude)LICENSES/' | \
+    xargs -r perl -p -i -e "s/$spdx_find/$spdx_replace/"
+
+# GPL variants with \+ that should use -or-later
+
+spdx_find='(SPDX-License-Identifier:\s[\s\(]*.*\bL?GPL-[12].[01])\+(\s|\)|$)'
+spdx_replace='\1-or-later\2'
+git grep -P --name-only "$spdx_find" -- './*' ':(exclude)LICENSES/' | \
+    xargs -r perl -p -i -e "s/$spdx_find/$spdx_replace/"
-- 
2.15.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ