Message-ID: <20190129052703.GA9753@kroah.com>
Date:   Tue, 29 Jan 2019 06:27:03 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Jonathan Corbet <corbet@....net>, Jessica Yu <jeyu@...nel.org>,
        Alan Cox <alan@...rguk.ukuu.org.uk>,
        Rusty Russell <rusty@...tcorp.com.au>,
        Christoph Hellwig <hch@....de>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Philippe Ombredanne <pombredanne@...b.com>
Subject: Re: [PATCH][RFC] module: Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity

On Mon, Jan 28, 2019 at 11:38:42PM +0100, Thomas Gleixner wrote:
> The original MODULE_LICENSE string for kernel modules licensed under the
> GPL v2 (only / or later) was simply "GPL", which was - and still is -
> completely sufficient for the purpose of module loading and checking
> whether the module is free software or proprietary.
> 
> In January 2003 this was changed with commit 3344ea3ad4b7 ("[PATCH]
> MODULE_LICENSE and EXPORT_SYMBOL_GPL support"). This commit can be found in
> the history git repository which holds the 1:1 import of Linus' bitkeeper
> repository:
> 
>   https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=3344ea3ad4b7c302c846a680dbaeedf96ed45c02
> 
> The main intention of the patch was to refuse linking proprietary modules
> against symbols exported with EXPORT_SYMBOL_GPL() at module load time.
> 
> As a completely undocumented side effect it also introduced the distinction
> between "GPL" and "GPL v2" MODULE_LICENSE() strings:
> 
>  *      "GPL"                           [GNU Public License v2 or later]
>  *      "GPL v2"                        [GNU Public License v2]
>  *      "GPL and additional rights"     [GNU Public License v2 rights and more]
>  *      "Dual BSD/GPL"                  [GNU Public License v2
>  *                                       or BSD license choice]
>  *      "Dual MPL/GPL"                  [GNU Public License v2
>  *                                       or Mozilla license choice]
> 
> This distinction was and still is wrong in several aspects:
> 
>  1) It broke all modules which were using the "GPL" string in the
>     MODULE_LICENSE() already and were licensed under GPL v2 only.
> 
>     A quick license scan over the tree at that time shows that at least 480
>     out of 1484 modules have been affected by this change back then. The
>     number is probably way higher as this was just a quick check for
>     clearly identifiable license information.
> 
>     There was exactly ONE instance of a "GPL v2" module license string in
>     the kernel back then - drivers/net/tulip/xircom_tulip_cb.c which
>     otherwise had no license information at all. There is no indication
>     that the change above is in any way related to this driver. The change
>     happened with the 2.4.11 release which was on Oct. 9 2001 - so quite
>     some time before the above commit. Unfortunately there is no trace on
>     the intertubes to any discussion of this.
> 
>  2) The dual licensed strings became ill-defined as well because following
>     the "GPL" vs. "GPL v2" distinction all dual licensed (or additional
>     rights) MODULE_LICENSE strings would either require those dual licensed
>     modules to be licensed under GPL v2 or later or just be unspecified for
>     the dual licensing case. Neither choice is coherent with the GPL
>     distinction.
> 
> Due to the lack of a proper changelog and no real discussion on the patch
> submission other than a few implementation details, it's completely unclear
> why this distinction was introduced at all. Other than the comment in the
> module header file, no documentation for this exists at all.
> 
> From a license compliance and license scanning POV this distinction is a
> total nightmare.

Many thanks for digging through all of this, it should help out a lot:

Reviewed-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
