Message-ID: <alpine.DEB.2.21.1901302248430.8200@nanos.tec.linutronix.de>
Date:   Wed, 30 Jan 2019 23:00:15 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Alan Cox <alan@...yncelyn.cymru>
cc:     Rusty Russell <rusty@...tcorp.com.au>,
        LKML <linux-kernel@...r.kernel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Greg KH <gregkh@...uxfoundation.org>,
        Jonathan Corbet <corbet@....net>, Jessica Yu <jeyu@...nel.org>,
        Alan Cox <alan@...rguk.ukuu.org.uk>,
        Christoph Hellwig <hch@....de>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Philippe Ombredanne <pombredanne@...b.com>
Subject: Re: [PATCH][RFC] module: Cure the MODULE_LICENSE "GPL" vs. "GPL v2" bogosity

On Wed, 30 Jan 2019, Alan Cox wrote:
> On Wed, 30 Jan 2019 15:31:20 +1030
> Rusty Russell <rusty@...tcorp.com.au> wrote:
> 
> > Thanks for taking on such a thankless task Thomas,
> > 
> > Might have been overzealous in assuming a versionless GPL string meant
> > "or later" (I'm happy for that for my own code, FWIW).  My memory is
> > fuzzy, but I don't think anyone cared at the time.
> 
> Versionless always meant 'or later' outside of the tags. It's the default
> version of the licence. (Whether v2 only has any meaning beyond intent is
> another debate that I guess some year a lawyer will have to figure out).
> 
> I think the description change makes sense given the ambiguity and the
> fact we now have SPDX headers. (IANAL etc)
> 
> > >  2) The dual licensed strings became ill defined as well because following
> > >     the "GPL" vs. "GPL v2" distinction all dual licensed (or additional
> 
> The dual ones were IMHO a mistake. They should just have used GPL and
> additional rights. Either you have GPL rights (and it's ok to use in the
> kernel) or you don't (and it's proprietary and the rest is down to
> derivative works).
> 
> We don't actually care whether it's dual licensed BSD, or whether it
> merely grants you an additional right to cheap pizza.

Actually for the purpose of module loading the only relevant information is
whether there are GPL rights or not. Whether there are additional rights is
irrelevant for the binary blob. That only matters vs. the source code
itself.

> > > As of 5.0-rc2 2873 out of 9200 instances of MODULE_LICENSE() strings are
> > > conflicting with the actual license in the source code (either SPDX or
> > > license boilerplate/reference). A comparison between the scan of the
> 
> The SPDX tag isn't correctly capable of expressing the licence anyway. If
> you have functions in a file and two of them are GPL v2+ and someone
> added a GPLv2 only one and updated the header there isn't a valid SPDX tag
> for it because I can still use the GPLv2+ bits with GPLv3.
>
> This is nothing new - the headers on the files provided no more data on
> that and took up lots more space 8) We've simply never tracked licence
> data by line.

Correct, there are files which have both a v2 only and a v2 or later
boilerplate and there is no way to figure out what that actually means for
the affected source file.

I found a recent patch adding the v2 or later boilerplate right next to the
v2 only and the patch content is mostly fiddling with the existing code.

Most people simply do not care and I'd say most do not understand what
licensing means in the first place. But at the same time a lot of people do
not care at all what they are doing.

Thanks,

	tglx