lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c3aa1b37-60bb-aceb-10ba-9768157a2a5a@gentoo.org>
Date:   Mon, 11 Feb 2019 00:08:32 +0100
From:   Kristian Fiskerstrand <k_f@...too.org>
To:     Domenico Andreoli <domenico.andreoli@...ux.com>,
        Ben Finney <bignose@...ian.org>
Cc:     Nadia Yvette Chambers <nyc@...omorphy.com>,
        Arnaldo Carvalho de Melo <acme@...hat.com>,
        919356@...s.debian.org, debian-legal@...ts.debian.org,
        linux-kernel@...r.kernel.org
Subject: Re: Licensing of include/linux/hash.h

On 1/23/19 9:50 AM, Domenico Andreoli wrote:
> Ben Finney <bignose@...ian.org> writes:
>> Domenico Andreoli <cavok@...ian.org> writes:
>>
>>>   the situation of dwarves-dfsg improved a lot over the weekend
>>
>> That's good to hear. What is the event you're referring to? Can you give
>> a URL to something that describes this change?
> 
> Upstream (in CC) reacted to my request of clarification and patches
> have been applied upstream and on Salsa. See bug 919356 [0] (please
> keep in CC).
> 
>>> the only knot left is now the license of hash.h
>>>
>>> This file is also present in the kernel [0] with an updated copyright
>>> but still without license.
>>
>> The file you show (in the Linux code base) seems likely to have an
>> equivalent implementation under a different license, from some other
>> code base.
> 
> This will require research and work unlikely to be done before Buster
> release. Are we going to drop this package for now?
> 
>>> I received a private email from somebody in the kernel community who
>>> already tried to contact Nadia in the past but did not get any reply.
>>
>> Thank you also for contacting the Linux developers forum to ask
>> <URL:https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1900588.html>.
> 
> (also in CC now)
> 
>>> I think that pushing it to non-free is formally the right thing but I
>>> actually feel it's not the right thing.
>>
>> To know that work (that file) is free software, we need a clear grant of
>> some specific license, for that work.
>>
>> If the work is not free, it would be incorrect to have the work in Debian.
> 
> Is it possible that for the kernel it is instead correct because it is,
> as whole, covered by its COPYING?
> 
>> Alternatives, for complying with the Debian Free Software Guidelines with
>> this package, include:
>>
>> * Find a credible grant of license under some GPL-compatible free
>>   license to that exact file. Document that explicit grant in the Debian
>>   package. This demonstrates the work is DFSG-free.
>>
>> * Convince ‘dwarves-dfsg’ upstream to replace that file with a different
>>   implementation (I don't know whether such an implementation exists)
>>   under a license compatible with the same version of GNU GPL. Document
>>   that explicit grant in the Debian package. This demonstrates the
>>   modified work is DFSG-free.
> 
> Arnaldo, what priority would you give to this task?
> 
>>
>> * Replace that file in Debian only, with a different implementation as
>>   above. Document that explicit grant in the Debian package. This
>>   demonstrates the modified Debian package is DFSG-free.
>>
>> * Move the work to the ‘non-free’ area.
>>
>> * Remove the work altogether.
>>
>> Those are in descending order of (my recommended) preference.
> 
> Thanks,
> Domenico
> 
> [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919356
> 

It was [pointed out] by one of our license group that [hash.h]  is the
same that has a GPL-2+ in [fio] which has a signed-off-by.

References:
[pointed out]
https://bugs.gentoo.org/677586#c1

[hash.h]
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/fio.git/commit/hash.h?id=bdc7211e190482f0c17c109a0d90834a6611be1c

[fio]
https://metadata.ftp-master.debian.org/changelogs/main/f/fio/fio_3.12-2_copyright



-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ