Date:   Tue, 21 May 2019 23:34:19 -0700
From:   Joe Perches <joe@...ches.com>
To:     Masahiro Yamada <yamada.masahiro@...ionext.com>,
        Greg KH <gregkh@...uxfoundation.org>,
        Thomas Gleixner <tglx@...utronix.de>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-spdx@...r.kernel.org
Subject: Re: [GIT PULL] SPDX update for 5.2-rc1 - round 1

On Wed, 2019-05-22 at 13:32 +0900, Masahiro Yamada wrote:
> On Tue, May 21, 2019 at 10:34 PM Greg KH <gregkh@...uxfoundation.org> wrote:
[]
> >  - Add GPL-2.0-only or GPL-2.0-or-later tags to files where our scan
> >     tools can determine the license text in the file itself.  Where this
> >     happens, the license text is removed, in order to cut down on the
> >     700+ different ways we have in the kernel today, in a quest to get
> >     rid of all of these.
[]
> I have been wondering for a while
> which version of spdx tags I should use in my work.
> 
> I know the 'GPL-2.0' tag is already deprecated.
> (https://spdx.org/licenses/GPL-2.0.html)
> 
> But, I saw negative reaction to this:
> https://lore.kernel.org/patchwork/patch/975394/
> 
> Neither "-only" nor "-or-later" is documented in
> Documentation/process/license-rules.rst
> 
> In this patch series, Thomas used 'GPL-2.0-only' and 'GPL-2.0-or-later'
> instead of 'GPL-2.0' and 'GPL-2.0+'.
> 
> Now, we have a great number of users of spdx v3 tags.
> $ git grep -P 'SPDX-License-Identifier.*(?:-or-later|-only)'| wc -l
> 4135
> So, what I understood is:
> 
>   For newly added tags, '*-only' and '*-or-later' are preferred.
> 
> (But, we do not convert existing spdx v2 tags globally.)
> 
> 
> Joe's patch was not merged, but at least
> Documentation/process/license-rules.rst
> should be updated in my opinion.
> 
> (Perhaps, checkpatch.pl can suggest newer tags in case
> patch submitters do not even know that deprecation.)

I'd still prefer the kernel use of a single SPDX style.

I don't know why the -only and -or-later forms were
used for this patch, but I like it.

I believe the -only and -or-later are more intelligible
as a trivial reading of

	SPDX-License-Identifier: GPL-2.0

would generally mean to me the original
GPL-2.0 license without the elision of the
(or at your option, any later version) bits

whereas

	SPDX-License-Identifier: GPL-2.0-only

seems fairly descriptive.

Is it agreed that the GPL-<v>-only and GPL-<v>-or-later
forms should be preferred for new SPDX identifiers?

If so, I'll submit a checkpatch patch.

I could also wire up a patch to checkpatch and docs to
remove the /* */ requirement for .h files and prefer
the generic // form for both .c and .h files as the
current minimum tooling versions now all allow //
comments.

