lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 16 Dec 2021 13:05:10 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Mauro Carvalho Chehab <mchehab@...nel.org>
Cc:     Lukas Bulwahn <lukas.bulwahn@...il.com>,
        Cai Huoqing <caihuoqing@...du.com>,
        linux-media@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
        linux-spdx@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: prefer generic SPDX-License expression to
 deprecated one

On Thu, Dec 16, 2021 at 12:23:11PM +0100, Mauro Carvalho Chehab wrote:
> Em Thu, 16 Dec 2021 11:31:32 +0100
> Lukas Bulwahn <lukas.bulwahn@...il.com> escreveu:
> 
> > Commit 8d395ce6f04b ("media: dvb-core: Convert to SPDX identifier") and
> > commit e67219b0496b ("media: b2c2: flexcop: Convert to SPDX identifier")
> > introduce the SPDX-License expression LGPL-2.1-or-later for some files.
> > 
> > The command ./scripts/spdxcheck.py warns:
> > 
> >   drivers/media/dvb-core/dmxdev.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> >   drivers/media/dvb-core/dvb_demux.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> >   drivers/media/dvb-core/dvbdev.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> >   drivers/media/common/b2c2/flexcop.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> > 
> > The preferred SPDX expression for LGPL-2.1 or any later version is with
> > the more generic "+"-extension for "any later version", so: LGPL-2.1+
> > 
> > This makes spdxcheck happy again.
> 
> It doesn't sound right to apply such patch.
> 
> See, the latest SPDX version uses LGPL-2.1-or-later:
> 
> 	https://spdx.org/licenses/LGPL-2.1-or-later.html
> 
> And it deprecated LGPL-2.1+:
> 
> 	https://spdx.org/licenses/LGPL-2.1+.html
> 
> So, those files are perfectly fine with regards to SPDX, and are
> adherent to its latest specs. We do need the latest specs on media,
> as our documentation is under GFDL-1.1-no-invariants-or-later, which
> only exists on newer SPDX versions.
> 
> So, the right thing to do here seems to fix spdxcheck.py, letting it
> either allow both variants (as we probably don't want to replace it
> everywhere) or to emit a warning if the deprecated ones are used.

No, we are not going to add a "warning" for older SPDX versions like
that, otherwise the majority of the kernel will start spitting out
warnings.

Let's worry about actually fixing all of the files that do NOT have SPDX
tags before even considering to move to a newer version of the spec.  We
started this work before the FSF made the crazy change to their tags,
let's not worry about any deprecated issues at the moment.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ