lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20211216131522.4e7b148d@coco.lan>
Date:   Thu, 16 Dec 2021 13:15:22 +0100
From:   Mauro Carvalho Chehab <mchehab@...nel.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Lukas Bulwahn <lukas.bulwahn@...il.com>,
        Cai Huoqing <caihuoqing@...du.com>,
        linux-media@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>,
        linux-spdx@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: prefer generic SPDX-License expression to
 deprecated one

Em Thu, 16 Dec 2021 13:05:10 +0100
Greg Kroah-Hartman <gregkh@...uxfoundation.org> escreveu:

> On Thu, Dec 16, 2021 at 12:23:11PM +0100, Mauro Carvalho Chehab wrote:
> > Em Thu, 16 Dec 2021 11:31:32 +0100
> > Lukas Bulwahn <lukas.bulwahn@...il.com> escreveu:
> >   
> > > Commit 8d395ce6f04b ("media: dvb-core: Convert to SPDX identifier") and
> > > commit e67219b0496b ("media: b2c2: flexcop: Convert to SPDX identifier")
> > > introduce the SPDX-License expression LGPL-2.1-or-later for some files.
> > > 
> > > The command ./scripts/spdxcheck.py warns:
> > > 
> > >   drivers/media/dvb-core/dmxdev.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> > >   drivers/media/dvb-core/dvb_demux.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> > >   drivers/media/dvb-core/dvbdev.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> > >   drivers/media/common/b2c2/flexcop.c: 1:28 Invalid License ID: LGPL-2.1-or-later
> > > 
> > > The preferred SPDX expression for LGPL-2.1 or any later version is with
> > > the more generic "+"-extension for "any later version", so: LGPL-2.1+
> > > 
> > > This makes spdxcheck happy again.  
> > 
> > It doesn't sound right to apply such patch.
> > 
> > See, the latest SPDX version uses LGPL-2.1-or-later:
> > 
> > 	https://spdx.org/licenses/LGPL-2.1-or-later.html
> > 
> > And it deprecated LGPL-2.1+:
> > 
> > 	https://spdx.org/licenses/LGPL-2.1+.html
> > 
> > So, those files are perfectly fine with regards to SPDX, and are
> > adherent to its latest specs. We do need the latest specs on media,
> > as our documentation is under GFDL-1.1-no-invariants-or-later, which
> > only exists on newer SPDX versions.
> > 
> > So, the right thing to do here seems to fix spdxcheck.py, letting it
> > either allow both variants (as we probably don't want to replace it
> > everywhere) or to emit a warning if the deprecated ones are used.  
> 
> No, we are not going to add a "warning" for older SPDX versions like
> that, otherwise the majority of the kernel will start spitting out
> warnings.
> 
> Let's worry about actually fixing all of the files that do NOT have SPDX
> tags before even considering to move to a newer version of the spec.  We
> started this work before the FSF made the crazy change to their tags,
> let's not worry about any deprecated issues at the moment.

Yeah, agreed.

Thanks,
Mauro

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ