lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHk-=wh00UW9i+hGYjmLZW5MOAti9FFBarGBL909k5PfH4r2fg@mail.gmail.com>
Date:   Sat, 7 May 2022 10:30:34 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Miguel Ojeda <ojeda@...nel.org>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        rust-for-linux <rust-for-linux@...r.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        Alex Gaynor <alex.gaynor@...il.com>,
        Wedson Almeida Filho <wedsonaf@...gle.com>
Subject: Re: [PATCH v6 07/23] rust: import upstream `alloc` crate

On Fri, May 6, 2022 at 10:26 PM Miguel Ojeda <ojeda@...nel.org> wrote:
>
> This is a subset of the Rust standard library `alloc` crate,
> version 1.60.0, from:
>
>     https://github.com/rust-lang/rust/tree/1.60.0/library/alloc/src
>
> The files are copied as-is, with no modifications whatsoever
> (not even adding the SPDX identifiers).
>
> The next patch modifies [..]

Now, the next patch clarifies this, but I think that you should at
least mention the actual copyright license status here.

Yes, it's MIT/Apache, and yes, that's GPLv2 compatible, but that's not
obvious from this fairly large patch.

And when you then do things like "git blame" to look at where code
came from, you'll see all this code came in through a commit that says
"copied as-is" with just a link that may or may not be stable and
available to whoever looks at it then.

So keep the link for the actual details, but I think that when
importing big chunks like this it's just a good idea to make that
original license explicit rather than "look at that link".

Just saying "MIT or Apache" here, and then having the link as the
"here are the details" would make me happier.

I use git blame all the time to find who to contact when there are
issues, and in that kind of workflow it's fairly unhelpful to see some
reference to "The next patch".

So I agree whole-heartedly with the "import the original, do the
required changes separately", but I would like to see that original
import really explicitly clarify the license status, and not require
people to dig for it through external links.

              Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ