Message-ID: <YyBl/FUVndtEFkW9@kroah.com>
Date:   Tue, 13 Sep 2022 13:14:04 +0200
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Uwe Kleine-König 
        <u.kleine-koenig@...gutronix.de>
Cc:     Christoph Hellwig <hch@...radead.org>,
        Marc Zyngier <maz@...nel.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        linux-kernel@...r.kernel.org, kernel@...gutronix.de,
        linux-spdx@...r.kernel.org,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 0/2] SPDX tags for copyright

On Tue, Sep 13, 2022 at 11:46:35AM +0200, Uwe Kleine-König wrote:
> Hello,
> 
> [dropped Kai Germaschewski as his email address doesn't work]
> 
> On Tue, Sep 13, 2022 at 10:20:27AM +0200, Greg KH wrote:
> > On Mon, Sep 12, 2022 at 10:05:54PM -0700, Christoph Hellwig wrote:
> > > On Fri, Sep 09, 2022 at 12:38:48AM +0200, Uwe Kleine-König wrote:
> > > > Hello,
> > > > 
> > > > for Debian packaging having SPDX license tags already simplifies
> > > > creating the required copyright documentation considerably. Another
> > > > information that is needed for Debian packaging is the copyright
> > > > information. There is an SPDX way for copyright information, too. The
> > > > second patch converts scripts/kallsyms.c to that mechanism as an example
> > > > to maybe discuss if we want to do that in the kernel.
> > > > 
> > > > While the SPDX-FileCopyrightText is officially a free-form field, I
> > > > suggest to just stick to the format
> > > > 
> > > > 	(<year> )?<copyright holder>
> > > > 
> > > > to simplify machine consumption even further.
> > > 
> > > Adding the linux-spdx list and Linus.  If we go with this format
> 
> Ah, didn't know about the spdx list (and didn't dare to bother Linus
> with that). Thanks!
> 
> > > (which doesn't sound bad), we'll clearly need to document the format
> > > we want, and that people should use it.
> > 
> > There is a well-agreed-upon legal format for copyright lines already,
> > and those lines should be fine in the comment text at the top of the
> > file.  No need to mess with SPDX-FileWhateverTagWeWant type of stuff
> > here at all as all of our tools can easily find those lines if they
> > really want to extract the copyright information.
> 
> I didn't find a tool that can extract this information in the
> collection of scripts (i.e. below scripts/). Did I miss anything?

It's not in the kernel tree, sorry, there are external tools that can do
this if you really want to.  Like 'grep' as you found :)

> What is that "well-agreed-upon legal format for copyright lines"?

There's a whole LF presentation that goes into all of the details on
this that is free:
	https://training.linuxfoundation.org/training/open-source-licensing-basics-for-software-developers/
and a short summary:
	https://www.linuxfoundation.org/blog/copyright-notices-in-open-source-software-projects/

But many company legal departments have their own format and
requirements so there might be variations.  Talk to your lawyers for
what they require/recommend if you work for a company and want to put a
copyright line in a file.

> Grepping a bit around, here are some examples:
> 
>  * Portions Copyright (c) 2004-2006 Silicon Graphics, Inc.
>  * - Copyright (C) 2001 Junichi Morita <jun1m@...s.dti.ne.jp>
>  * **Copyright** |copy| 1999-2020 : LinuxTV Developers
>  * Copyright: |copy| 1995--1999 Martin Mares, <mj@....cz>
>  * Copyright (c) 2000
>    - Jorge Nerin <comandante@...alinux.com>
>  * Ben Dooks, Copyright 2006 Simtec Electronics
>  * Copyright, IBM Corp. 1999-2002
>  * :copyright:  Copyright (C) 2016  Markus Heiser
>  * Copyright (C) 2015 Atmel,
>                  2015 Nicolas Ferre <nicolas.ferre@...el.com>
> 
> and this is just the unusual stuff I found in a few minutes.

And you need to get approval from all of those owners to change that
text.  And the SPDX-Tag format will not help with this at all.

As you did a simple grep to find the above, finding copyright lines is
not as difficult as determining license text variations that we
currently are dealing with.

So what's the benefit of changing anything right now as no one is saying
we have Copyright line identification issues?

> > SPDX is great for license declarations, let's stick with only using that
> > for now until we finish the whole kernel and then maybe we can worry
> > about adding additional meta information if it's really decided it can
> > benefit anyone.
> 
> When converting a file to use SPDX-License-Identifier adding the SPDX
> copyright stuff in the same commit might save some churn?!

Again, we aren't recommending to touch copyright lines at all with the
current SPDX stuff.  Let's focus on licenses first please, that effort
is not yet complete.

> Wasn't the situation with licenses similar before SPDX was in use? i.e.
> there are scripts that more or less reliably determine the license of a
> given file. But the "more or less" part results in some unease and so a
> formalism was introduced.

License and copyright are two different things, and different groups
interact with them.  The SPDX effort on the kernel was started to
resolve the license questions that people had.  If you wish to also
address any potential copyright issue, wonderful, please work with the
legal groups involved to get them to agree that using the SPDX tag is an
ok thing to do.  But until that happens, let's leave that alone and just
stick with the text lines for now.

thanks,

greg k-h
