Open Source and information security mailing list archives
Message-ID: <20220913131219.27haxojlq5jbmycv@pengutronix.de>
Date:   Tue, 13 Sep 2022 15:12:19 +0200
From:   Uwe Kleine-König <u.kleine-koenig@...gutronix.de>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     Marc Zyngier <maz@...nel.org>,
        Masahiro Yamada <masahiroy@...nel.org>,
        linux-kernel@...r.kernel.org,
        Christoph Hellwig <hch@...radead.org>, kernel@...gutronix.de,
        linux-spdx@...r.kernel.org,
        Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 0/2] SPDX tags for copyright

Hello Greg,

On Tue, Sep 13, 2022 at 01:14:04PM +0200, Greg KH wrote:
> On Tue, Sep 13, 2022 at 11:46:35AM +0200, Uwe Kleine-König wrote:
> > On Tue, Sep 13, 2022 at 10:20:27AM +0200, Greg KH wrote:
> > > On Mon, Sep 12, 2022 at 10:05:54PM -0700, Christoph Hellwig wrote:
> > > > On Fri, Sep 09, 2022 at 12:38:48AM +0200, Uwe Kleine-König wrote:
> > > > > for Debian packaging having SPDX license tags already simplifies
> > > > > creating the required copyright documentation considerably. Another
> > > > > creating the required copyright documentation considerably. Another
> > > > > piece of information that is needed for Debian packaging is the copyright
> > > > > information. There is an SPDX way for copyright information, too. The
> > > > > second patch converts scripts/kallsyms.c to that mechanism as an example
> > > > > to maybe discuss if we want to do that in the kernel.
> > > > > 
> > > > > While the SPDX-FileCopyrightText is officially a free-form field, I
> > > > > suggest to just stick to the format
> > > > > 
> > > > > 	(<year> )?<copyright holder>
> > > > > 
> > > > > to simplify machine consumption even further.
> > > > 
> > > > (which doesn't sound bad), we'll clearly need to document the format
> > > > we want, and that people should use it.
> > > 
> > > There is a well-agreed-upon legal format for copyright lines already,
> > > and those lines should be fine in the comment text at the top of the
> > > file.  No need to mess with SPDX-FileWhateverTagWeWant type of stuff
> > > here at all as all of our tools can easily find those lines if they
> > > really want to extract the copyright information.
> > 
> > I didn't find a tool that can extract this information in the
> > collection of scripts (i.e. below scripts/). Did I miss anything?
> 
> It's not in the kernel tree, sorry, there are external tools that can do
> this if you really want to.  Like 'grep' as you found :)
> 
> > What is that "well-agreed-upon legal format for copyright lines"?
> 
> There's a whole LF presentation that goes into all of the details on
> this that is free:
> 	https://training.linuxfoundation.org/training/open-source-licensing-basics-for-software-developers/
> and a short summary:
> 	https://www.linuxfoundation.org/blog/copyright-notices-in-open-source-software-projects/

Thanks for the link, will look into these.

> But many company legal departments have their own format and
> requirements so there might be variations.  Talk to your lawyers for
> what they require/recommend if you work for a company and want to put a
> copyright line in a file.

Just for the background: My focus is currently on consuming end of these
copyright lines. I want to package barebox for Debian and several files
in barebox are inherited from the kernel. Debian requires to summarize
all licenses and copyrights in the package meta data. So formalizing
copyrights would simplify that copyright collecting.

> > Grepping a bit around, here are some examples:
> > 
> >  * Portions Copyright (c) 2004-2006 Silicon Graphics, Inc.
> >  * - Copyright (C) 2001 Junichi Morita <jun1m@...s.dti.ne.jp>
> >  * **Copyright** |copy| 1999-2020 : LinuxTV Developers
> >  * Copyright: |copy| 1995--1999 Martin Mares, <mj@....cz>
> >  * Copyright (c) 2000
> >    - Jorge Nerin <comandante@...alinux.com>
> >  * Ben Dooks, Copyright 2006 Simtec Electronics
> >  * Copyright, IBM Corp. 1999-2002
> >  * :copyright:  Copyright (C) 2016  Markus Heiser
> >  * Copyright (C) 2015 Atmel,
> >                  2015 Nicolas Ferre <nicolas.ferre@...el.com>
> > 
> > and this is just the unusual stuff I found in a few minutes.
> 
> And you need to get approval from all of those owners to change that
> text.  And the SPDX-Tag format will not help with this at all.

Oh really. I wouldn't consider it critical to replace

	Copyright (C) 2015 Atmel,
	              2015 Nicolas Ferre <nicolas.ferre@...el.com>

by

	SPDX-FileCopyrightText: 2015 Atmel
	SPDX-FileCopyrightText: 2015 Nicolas Ferre <nicolas.ferre@...el.com>

. But maybe that's only because I didn't consume the above presentation
yet.

> As you did a simple grep to find the above, finding copyright lines is
> not as difficult as determining license text variations that we
> currently are dealing with.
> 
> So what's the benefit of changing anything right now as no one is saying
> we have Copyright line identification issues?

The benefit is that parsing formalized information is easier, so I'd
prefer to invest time into getting the copyright information into
machine readable format instead of creating a script in a similar
timeframe that can determine all the variants available in the kernel
plus some checking by hand to convince myself I did it right.

> > > SPDX is great for license declarations, let's stick with only using that
> > > for now until we finish the whole kernel and then maybe we can worry
> > > about adding additional meta information if it's really decided it can
> > > benefit anyone.
> > 
> > When converting a file to use SPDX-License-Identifier adding the SPDX
> > copyright stuff in the same commit might save some churn?!
> 
> Again, we aren't recommending touching copyright lines at all with the
> current SPDX stuff.  Let's focus on licenses first please, that effort
> is not yet complete.
> 
> > Wasn't the situation with licenses similar before SPDX was in use? i.e.
> > there are scripts that more or less reliably determine the license of a
> > given file. But the "more or less" part results in some unease and so a
> > formalism was introduced.
> 
> License and copyright are two different things, and different groups
> interact with them.  The SPDX effort on the kernel was started to
> resolve the license questions that people had.  If you wish to also
> address any potential copyright issue, wonderful, please work with the
> legal groups involved to get them to agree that using the SPDX tag is an
> ok thing to do.  But until that happens, let's leave that alone and just
> stick with the text lines for now.

Getting some discussion about what is a sensible way forward was the
intention of my patch. 

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | https://www.pengutronix.de/ |
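
Added example (not part of this e-mail, of barebox, or of the kernel's scripts/ directory): a small Python parser for the "SPDX-FileCopyrightText: (<year> )?<copyright holder>" format proposed in the thread, placed next to the plain-grep approach applied to the kind of free-form copyright lines quoted above. It shows what the formalized tags buy a packager: every holder comes back as a (year, holder) pair, while the grep returns raw lines and silently misses holders that continue on the next line. Both sample headers, including the example.com addresses, are constructed for this example; the year-range handling is an assumption beyond the single <year> in the proposal.

```python
"""
Added example: parse SPDX tags in a file header using the format proposed
in the thread, and contrast that with a plain grep for free-form copyright
lines.  Not code from the thread, barebox or the kernel's scripts/.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# SPDX-License-Identifier: <expression>  (already used throughout the kernel)
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*(?P<expr>[^\r\n]+)")

# SPDX-FileCopyrightText: (<year> )?<copyright holder>
# Assumption: the optional year may also be a range such as 1999-2020.
COPYRIGHT_TAG_RE = re.compile(
    r"SPDX-FileCopyrightText:\s*"
    r"(?:(?P<year>\d{4}(?:-\d{4})?)\s+)?"
    r"(?P<holder>\S[^\r\n]*?)\s*$",
    re.MULTILINE,
)

# What a plain grep for copyright lines looks for: the word itself, the
# "(c)" marker, or the |copy| substitution seen in the quoted variants.
FREEFORM_RE = re.compile(r"copyright|\(c\)|\|copy\|", re.IGNORECASE)


@dataclass(frozen=True)
class Copyright:
    year: Optional[str]   # None when the tag carries no year
    holder: str


def parse_spdx_header(text: str) -> dict:
    """Return the license expression and the structured copyright tags."""
    m = LICENSE_RE.search(text)
    license_expr = m.group("expr").strip(" */") if m else None
    copyrights = [
        Copyright(c.group("year"), c.group("holder").rstrip(" */"))
        for c in COPYRIGHT_TAG_RE.finditer(text)
    ]
    return {"license": license_expr, "copyrights": copyrights}


def find_freeform_copyright_lines(text: str) -> List[str]:
    """What grep gives you: the matching raw lines, with no structure.

    A holder written on a continuation line (no 'Copyright' on it) is lost.
    """
    return [
        line.strip(" \t*#-")
        for line in text.splitlines()
        if FREEFORM_RE.search(line)
    ]


# Constructed header in the proposed tag format.
TAGGED_HEADER = """\
// SPDX-License-Identifier: GPL-2.0-only
// SPDX-FileCopyrightText: 2015 Atmel
// SPDX-FileCopyrightText: 2015 Nicolas Ferre <nicolas.ferre@example.com>
// SPDX-FileCopyrightText: Example Holder Without Year
"""

# Constructed header with free-form lines of the kind quoted in the thread.
FREEFORM_HEADER = """\
/*
 * Copyright (C) 2015 Atmel,
 *               2015 Nicolas Ferre <nicolas.ferre@example.com>
 * Copyright (c) 2000
 *   - Jorge Nerin <comandante@example.com>
 * Ben Dooks, Copyright 2006 Simtec Electronics
 */
"""

if __name__ == "__main__":
    parsed = parse_spdx_header(TAGGED_HEADER)
    print("license:", parsed["license"])
    for c in parsed["copyrights"]:
        print("copyright:", c.year, c.holder)
    print("grep hits:", find_freeform_copyright_lines(FREEFORM_HEADER))
```

Run against the free-form header, the grep returns three lines and neither "Nicolas Ferre" nor "Jorge Nerin" appears in any of them, which is exactly the by-hand checking step the mail above wants to avoid; the tagged header yields every holder with its year in one pass.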
