| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202507271940.F70685B2A9@keescook> Date: Sun, 27 Jul 2025 19:43:32 -0700 From: Kees Cook <kees@...nel.org> To: Sasha Levin <sashal@...nel.org> Cc: corbet@....net, linux-doc@...r.kernel.org, workflows@...r.kernel.org, josh@...htriplett.org, konstantin@...uxfoundation.org, linux-kernel@...r.kernel.org, rostedt@...dmis.org Subject: Re: [PATCH 4/4] agents: add legal requirements and agent attribution guidelines On Sun, Jul 27, 2025 at 03:58:02PM -0400, Sasha Levin wrote: > +Licensing Requirements > +---------------------- > + > +**GPL-2.0 License** > + The Linux kernel is licensed under GPL-2.0 only with a syscall exception. Coding agents MUST follow this licensing rule with no exceptions. Any code contributed must be compatible with this license. > + > +**SPDX License Identifiers** > + All files must have proper SPDX license identifiers. For most kernel source files, this should be the first line of the file in the appropriate comment format: > + > + - For C source/header files: ``// SPDX-License-Identifier: GPL-2.0`` > + - For scripts: ``# SPDX-License-Identifier: GPL-2.0`` > + - For documentation: ``.. SPDX-License-Identifier: GPL-2.0`` Again, all of this is redundant. And if the SPDX stuff *isn't* redundant, it needs to be listed somewhere else for humans. > +Signed-off-by Restriction > +------------------------- > + > +Coding assistants **MUST NOT** add a ``Signed-off-by`` tag pointing to themselves. The ``Signed-off-by`` tag represents a legal certification by a human developer that they have the right to submit the code under the open source license. > + > +Only the human user running the coding assistant should add their ``Signed-off-by`` tag to commits. The agent's contribution is acknowledged through the ``Co-developed-by`` tag as described below. This is unique to Agents. Yes, this is fine. > +Agent Attribution Requirement > +----------------------------- > + > +When creating commits, coding agents **MUST** identify themselves by including the following tag in the commit message:: > + > + Co-developed-by: $AGENT_NAME $AGENT_MODEL $AGENT_VERSION > + > +Examples: > + > +- ``Co-developed-by: Claude claude-3-opus-20240229`` > +- ``Co-developed-by: GitHub-Copilot GPT-4 v1.0.0`` > +- ``Co-developed-by: Cursor gpt-4-turbo-2024-04-09`` > + > +This transparency helps maintainers and reviewers understand that a coding agent was involved in the development process. This is fine too. But like I said before, you must update checkpatch.pl to not complain about Co-developed-by missing S-o-b when C-d-b lacks email address, and it should be part of this series. -Kees -- Kees Cook
Powered by blists - more mailing lists