Message-ID:
 <MW5PR13MB56326322F7DC30A5A78C3D6AFD66A@MW5PR13MB5632.namprd13.prod.outlook.com>
Date: Fri, 6 Feb 2026 00:54:16 +0000
From: "Bird, Tim" <Tim.Bird@...y.com>
To: LINUX SPDX ML <linux-spdx@...r.kernel.org>,
        "linux-kbuild@...r.kernel.org"
	<linux-kbuild@...r.kernel.org>
CC: "luis.augenstein@...tech.com" <luis.augenstein@...tech.com>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        LKML
	<linux-kernel@...r.kernel.org>,
        "Alin.Jerpelea@...y.com"
	<Alin.Jerpelea@...y.com>,
        "Takuya.Namae@...y.com" <Takuya.Namae@...y.com>
Subject: Report on source files missing SPDX license ID lines, based on kernel
 sbom work

Hey kbuild and spdx people,

I recently tried out the SPDX SBOM generation tool posted by Luis Augenstein
a few weeks ago.  I was able to successfully produce some sbom output from
a defconfig x86 kernel build.  I then made a list of the files included in such
a build that are missing SPDX-License-Identifier lines.  It's not as many as you might
think.  Out of 6968 source files used for the build (as reported in the source sbom file),
only 566 were missing SPDX id lines.

This is a tractable number of files to fix, and will be the focus of my SPDX work
in the next few weeks.

Here is a breakdown of the top-level directories in a kernel source tree under which
these files (missing SPDX id lines) are found:
     51 arch
      4 crypto
    185 drivers
     18 fs
    222 include
      9 io_uring
      1 ipc
      2 kernel
     42 lib
      6 mm
     24 net
      2 sound

There are sboms, raw data files, and some tools at the following wiki page, if people
are interested in this work.
https://birdcloud.org/bc/Linux_Kernel_Missing_SPDX_ID_lines_from_build_SBOMs

I plan to update that page with sboms from an ARM64 build in the near future.

In any event, I post this merely as a data point for SPDX work.  I've already done some
work on the io_uring, ipc, kernel and mm directories, with patches making their way upstream.
Next, I plan to focus on the sound, security, net and lib directories. I'm just letting you
know what I'm up to.

If anyone wants to help out by working on adding missing SPDX-License-Identifier lines
to kernel source files, please let me know.  I've got some online resources that should
be helpful for this work.
See https://birdcloud.org/bc/Guidelines_for_fixing_Missing_SPDX_lines

Regards,
 -- Tim
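
The kind of check the message describes, as an added example that is not part of the original post and is not one of the tools on the wiki page: given the source files used in a build, find those without an SPDX-License-Identifier tag and count them per top-level directory. Assumptions: the file list is a plain list of tree-relative paths (the SBOM format is not shown in the message), the tag is looked for only in the first five lines, and the sample tree is constructed.

```python
import collections
import os
import re
import tempfile

# The tag itself, independent of comment style (//, /* */, #).
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*\S+")

def has_spdx_id(path, max_lines=5):
    """True if the tag is in the first max_lines lines (window is an assumption)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(SPDX_RE.search(line) for _, line in zip(range(max_lines), fh))
    except OSError:
        return False  # an unreadable file is reported as missing

def missing_by_top_dir(tree_root, rel_paths):
    """Return (paths lacking the tag, count of those per top-level directory)."""
    missing, counts = [], collections.Counter()
    for rel in rel_paths:
        if not has_spdx_id(os.path.join(tree_root, rel)):
            missing.append(rel)
            counts[rel.split("/", 1)[0]] += 1
    return missing, dict(counts)

# Constructed sample tree (not real kernel files).
SAMPLE = {
    "kernel/a.c": "// SPDX-License-Identifier: GPL-2.0\nint a;\n",
    "scripts/x.sh": "#!/bin/sh\n# SPDX-License-Identifier: GPL-2.0\n",
    "include/uapi/d.h": "/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */\n",
    "include/linux/c.h": "/* Licensed under the GPL, version 2. */\nint c;\n",
    "lib/b.c": "/*\n * Copyright (C) 2001 Example Author\n */\nint b;\n",
}

def demo():
    """Write SAMPLE to a temporary directory and run the check over it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return missing_by_top_dir(root, sorted(SAMPLE))

if __name__ == "__main__":
    missing, counts = demo()
    for top, n in sorted(counts.items()):
        print(f"{n:7d} {top}")
```

A header that states its license only in free text, like the constructed `include/linux/c.h`, is counted as missing, since only the machine-readable tag is matched.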


