SPDX tag question

Message ID	20180308175528.GH6773@mellanox.com (mailing list archive)
State	Not Applicable
Headers	show Return-Path: <linux-rdma-owner@kernel.org> Date: Thu, 8 Mar 2018 10:55:28 -0700 From: Jason Gunthorpe <jgg@mellanox.com> To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Kate Stewart <kstewart@linuxfoundation.org>, Philippe Ombredanne <pombredanne@nexb.com>, Thomas Gleixner <tglx@linutronix.de>, linux-rdma@vger.kernel.org, Doug Ledford <dledford@redhat.com> Subject: SPDX tag question Message-ID: <20180308175528.GH6773@mellanox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) Received-SPF: None (protection.outlook.com: mellanox.com does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; HE1PR0501MB2860; 23:qazFrtC6wp/3dMJ7VdEKHMFwy7/hn4c3OAJ+K1c?= =?us-ascii?Q?VS9YWzbyvfDH+VwZoWR/qyYpDkpcxUGo9VmXwg7JzWQ4Z31HRvtHonMTjlnr?= =?us-ascii?Q?tEVNuG2CRNBpMZG8PoYhpjqpNwqRDctYeXX8OJaYlGJEIMYuX1xS1yvQDrBt?= =?us-ascii?Q?x3MKZYsTf6QvNRhqMkCekWDnGjYMYGB6BxLLxKtHOYImcaGrKbmKnEuuDBGX?= =?us-ascii?Q?gajQmWk6ItR63PtyzMZvVZG/j2NAdUkFpof/mHFkEi9tHHn35wGhOpC0NCHY?= =?us-ascii?Q?DaWuLM//4boZpo0+KG56Lskv3zDMUT0wUAkaiD+7leDNm5JoqkczZDPhCPx7?= =?us-ascii?Q?fpVubDOafuWpOphMcw4ehzWdAWh0Zopq3OI3C4fPAeYPwYLNe7qUzHHlnq9Z?= =?us-ascii?Q?z6F4WR46NAcMZr/zVfkfv6eQA9O6sqnExMo3V87DNq5PxNemM12KiQJrHsQj?= =?us-ascii?Q?Ge4E2WEjLMnIul5PfP/kPa/TZ3buDx0y+sBWrKIerocDufykAuXsR31P3Tb1?= =?us-ascii?Q?tKwemWEq39aCxBI6/2vKrtAsY7YbAKpuWVP8rqcMx7cR3ecB3/zFqlXS+gcO?= =?us-ascii?Q?FDCVRwwOzX/Vzr4KgjuPUJciQmQzPLbJJXlRb1FTRLlG99bo2Q+7PZ8ZD2zl?= =?us-ascii?Q?+Q/UO+/BoaQdbBL2Q6ULom5zhtj+PA0AOPO7OIX0bDA28uT5bd8XVodbH7HS?= =?us-ascii?Q?ylDP8hIZXRDj+52u+zOCZQjkkfI0Qo9CXAfBVrEl5kl6n1sZpusjzW8ImzD9?= =?us-ascii?Q?dFuqLpb9cB3akMvOX8HHluDpuBVPv7oQd795iLzU5e8Q8uHjimRoTuoE56Ss?= =?us-ascii?Q?9vBZ8cIgW9fJjiO+DaauWGlRoj+apfzLdWMQ6pYR94Vh7QxEcegYpSzIdPNz?= =?us-ascii?Q?btA6xb9Y6X1k4W/qJ8o6EI5xXsJ6v3EWpk6WnmDE9MScY/lUBDaJ5UJR9B6K?= =?us-ascii?Q?JnDQFRL/oGvkNekWcSkvzB8jUi2xENOTyDe6Jgb6yHwfRa3Sn/2GYspwMWv2?= =?us-ascii?Q?E34I9ibrOCpjd6YPAZ9iUBBmdVDRrF4zsc99HN79IzJELQCRFrBftRMQk+7H?= =?us-ascii?Q?JZsMliuXo3KD90pxWF+11RsdNcrCqrX5F+w7ljYz3DLscskNyFnfGy+5IUMz?= =?us-ascii?Q?oJDcnyGRr8XwVnyjyYKneZLrz4c00cuBENRr5zeg2VdA4PtDLruaB0YznIU/?= =?us-ascii?Q?TMsXFS69AI9k3pP48DdzJ+SFR8u+9+hLIn0rXEP+hm3SL48J4UYiEYLLibd8?= =?us-ascii?Q?ML4QXf2sHLXKsISvoc6g=3D?= X-Microsoft-Antispam-Message-Info: hZsT7jQJFdrelsd/iQb12NdqmK3kvpCHQJONBxJEjb9SCla0zgbuCNamU1SV6duRPaiKBJxKfQKd/UtGkG5sKGPL+HUx7Np2xWWULYcxMnURuIoEVDyca3pChdru2Md+9QrSh6U/0HzEKURA6ywMPWH3pq4L8kJN8tFR4ehnd3lWyVLYxAWOT6eE8+0EHL21 X-Microsoft-Exchange-Diagnostics: 1; HE1PR0501MB2860; 6:gBHqG+C6yqfA6M8bRuz1c+wbgTaQiTpAu+/lefUipLfUj8vRdW7mLsm5YuEUNmZDvqtpo5e8JtcLyS4zAv0ZO1qm0tm17M2t5/XoB8Im7+tnEalcKBXzuD6J3Uf81vWnN8Pzpafq4JQRfsTJNr7lx1SZcjz2ue0TxbOcA25BZdCBo8FfCnzdyBkokHnDz8Fs2ObajnisyTof0HxS7B9NG4KnwM8sAh+J7ANW4xO53pNh1G3g/HvyOJYXm7AphmhnenDNsWZZc2wl+JwwTtwk3g+33hLMza9oD4MTSpRQLWlXOSk6uGcwB2ZF3iAX0uLXOMQqQhJkFKFcCKee81dkkYotTWhez/x4Ur0y/xpEkDg=; 5:e3Fji6zomx7aNoUOGRS79a6v5fePAW8yGnGP5J9oIEiQ4dNUnA30DsTiX0uCLQHp1GEYcHoAxdvZfqtM2oZirJAJUksrrK+7yCzjk37h6NiZGqv/PGek9Oi0zJZimzmjdmjld2wwIcWAREIjLiqP4UobIl+Gu6DPRcCiz1K6y1U=; 24:FsdV1x58NDPu8dZFQEFFaH39ES7uqt3Uk7gd4go1ejkquYuC4A8xOS1+DvAEZq+nowxiOxCKdIFELAWH3UErjXtYzpKvF9cX1UMS/DJ5+ao=; 7:Qinkoh6Sg+eOoAFEbonItq0xRex3NYBLCRG0AhrwrzPUHqEak7eeZG7WpnpnrgIKSRMCyOGa2YH4xSjewABwoHF4X7A/bNlXd4QjKi+J7e5JdXa68x8CVw2olgVPCePwPYivBxxUIX9cp8U9ZA4JD3dCO5obY+1Q9QavK2ACzLS22+URp4rimPNB4JdKqAV48Q1JL/fRnQMYCRluZZtN6/BmDjUlD9xQCqjovOw0gj0wNMViVZ1j0Hu3sI1sHhxY SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk

Jason Gunthorpe March 8, 2018, 5:55 p.m. UTC

Hi Greg & Co,

A question has come up in the infiniband/rdma space about what SPDX
license headers to use for some of our files.

I see in commit e2be04c7f9958dde770eeb8b30e829ca969b37bb you added
this header:

the same conclusion.

The license in this file does not have the same 'disclaimer' text as
the reference BSD-2-Clause, which sounds like it shouldn't match based
on guideline 2.1.1 ?

Specifically, the so-called 'OpenIB.org BSD license' is a mash up of
the first half of the 2 clause BSD license with the disclaimer
replaced with the disclaimer from the MIT license.

As I read the SPDX rules this license seems like it needs a new tag?

Alternatively, we can keep using the BSD-2-Clause tag if it was
determined that is correct for some reason?

Can you shed any light on this topic?

Thanks,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Greg KH March 10, 2018, 8:06 p.m. UTC | #1

On Thu, Mar 08, 2018 at 10:55:28AM -0700, Jason Gunthorpe wrote:
> Hi Greg & Co,
> 
> A question has come up in the infiniband/rdma space about what SPDX
> license headers to use for some of our files.

Which is a huge hint you should probably make it a lot simpler :)

> I see in commit e2be04c7f9958dde770eeb8b30e829ca969b37bb you added
> this header:
> 
> --- a/include/uapi/rdma/ib_user_sa.h
> +++ b/include/uapi/rdma/ib_user_sa.h
> @@ -1,3 +1,4 @@
> +/* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) */
>  /*
> 
> However, following the matching guidelines at spdx.org, I don't get to
> the same conclusion.

Please read the text in Documentation/process/license_rules.rst for the
matching guidelines here.  It did diverge a bit from spdx, but not in a
way that should be incompatible.

> The license in this file does not have the same 'disclaimer' text as
> the reference BSD-2-Clause, which sounds like it shouldn't match based
> on guideline 2.1.1 ?

Then please tell me what exact license that file is trying to express,
as it really looks like BSD-2-Clause to me.  What were you intending to
state here, something other than BSD-2?  It better have not been a
"custom" one :)

> Specifically, the so-called 'OpenIB.org BSD license' is a mash up of
> the first half of the 2 clause BSD license with the disclaimer
> replaced with the disclaimer from the MIT license.

Horrid mess, why in the world would you all do that :(

> As I read the SPDX rules this license seems like it needs a new tag?

Or fix the license of the text to be sane please, there's no need to
make yet-another-license for something as "simple" as BSD-2-clause.

Or even better, just drop the BSD mess, and stick with GPLv2 with
syscall exception, which I'm pretty sure gives you everything you really
want here anyway, right?

> Alternatively, we can keep using the BSD-2-Clause tag if it was
> determined that is correct for some reason?

It really looks like this is BSD-2 to me, if not, please specify the
exact license in the SPDX line.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Jason Gunthorpe March 10, 2018, 10:01 p.m. UTC | #2

On Sat, Mar 10, 2018 at 12:06:36PM -0800, Greg Kroah-Hartman wrote:
> On Thu, Mar 08, 2018 at 10:55:28AM -0700, Jason Gunthorpe wrote:
> > Hi Greg & Co,
> > 
> > A question has come up in the infiniband/rdma space about what SPDX
> > license headers to use for some of our files.
> 
> Which is a huge hint you should probably make it a lot simpler :)

This license text was written in around 2005 and has been copied into
around 659 files in the kernel. It looks like there are > 15 companies
listed as copyright holders, some now defunct.

Doug and I are just maintaining a subsystem where this license is
particularly popular and we'd like to ensure we are following the SPDX
rules correctly considering we have inherited this odd license text.

I'm not sure what power you think Doug and I have to "make it a lot
simpler"? Is there something we can do so long after the fact?

> > The license in this file does not have the same 'disclaimer' text as
> > the reference BSD-2-Clause, which sounds like it shouldn't match based
> > on guideline 2.1.1 ?
> 
> Then please tell me what exact license that file is trying to express,
> as it really looks like BSD-2-Clause to me.  What were you intending to
> state here, something other than BSD-2?  It better have not been a
> "custom" one :)

I'm pretty confident the intent was to use a "GPLv2 and BSD dual
license" scheme. Beyond that, I don't know what motivated selecting
the warranty clause from the MIT license. It was so long ago nobody
seems to know anymore.

I don't want to embark on some relicensing quest 12 years after the
fact just to use SPDX.. I thought the point of SPDX was to document
the current licensing situation accurately?

> > Alternatively, we can keep using the BSD-2-Clause tag if it was
> > determined that is correct for some reason?
> 
> It really looks like this is BSD-2 to me, if not, please specify the
> exact license in the SPDX line.

Well, this is why I am writing to you. To ask if BSD-2-Clause is the
right tag for the license example in include/uapi/rdma/ib_user_sa.h
(which is copied into around 659 kernel files)

If you ignore the preamble and start at "Redistribution" then:

 The first 50% of the license text matches the sample license of SPDX
 BSD-2-Clause, up until "THE SOFTWARE IS PROVIDED".

 The final paragraph matches the sample license of the SPDX for MIT.

I've grepped through the SPDX database and no SPDX tag includes this
combination of 2 clauses and warranty text together.

My reading of the matching rules is that this is a 'no match' to
BSD-2-Clause.

If you say it is BSD-2-Clause then we will keep using that and move
on.

If you agree it doesn't match then I will request a new tag and use
that instead.

Thanks,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Greg KH March 11, 2018, 1:16 a.m. UTC | #3

On Sat, Mar 10, 2018 at 03:01:53PM -0700, Jason Gunthorpe wrote:
> On Sat, Mar 10, 2018 at 12:06:36PM -0800, Greg Kroah-Hartman wrote:
> > On Thu, Mar 08, 2018 at 10:55:28AM -0700, Jason Gunthorpe wrote:
> > > Hi Greg & Co,
> > > 
> > > A question has come up in the infiniband/rdma space about what SPDX
> > > license headers to use for some of our files.
> > 
> > Which is a huge hint you should probably make it a lot simpler :)
> 
> This license text was written in around 2005 and has been copied into
> around 659 files in the kernel. It looks like there are > 15 companies
> listed as copyright holders, some now defunct.

Any hint as to who wrote it in the very first place?  And why was it
copied everywhere?  What drove that decision?

> Doug and I are just maintaining a subsystem where this license is
> particularly popular and we'd like to ensure we are following the SPDX
> rules correctly considering we have inherited this odd license text.
> 
> I'm not sure what power you think Doug and I have to "make it a lot
> simpler"? Is there something we can do so long after the fact?

Sorry, I thought this was a unique one-off for just this specific
driver.

> > > The license in this file does not have the same 'disclaimer' text as
> > > the reference BSD-2-Clause, which sounds like it shouldn't match based
> > > on guideline 2.1.1 ?
> > 
> > Then please tell me what exact license that file is trying to express,
> > as it really looks like BSD-2-Clause to me.  What were you intending to
> > state here, something other than BSD-2?  It better have not been a
> > "custom" one :)
> 
> I'm pretty confident the intent was to use a "GPLv2 and BSD dual
> license" scheme. Beyond that, I don't know what motivated selecting
> the warranty clause from the MIT license. It was so long ago nobody
> seems to know anymore.
> 
> I don't want to embark on some relicensing quest 12 years after the
> fact just to use SPDX.. I thought the point of SPDX was to document
> the current licensing situation accurately?

Yes it is, but if you think you have a "brand new" license here, that's
different and everyone needs to be aware of it.  Including your lawyers,
what do they think about this?

> > > Alternatively, we can keep using the BSD-2-Clause tag if it was
> > > determined that is correct for some reason?
> > 
> > It really looks like this is BSD-2 to me, if not, please specify the
> > exact license in the SPDX line.
> 
> Well, this is why I am writing to you. To ask if BSD-2-Clause is the
> right tag for the license example in include/uapi/rdma/ib_user_sa.h
> (which is copied into around 659 kernel files)

I'm not a lawyer, so I can't provide legal intrepretation for a license,
sorry.

> If you ignore the preamble and start at "Redistribution" then:
> 
>  The first 50% of the license text matches the sample license of SPDX
>  BSD-2-Clause, up until "THE SOFTWARE IS PROVIDED".
> 
>  The final paragraph matches the sample license of the SPDX for MIT.
> 
> I've grepped through the SPDX database and no SPDX tag includes this
> combination of 2 clauses and warranty text together.
> 
> My reading of the matching rules is that this is a 'no match' to
> BSD-2-Clause.
> 
> If you say it is BSD-2-Clause then we will keep using that and move
> on.
> 
> If you agree it doesn't match then I will request a new tag and use
> that instead.

I think maybe Kate and Phillipe need to chime in here with what they
think to do, as they are the ones that have examined the thousands of
different variants of license floating in the kernel tree.

If the intent is for this to really be bsd-2, then yes, we should be
able to just mark it as such, delete the confusing license text, and be
done with it.  But to be sure, I strongly suggest you go ask your
corporate lawyers if they are ok with it, as they are the ones that need
to also agree with this.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Jason Gunthorpe March 11, 2018, 3:15 a.m. UTC | #4

On Sat, Mar 10, 2018 at 05:16:04PM -0800, Greg Kroah-Hartman wrote:
> On Sat, Mar 10, 2018 at 03:01:53PM -0700, Jason Gunthorpe wrote:
> > On Sat, Mar 10, 2018 at 12:06:36PM -0800, Greg Kroah-Hartman wrote:
> > > On Thu, Mar 08, 2018 at 10:55:28AM -0700, Jason Gunthorpe wrote:
> > > > Hi Greg & Co,
> > > > 
> > > > A question has come up in the infiniband/rdma space about what SPDX
> > > > license headers to use for some of our files.
> > > 
> > > Which is a huge hint you should probably make it a lot simpler :)
> > 
> > This license text was written in around 2005 and has been copied into
> > around 659 files in the kernel. It looks like there are > 15 companies
> > listed as copyright holders, some now defunct.
> 
> Any hint as to who wrote it in the very first place?  And why was it
> copied everywhere?  What drove that decision?

Around 2005 an industry association called "OpenIB" was founded to
consolidate and upstream into Linux what is today drivers/infiniband.

That group of companies mutually agreed to use a "dual GPL and BSD
license" scheme and the membership agreement obligated the member
companies to use such a license. I don't know if OpenIB ever
officially published an actual license text or not, anything from that
era seems gone.

As I understand it: At that point in history many of the member
companies were new to this Open Source thing and had propriety systems
they wanted to incorporate this software into. (eg Solaris, AIX,
FreeBSD, etc have all benefited from this work) So this very
permissive BSD license option was selected to give them the most
rights to the code they contributed.

Somehow when drivers/infiniband was first merged it contained this
license text. I don't know where Roland Drier got the text from.

From there all the member companies copy and pasted that text, and it
become the cannonical text.

After that it appeared to spread into other parts of the kernel, eg
crypto, scsi, net, etc all now have files that use it. I can't imagine
this was any sort of well thought out act, probably just the same
developers 'cargo cult' copying what they had always done.

If that wasn't confusing enough, some of the userspace side of the
subsystem uses a different variant of the OpenIB.org BSD license that
includes the FreeBSD warranty, not the MIT warranty. I have no idea why
that is, or where that came from either, I only know about it because
I audited the licenses of the userspace side and noticed this
difference.

> > I don't want to embark on some relicensing quest 12 years after the
> > fact just to use SPDX.. I thought the point of SPDX was to document
> > the current licensing situation accurately?
> 
> Yes it is, but if you think you have a "brand new" license here, that's
> different and everyone needs to be aware of it.

I would call it a variation than brand new, but yes. It appears to be
yet another BSD 2 clause license what slightly different wording. SPDX
has a few of these things already.

> Including your lawyers, what do they think about this?

I haven't asked Mellanox Lawyers. I had thought the SPDX tag to use
should be a mechanical question, not a legal question.

I doubt Mellanox lawyers are familiar with SPDX.

> > > It really looks like this is BSD-2 to me, if not, please specify the
> > > exact license in the SPDX line.
> > 
> > Well, this is why I am writing to you. To ask if BSD-2-Clause is the
> > right tag for the license example in include/uapi/rdma/ib_user_sa.h
> > (which is copied into around 659 kernel files)
> 
> I'm not a lawyer, so I can't provide legal intrepretation for a license,
> sorry.

Nor am I.

It was your patch that put the tag on in the first place, so I was
hoping you or those CC'd would have some advice, perhaps the different
text was already noticed and deemed not relevant, for instance.

> > If you ignore the preamble and start at "Redistribution" then:
> > 
> >  The first 50% of the license text matches the sample license of SPDX
> >  BSD-2-Clause, up until "THE SOFTWARE IS PROVIDED".
> > 
> >  The final paragraph matches the sample license of the SPDX for MIT.
> > 
> > I've grepped through the SPDX database and no SPDX tag includes this
> > combination of 2 clauses and warranty text together.
> > 
> > My reading of the matching rules is that this is a 'no match' to
> > BSD-2-Clause.
> > 
> > If you say it is BSD-2-Clause then we will keep using that and move
> > on.
> > 
> > If you agree it doesn't match then I will request a new tag and use
> > that instead.
> 
> I think maybe Kate and Phillipe need to chime in here with what they
> think to do, as they are the ones that have examined the thousands of
> different variants of license floating in the kernel tree.

That would be great.

> If the intent is for this to really be bsd-2, then yes, we should be
> able to just mark it as such, delete the confusing license text, and be
> done with it.  But to be sure, I strongly suggest you go ask your
> corporate lawyers if they are ok with it, as they are the ones that need
> to also agree with this.

Well, even if Mellanox lawyers agree to that scheme, OpenIB had
something like 15-20 member companies (some now defunct) contributing
code and owning copyrights in the kernel with this license.

I know blanket changes to licenses can be legally tricky so I wouldn't
want to embark on that as a subsystem co-maintainer without support
beyond my corporate legal..

Thanks,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Philippe Ombredanne March 12, 2018, 9:06 p.m. UTC | #5

Hi Jason,

On Sat, Mar 10, 2018 at 7:15 PM, Jason Gunthorpe <jgg@mellanox.com> wrote:
> On Sat, Mar 10, 2018 at 05:16:04PM -0800, Greg Kroah-Hartman wrote:
>> On Sat, Mar 10, 2018 at 03:01:53PM -0700, Jason Gunthorpe wrote:
>> > On Sat, Mar 10, 2018 at 12:06:36PM -0800, Greg Kroah-Hartman wrote:
>> > > On Thu, Mar 08, 2018 at 10:55:28AM -0700, Jason Gunthorpe wrote:
>> > > > Hi Greg & Co,
>> > > >
>> > > > A question has come up in the infiniband/rdma space about what SPDX
>> > > > license headers to use for some of our files.
>> > >
>> > > Which is a huge hint you should probably make it a lot simpler :)
>> >
>> > This license text was written in around 2005 and has been copied into
>> > around 659 files in the kernel. It looks like there are > 15 companies
>> > listed as copyright holders, some now defunct.
>>
>> Any hint as to who wrote it in the very first place?  And why was it
>> copied everywhere?  What drove that decision?
>
> Around 2005 an industry association called "OpenIB" was founded to
> consolidate and upstream into Linux what is today drivers/infiniband.
>
> That group of companies mutually agreed to use a "dual GPL and BSD
> license" scheme and the membership agreement obligated the member
> companies to use such a license. I don't know if OpenIB ever
> officially published an actual license text or not, anything from that
> era seems gone.
>
> As I understand it: At that point in history many of the member
> companies were new to this Open Source thing and had propriety systems
> they wanted to incorporate this software into. (eg Solaris, AIX,
> FreeBSD, etc have all benefited from this work) So this very
> permissive BSD license option was selected to give them the most
> rights to the code they contributed.
>
> Somehow when drivers/infiniband was first merged it contained this
> license text. I don't know where Roland Drier got the text from.
>
> From there all the member companies copy and pasted that text, and it
> become the cannonical text.
>
> After that it appeared to spread into other parts of the kernel, eg
> crypto, scsi, net, etc all now have files that use it. I can't imagine
> this was any sort of well thought out act, probably just the same
> developers 'cargo cult' copying what they had always done.
>
> If that wasn't confusing enough, some of the userspace side of the
> subsystem uses a different variant of the OpenIB.org BSD license that
> includes the FreeBSD warranty, not the MIT warranty. I have no idea why
> that is, or where that came from either, I only know about it because
> I audited the licenses of the userspace side and noticed this
> difference.

Let me recheck in details drivers/infiniband

Jason Gunthorpe March 12, 2018, 9:31 p.m. UTC | #6

On Mon, Mar 12, 2018 at 04:15:08PM -0500, Kate Stewart wrote:
>    Hi Jason,

>    I've discussed it with my legal contacts, and it does sound like
>    the best path forward at this time is to come up with a new SPDX
>    id for this variant, given its pervasive nature.  I'll put a
>    request in to the SPDX legal group for a new identifier, and we
>    can shift the conversation over to there for now.

Okay. Thank you. Doug and I will wait to hear back from you before
allowing any more SPDX tags for this license text in the subsystem.

Please let me know if any more information is required, I may be able
to dig up more information if required to do so.

>    It will probably take a month or so to work through their meetings,
>    but that is going to be less problematic than the other option
>    for cleaning this up.  Thanks for the detailed background, it
>    helped.  Kate

When requesting a tag can some text be added to the notes in the SPDX
database alerting the reader to check the license carefully as there
are many things claiming to be this license?

For instance in the kernel these four files:

 arch/arm/crypto/crct10dif-ce-core.S
 arch/arm64/crypto/crct10dif-ce-core.S
 arch/x86/crypto/aesni-intel_avx-x86_64.S
 arch/x86/crypto/crct10dif-pcl-asm_64.S

Claim to be the OpenIB.org BSD license, but Intel has modified it in a
way I've never seen before.

And in user space we see this version claiming to be the "OpenIB.org
BSD license"

  https://github.com/linux-rdma/rdma-core/blob/master/COPYING.BSD_FB

That one already matches the SPDX BSD-2-CLAUSE though.

Given this, I expect there are others too.

Thanks,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Philippe Ombredanne March 14, 2018, 5:58 p.m. UTC | #7

Jason,

On Mon, Mar 12, 2018 at 2:31 PM, Jason Gunthorpe <jgg@mellanox.com> wrote:
> On Mon, Mar 12, 2018 at 04:15:08PM -0500, Kate Stewart wrote:
>>    Hi Jason,
>
>>    I've discussed it with my legal contacts, and it does sound like
>>    the best path forward at this time is to come up with a new SPDX
>>    id for this variant, given its pervasive nature.  I'll put a
>>    request in to the SPDX legal group for a new identifier, and we
>>    can shift the conversation over to there for now.
>
> Okay. Thank you. Doug and I will wait to hear back from you before
> allowing any more SPDX tags for this license text in the subsystem.
>
> Please let me know if any more information is required, I may be able
> to dig up more information if required to do so.
>
>>    It will probably take a month or so to work through their meetings,
>>    but that is going to be less problematic than the other option
>>    for cleaning this up.  Thanks for the detailed background, it
>>    helped.  Kate
>
> When requesting a tag can some text be added to the notes in the SPDX
> database alerting the reader to check the license carefully as there
> are many things claiming to be this license?
>
> For instance in the kernel these four files:
>
>  arch/arm/crypto/crct10dif-ce-core.S
>  arch/arm64/crypto/crct10dif-ce-core.S
>  arch/x86/crypto/aesni-intel_avx-x86_64.S
>  arch/x86/crypto/crct10dif-pcl-asm_64.S
>
> Claim to be the OpenIB.org BSD license, but Intel has modified it in a
> way I've never seen before.
>
> And in user space we see this version claiming to be the "OpenIB.org
> BSD license"
>
>   https://github.com/linux-rdma/rdma-core/blob/master/COPYING.BSD_FB
>
> That one already matches the SPDX BSD-2-CLAUSE though.
>
> Given this, I expect there are others too.

First I want to apologize because this is a major #FAIL on my side and
to make me feel less guilty that's also a fail on the part of the
other licenses scanners we used: these were also treated by Fossology
and the WR scanner as BSD-Clause FWIW, but that's a weak excuse!

I very clearly recall stumbling on these variants of the "simplified"
BSD last year. And I ended up treating them as regular BSD-2-Clause
ignoring the variations in the warranty disclaimers.

This was based on reports of quirks by Thomas and team ... and I
pushed the commits to treat these as plain BSD-2-Clause some 11 months
and a few scores ago in two commits [1] [2]  to scancode-toolkit. I should
have known better as Thomas's reports always are laser focused.

Here is what I am doing to clear up this mini mess (and will report
here by tomorrow):

1. I collected all the kernel files that have this OpenIB licenses in 4.16rc4
grep -r linux-4.16-rc4 -e "OpenIB.org" -l

2. I am also adding the openfabric code from master [3] and that from rdma [4]

I am scanning, diffing and reviewing all these in details to properly
identify all the variants of these puppies.

Then I will:

1. update scancode so that these variants are detected correctly and
not mixed up with a BSD-2-Clause

2. work with Kate and SPDX so we can get these a new SPDX id. I/we
will push to fasttrack this.

Then we can work out proper kernel patches.

[1] https://github.com/nexB/scancode-toolkit/commit/83cebdf2dc00c0f211c84d27047a1c8b937f508e
[2] https://github.com/nexB/scancode-toolkit/commit/a88bc8d8b598b2378d0729b5e568e4d73ab89e52
[3] https://github.com/ofiwg/libfabric
[4] https://github.com/linux-rdma/rdma-core/

Jason Gunthorpe March 14, 2018, 7:24 p.m. UTC | #8

On Wed, Mar 14, 2018 at 10:58:59AM -0700, Philippe Ombredanne wrote:

> Then I will:
> 
> 1. update scancode so that these variants are detected correctly and
> not mixed up with a BSD-2-Clause
> 
> 2. work with Kate and SPDX so we can get these a new SPDX id. I/we
> will push to fasttrack this.
> 
> Then we can work out proper kernel patches.

Okay thank you, we will wait for these outcomes!

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Jason Gunthorpe March 22, 2018, 6:31 p.m. UTC | #9

On Thu, Mar 22, 2018 at 01:05:15PM -0500, Kate Stewart wrote:
>    On Wed, Mar 14, 2018 at 2:24 PM, Jason Gunthorpe <[1]jgg@mellanox.com>
>    wrote:
> 
>      On Wed, Mar 14, 2018 at 10:58:59AM -0700, Philippe Ombredanne wrote:
>      > Then I will:
>      >
>      > 1. update scancode so that these variants are detected correctly
>      and
>      > not mixed up with a BSD-2-Clause
>      >
>      > 2. work with Kate and SPDX so we can get these a new SPDX id. I/we
>      > will push to fasttrack this.
>      >
>      > Then we can work out proper kernel patches.
>      Okay thank you, we will wait for these outcomes!
> 
>    With the help of Steve Winslow,  the case for including it as a
>    separate identifier was
>    prep'd up and a pull request created (ie. we made it as easy possible)
>    Legal team reviewed it today and accepted it.  :-)
>    More info in: https://github.com/spdx/license-list-XML/issues/620
>    and https://github.com/spdx/license-list-XML/pull/621
>    Identifier will be "Linux-OpenIB" when 3.1 is released.

Okay, thank you!

Is this set in stone now, should I send a patch to update the SPDX's
soon or wait some more?

Thanks,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Commit Message

Comments

Patch