From: "Michael Kubacki"
Date: Fri, 3 Nov 2023 11:19:07 -0400
Subject: Re: [edk2-devel] [PATCH v4 8/8] ReadMe.rst: Add CodeQL/analyze directory under other licenses
To: Laszlo Ersek, devel@edk2.groups.io
Cc: Andrew Fish, Leif Lindholm, Michael D Kinney
Message-ID: <1a73433a-ba01-4320-b7dd-fa05f0b58c3e@linux.microsoft.com>
References: <20231102200313.1010-1-mikuback@linux.microsoft.com> <20231102200313.1010-9-mikuback@linux.microsoft.com>

On 11/3/2023 10:46 AM, Laszlo Ersek wrote:
> On 11/3/23 15:16, Michael Kubacki wrote:
>> On 11/3/2023 9:06 AM, Laszlo Ersek wrote:
>>> On 11/2/23 21:03, Michael Kubacki wrote:
>>>> From: Michael Kubacki
>>>>
>>>> The code in this directory is licensed under Apache License, Version
>>>> 2.0. Therefore, the directory is listed under paths with licenses
>>>> other than BSD-2-Clause Plus Patent. The directory link points to the
>>>> complete Apache License, Version 2.0 on apache.org.
>>>>
>>>> Cc: Andrew Fish
>>>> Cc: Laszlo Ersek
>>>> Cc: Leif Lindholm
>>>> Cc: Michael D Kinney
>>>> Signed-off-by: Michael Kubacki
>>>> ---
>>>>   ReadMe.rst | 1 +
>>>>   1 file changed, 1 insertion(+)
>>>>
>>>> diff --git a/ReadMe.rst b/ReadMe.rst
>>>> index 06fb122ef382..808ccd37af50 100644
>>>> --- a/ReadMe.rst
>>>> +++ b/ReadMe.rst
>>>> @@ -73,6 +73,7 @@ The majority of the content in the EDK II open >>>> source project uses a >>>> =C2=A0 source project contains the following components that are cove= red >>>> by additional >>>> =C2=A0 licenses: >>>> =C2=A0 +-=C2=A0 `BaseTools/Plugin/CodeQL/analyze >>>> `__ >>>> =C2=A0 -=C2=A0 `BaseTools/Source/C/LzmaCompress >>>> `__ >>>> =C2=A0 -=C2=A0 `BaseTools/Source/C/VfrCompile/Pccts >>>> `__ >>>> =C2=A0 -=C2=A0 `CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c >>>> `__
>>>
>>> I've carefully read through the cover letter now (impressive work!). I
>>> have some questions, with reference to Leif's comment at
>>> as well:
>>>
>>> - Is the BaseTools/Plugin/CodeQL/analyze subdirectory not supposed to
>>> contain a standalone "COPYING" or similar file?
>>>
>>> If not, then the current patch seems fine:
>>>
>>> Reviewed-by: Laszlo Ersek
>>>
>> I wasn't aware of anything further needed for the Apache License 2.0.
>> I'm familiar with COPYING in the context of GNU licensing
>> (https://www.gnu.org/licenses/gpl-howto.html). I don't see it applying
>> directly to the Apache licensing process as I understand it.
>
> Apologies, I was unclear.
>
> My point was only that, if the copyright notices were included inside the local subdir, then we should point this reference too to that local file. And, I thought that any project would include such a separate file (which we'd now inherit).
>
> Given that that is not the case, just apply my R-b. :)
>
>>
>>> - I'd like to understand where the BaseTools/Plugin/CodeQL/analyze/
>>> contents (three files) originate from. If it was authored by Microsoft,
>>> then I don't understand (per v4 series changelog in the cover letter)
>>> why the Microsoft copyright notice had to be removed. And if it is not
>>> original work by Microsoft, but work derived by Microsoft from other
>>> original work, then it should contain both the original copyright
>>> notices, and Microsoft's.
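Review bot: The added BaseTools/Plugin/CodeQL/analyze entry at the top of the license list links, per the commit message, to the Apache License 2.0 text on apache.org rather than to a file in the tree, so the directory itself carries no standalone copy of its license. Consider adding the license text alongside the files in that directory and pointing this entry at it, so the reference does not depend on an external URL; if the per-file headers are meant to be the only notice, state that in the commit message. Separately, the neighbouring CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c context line uses backslashes while the new entry uses forward slashes; normalizing the older entry would fit a follow-up patch.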
>>>
>> Because these are only a couple files, I tried to follow the guidance in
>> "To apply the Apache License to specific files in your work..." in "How
>> To Apply the Apache License to Your Work" in
>> https://www.apache.org/licenses/LICENSE-2.0.
>>
>> For those files I:
>>
>> 1. Made the upper text clearly state Apache License Version 2.0 with a
>> link to apache.org/licenses.
>>
>> 2. Included the boilerplate text as given in the above link for
>> "licensing specific files in your work".
>>
>> 3. Preserved any existing copyrights.
>>
>>    - globber.py had a pre-existing copyright preserved
>
> Ah, indeed! Sorry, I totally missed that. Mea culpa!
>
>>    - analyze_filter.py did not have one in the source Python file or
>>      its LICENSE file
>
> OK!
>
>
> Finally, I'm just noticing that "BaseTools/Plugin/CodeQL/analyze/__init__.py" is actually an empty file. This looks like a python trick:
>
> https://old.reddit.com/r/learnpython/comments/fuxv57/can_init_py_actually_be_empty/
> https://stackoverflow.com/questions/448271/what-is-init-py-for
>
> So I now understand this empty __init__.py is not derived from -- it is a genuine addition under edk2, right?
>
> But, because it is zero size (intentionally), adding a Microsoft copyright notice to it was deemed overkill. Is that correct?
>
> We have a bunch of other, similarly empty __init__.py files:
>
> BaseTools/Plugin/DebugMacroCheck/tests/__init__.py
> BaseTools/Source/C/BrotliCompress/brotli/python/tests/__init__.py
> BaseTools/Source/Python/Ecc/CParser3/__init__.py
> BaseTools/Source/Python/Ecc/CParser4/__init__.py
> BaseTools/Source/Python/Eot/CParser3/__init__.py
> BaseTools/Source/Python/Eot/CParser4/__init__.py
> MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/python/tests/__init__.py
>

That's correct and my reasoning. If a copyright notice must be added,
I'm happy to do so.

>>
>> 4. Appended text stating the source of the files and a brief summary of
>> the changes in this copy relative to the original.
>>
>>> The file-top comments in those three files reference
>>>
>>>    https://github.com/advanced-security/filter-sarif
>>>
>>> as the origin. Do the original files in that repository contain
>>> copyright notices? (Or does their containing project come with a COPYING
>>> or similar file?) I'm not looking for a license specification (SPDX or
>>> natural language), but specifically for copyright notices on the
>>> original work.
>>>
>> All copyright notices from original files are preserved.
>
> Indeed -- I'm sorry for missing that previously.
>
>>
>> https://github.com/advanced-security itself actually includes a local
>> copy of globber.py
>> https://github.com/advanced-security/filter-sarif/blob/main/globber.py.
>>
>> I dropped the Microsoft copyright in those specific files because my
>> contributions to those files were not significant. If there are other
>> factors to consider, please let me know and I will reconsider.
>
> I think the only other factor here may be that you are creating the file in the edk2 tree.
>
> Whenever I create a new file in edk2 (for example by copying an existent library instance, and customizing the code in the new instance, however minimally), I add a Red Hat copyright notice.
>
> But I don't insist at all, I was just curious of the reasoning!
>

I defaulted to that initially. But after we dived deeper into licensing
and reevaluating the changes, I concluded to remove based on the
triviality of those particular changes to the source file.

>>> Does the organization perhaps use
>>> an over-arching copyright notice somewhere?
>>>
>> I couldn't find anything.
>
> Thanks a lot for checking!
>
> I don't object to any of the v4 patches getting merged as posted.
>
> Cheers,
> Laszlo