public inbox for devel@edk2.groups.io
* [edk2-devel] CodeQL and Apache Licensed Files
@ 2023-10-27 21:11 Michael Kubacki
  2023-10-28 11:51 ` Laszlo Ersek
  0 siblings, 1 reply; 12+ messages in thread
From: Michael Kubacki @ 2023-10-27 21:11 UTC (permalink / raw)
  To: Kinney, Michael D, 'Leif Lindholm', 'Andrew Fish',
	devel@edk2.groups.io
  Cc: 'Sean Brogan'

I'd like to bring attention to Apache License 2.0 code in the CodeQL 
series I sent to the mailing list for steward review.

In particular, the files in the BaseTools/Plugin/CodeQL/analyze 
directory of this patch:

https://edk2.groups.io/g/devel/message/109696

Please let me know if any next steps are needed.

Thanks,
Michael


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110226): https://edk2.groups.io/g/devel/message/110226
Mute This Topic: https://groups.io/mt/102230244/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-27 21:11 [edk2-devel] CodeQL and Apache Licensed Files Michael Kubacki
@ 2023-10-28 11:51 ` Laszlo Ersek
  2023-10-31 16:07   ` Michael Kubacki
  2023-10-31 19:22   ` Pedro Falcato
  0 siblings, 2 replies; 12+ messages in thread
From: Laszlo Ersek @ 2023-10-28 11:51 UTC (permalink / raw)
  To: devel, mikuback, Kinney, Michael D, 'Leif Lindholm',
	'Andrew Fish'
  Cc: 'Sean Brogan', Gerd Hoffmann, Oliver Steffen

On 10/27/23 23:11, Michael Kubacki wrote:
> I'd like to bring attention to Apache License 2.0 code in the CodeQL
> series I sent to the mailing list for steward review.
> 
> In particular, the files in the BaseTools/Plugin/CodeQL/analyze
> directory of this patch:
> 
> https://edk2.groups.io/g/devel/message/109696
> 
> Please let me know if any next steps are needed.

(1) I don't know if edk2 accepts contributions under Apache License 2.0;
just want to point out that this license is acceptable in Fedora (and so
RHEL too), per
<https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>. Assuming
we're talking about "Apache Software License 2.0".

(2) Should we extend "License Details" and "Code Contributions" in
"ReadMe.rst"?

(3) Should the new files (under Apache License 2.0) use an SPDX
identifier tag, for easy greppability?

(4) With the addition, downstream packages (such as RPMs in Fedora and
RHEL) might want to spell out the short SPDX identifier of the new
license too in their License: tags.

Laszlo




* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-28 11:51 ` Laszlo Ersek
@ 2023-10-31 16:07   ` Michael Kubacki
  2023-10-31 17:22     ` Laszlo Ersek
  2023-10-31 19:22   ` Pedro Falcato
  1 sibling, 1 reply; 12+ messages in thread
From: Michael Kubacki @ 2023-10-31 16:07 UTC (permalink / raw)
  To: devel, lersek, Kinney, Michael D, 'Leif Lindholm',
	'Andrew Fish'
  Cc: 'Sean Brogan', Gerd Hoffmann, Oliver Steffen

On 10/28/2023 7:51 AM, Laszlo Ersek wrote:
> On 10/27/23 23:11, Michael Kubacki wrote:
>> I'd like to bring attention to Apache License 2.0 code in the CodeQL
>> series I sent to the mailing list for steward review.
>>
>> In particular, the files in the BaseTools/Plugin/CodeQL/analyze
>> directory of this patch:
>>
>> https://edk2.groups.io/g/devel/message/109696
>>
>> Please let me know if any next steps are needed.
> 
> (1) I don't know if edk2 accepts contributions under Apache License 2.0;
> just want to point out that this license is acceptable in Fedora (and so
> RHEL too), per
> <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>. Assuming
> we're talking about "Apache Software License 2.0".
> 
A few submodules are using the Apache License 2.0.

For example, OpenSSL v3:

- https://www.openssl.org/source/license.html
- https://git.openssl.org/?p=openssl.git;a=blob_plain;f=LICENSE.txt;hb=HEAD

And cmocka:

- https://gitlab.com/cmocka/cmocka/-/blob/master/COPYING

I'm unaware if there was precedent specific to submodules, but I'd 
expect terms like redistribution clauses to already apply regardless of 
tooling used to acquire the source code into the project.

> (2) Should we extend "License Details" and "Code Contributions" in
> "ReadMe.rst"?
> 
My initial thought was to add the path (BaseTools\Plugin\CodeQL\analyze) 
to "License Details".

Was that all that you had in mind or to elaborate further in that 
section on the licenses used/allowed?

> (3) Should the new files (under Apache License 2.0) use an SPDX
> identifier tag, for easy greppability?
> 
I'd be happy to add that.

> (4) With the addition, downstream packages (such as RPMs in Fedora and
> RHEL) might want to spell out the short SPDX identifier of the new
> license too in their License: tags.
> 
> Laszlo
> 
> 
> 
> 
> 



* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 16:07   ` Michael Kubacki
@ 2023-10-31 17:22     ` Laszlo Ersek
  2023-10-31 19:19       ` Michael D Kinney
  0 siblings, 1 reply; 12+ messages in thread
From: Laszlo Ersek @ 2023-10-31 17:22 UTC (permalink / raw)
  To: Michael Kubacki, devel, Kinney, Michael D,
	'Leif Lindholm', 'Andrew Fish'
  Cc: 'Sean Brogan', Gerd Hoffmann, Oliver Steffen

On 10/31/23 17:07, Michael Kubacki wrote:
> On 10/28/2023 7:51 AM, Laszlo Ersek wrote:
>> On 10/27/23 23:11, Michael Kubacki wrote:
>>> I'd like to bring attention to Apache License 2.0 code in the CodeQL
>>> series I sent to the mailing list for steward review.
>>>
>>> In particular, the files in the BaseTools/Plugin/CodeQL/analyze
>>> directory of this patch:
>>>
>>> https://edk2.groups.io/g/devel/message/109696
>>>
>>> Please let me know if any next steps are needed.
>>
>> (1) I don't know if edk2 accepts contributions under Apache License 2.0;
>> just want to point out that this license is acceptable in Fedora (and so
>> RHEL too), per
>> <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>. Assuming
>> we're talking about "Apache Software License 2.0".
>>
> A few submodules are using the Apache License 2.0.
> 
> For example, OpenSSL v3:
> 
> - https://www.openssl.org/source/license.html
> - https://git.openssl.org/?p=openssl.git;a=blob_plain;f=LICENSE.txt;hb=HEAD
> 
> And cmocka:
> 
> - https://gitlab.com/cmocka/cmocka/-/blob/master/COPYING

Thanks for identifying those!

> 
> I'm unaware if there was precedent specific to submodules, but I'd
> expect terms like redistribution clauses to already apply regardless of
> tooling used to acquire the source code into the project.

I believe the same.

> 
>> (2) Should we extend "License Details" and "Code Contributions" in
>> "ReadMe.rst"?
>>
> My initial thought was to add the path (BaseTools\Plugin\CodeQL\analyze)
> to "License Details".
> 
> Was that all that you had in mind or to elaborate further in that
> section on the licenses used/allowed?

- Under "License Details", simply list BaseTools/Plugin/CodeQL/analyze
as one of the "components" (i.e., first list) that use "additional
licenses".

- Under "Code Contributions", we should list "Apache Software License
2.0" as acceptable -- both for this new feature, and for the *already*
upstream stuff that you found above.

> 
>> (3) Should the new files (under Apache License 2.0) use an SPDX
>> identifier tag, for easy greppability?
>>
> I'd be happy to add that.

That's a relief, I didn't know whether you could touch up the license
blocks!

Thanks!
Laszlo

> 
>> (4) With the addition, downstream packages (such as RPMs in Fedora and
>> RHEL) might want to spell out the short SPDX identifier of the new
>> license too in their License: tags.
>>
>> Laszlo
>>
>>
>>
>> 
>>
> 




* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 17:22     ` Laszlo Ersek
@ 2023-10-31 19:19       ` Michael D Kinney
  2023-10-31 19:34         ` Michael Kubacki
  0 siblings, 1 reply; 12+ messages in thread
From: Michael D Kinney @ 2023-10-31 19:19 UTC (permalink / raw)
  To: Laszlo Ersek, Michael Kubacki, devel@edk2.groups.io,
	'Leif Lindholm', 'Andrew Fish'
  Cc: 'Sean Brogan', Gerd Hoffmann, Oliver Steffen,
	Kinney, Michael D

Michael,

I noticed some of the files had Apache 2.0 license and then
you added content under BSD-2-Clause-Patent.  Why wouldn't 
you continue with the original Apache 2.0 license?

Also, I am not sure if you can replace the license text with
the SPDX identifier if the original file had the text.  I know
TianoCore did a license change, but we had to get approval from
all contributors.

Thanks,

Mike


* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-28 11:51 ` Laszlo Ersek
  2023-10-31 16:07   ` Michael Kubacki
@ 2023-10-31 19:22   ` Pedro Falcato
  2023-10-31 19:42     ` Michael D Kinney
  1 sibling, 1 reply; 12+ messages in thread
From: Pedro Falcato @ 2023-10-31 19:22 UTC (permalink / raw)
  To: devel, lersek
  Cc: mikuback, Kinney, Michael D, Leif Lindholm, Andrew Fish,
	Sean Brogan, Gerd Hoffmann, Oliver Steffen

On Sat, Oct 28, 2023 at 12:51 PM Laszlo Ersek <lersek@redhat.com> wrote:
>
> On 10/27/23 23:11, Michael Kubacki wrote:
> > I'd like to bring attention to Apache License 2.0 code in the CodeQL
> > series I sent to the mailing list for steward review.
> >
> > In particular, the files in the BaseTools/Plugin/CodeQL/analyze
> > directory of this patch:
> >
> > https://edk2.groups.io/g/devel/message/109696
> >
> > Please let me know if any next steps are needed.
>
> (1) I don't know if edk2 accepts contributions under Apache License 2.0;
> just want to point out that this license is acceptable in Fedora (and so
> RHEL too), per
> <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>. Assuming
> we're talking about "Apache Software License 2.0".
>
> (2) Should we extend "License Details" and "Code Contributions" in
> "ReadMe.rst"?
>
> (3) Should the new files (under Apache License 2.0) use an SPDX
> identifier tag, for easy greppability?

I would welcome replacing *all* copyright notices with SPDX tags.
Would also end the "Copyright (c) Corp Corporation" churn that
regularly happens in EDK2!

-- 
Pedro



* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 19:19       ` Michael D Kinney
@ 2023-10-31 19:34         ` Michael Kubacki
  2023-10-31 19:45           ` Michael D Kinney
  0 siblings, 1 reply; 12+ messages in thread
From: Michael Kubacki @ 2023-10-31 19:34 UTC (permalink / raw)
  To: Kinney, Michael D, Laszlo Ersek, devel@edk2.groups.io,
	'Leif Lindholm', 'Andrew Fish'
  Cc: 'Sean Brogan', Gerd Hoffmann, Oliver Steffen

On 10/31/2023 3:19 PM, Kinney, Michael D wrote:
> Michael,
> 
> I noticed some of the files had Apache 2.0 license and then
> you added content under BSD-2-Clause-Patent.  Why wouldn't
> you continue with the original Apache 2.0 license?
> 
I will continue with the original license.

> Also, I am not sure if you can replace the license text with
> the SPDX identifier if the original file had the text.  I know
> TianoCore did a license change, but we had to get approval from
> all contributors.
> 
I interpreted the earlier question (3) to mean appending an SPDX 
identifier to the existing header.

I still think there's some value in that for machine readability and 
consistency with the ID being present in most other source files in the 
repo. Do we care to have that?

Note: "Copyright notices" in
https://spdx.dev/learn/handling-license-info/ instructs not to remove or
modify existing notices.

> Thanks,
> 
> Mike
> 

* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 19:22   ` Pedro Falcato
@ 2023-10-31 19:42     ` Michael D Kinney
  2023-10-31 19:49       ` Pedro Falcato
  0 siblings, 1 reply; 12+ messages in thread
From: Michael D Kinney @ 2023-10-31 19:42 UTC (permalink / raw)
  To: Pedro Falcato, devel@edk2.groups.io, lersek@redhat.com
  Cc: mikuback@linux.microsoft.com, Leif Lindholm, Andrew Fish,
	Sean Brogan, Gerd Hoffmann, Oliver Steffen, Kinney, Michael D

Hi Pedro,

SPDX is only for licenses, not copyrights.

There used to be a requirement for Intel copyright end year to be updated.
That is no longer a requirement, and should reduce the churn on the file
headers.

Mike



* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 19:34         ` Michael Kubacki
@ 2023-10-31 19:45           ` Michael D Kinney
  2023-10-31 21:29             ` Michael Kubacki
  0 siblings, 1 reply; 12+ messages in thread
From: Michael D Kinney @ 2023-10-31 19:45 UTC (permalink / raw)
  To: Michael Kubacki, Laszlo Ersek, devel@edk2.groups.io,
	'Leif Lindholm', 'Andrew Fish'
  Cc: 'Sean Brogan', Gerd Hoffmann, Oliver Steffen,
	Kinney, Michael D

Hi Michael,

I agree that SPDX is preferred in file headers over license text
in TianoCore projects.

I just do not know what the rules are when you copy a file from
an external project if you can replace without permission from the
owning project since many of the licenses state that the license
and copyrights need to be preserved.

Mike


* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 19:42     ` Michael D Kinney
@ 2023-10-31 19:49       ` Pedro Falcato
  2023-11-01 11:11         ` Leif Lindholm
  0 siblings, 1 reply; 12+ messages in thread
From: Pedro Falcato @ 2023-10-31 19:49 UTC (permalink / raw)
  To: Kinney, Michael D
  Cc: devel@edk2.groups.io, lersek@redhat.com,
	mikuback@linux.microsoft.com, Leif Lindholm, Andrew Fish,
	Sean Brogan, Gerd Hoffmann, Oliver Steffen

On Tue, Oct 31, 2023 at 7:43 PM Kinney, Michael D
<michael.d.kinney@intel.com> wrote:
>
> Hi Pedro,
>
> SPDX is only for licenses, not copyrights.

IANAL, but several FOSS projects (including Linux) have generally
replaced the "Copyright (c) ..." verbiage with SPDX.
I assume there has to be some legal basis for this, although I don't
know if it depends on the license, etc.
(IIRC I /think/ one could state that copyright holders are stored in
git information, but, again, I'm not a lawyer)

-- 
Pedro



* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 19:45           ` Michael D Kinney
@ 2023-10-31 21:29             ` Michael Kubacki
  0 siblings, 0 replies; 12+ messages in thread
From: Michael Kubacki @ 2023-10-31 21:29 UTC (permalink / raw)
  To: devel, michael.d.kinney, Laszlo Ersek, 'Leif Lindholm',
	'Andrew Fish'
  Cc: 'Sean Brogan', Gerd Hoffmann, Oliver Steffen

I split out the update to ReadMe.rst as a preliminary change to sending
a new version of the CodeQL patch series.

I did this to help isolate feedback related to that general licensing 
update from the larger CodeQL series.

https://edk2.groups.io/g/devel/message/110452

Once that is in, I will update the CodeQL series to remove the 
additional BSD-2-Clause-Patent from files that contain Apache 2.0 license.

Thanks,
Michael

On 10/31/2023 3:45 PM, Michael D Kinney wrote:
> Hi Michael,
> 
> I agree that SPDX is preferred in file headers over license text
> in TianoCore projects.
> 
> I just do not know what the rules are when you copy a file from
> an external project if you can replace without permission from the
> owning project since many of the licenses state that the license
> and copyrights need to be preserved.
> 
> Mike
> 
>> -----Original Message-----
>> From: Michael Kubacki <mikuback@linux.microsoft.com>
>> Sent: Tuesday, October 31, 2023 12:34 PM
>> To: Kinney, Michael D <michael.d.kinney@intel.com>; Laszlo Ersek
>> <lersek@redhat.com>; devel@edk2.groups.io; 'Leif Lindholm'
>> <quic_llindhol@quicinc.com>; 'Andrew Fish' <afish@apple.com>
>> Cc: 'Sean Brogan' <sean.brogan@microsoft.com>; Gerd Hoffmann
>> <kraxel@redhat.com>; Oliver Steffen <osteffen@redhat.com>
>> Subject: Re: [edk2-devel] CodeQL and Apache Licensed Files
>>
>> On 10/31/2023 3:19 PM, Kinney, Michael D wrote:
>>> Michael,
>>>
>>> I noticed some of the files had Apache 2.0 license and then
>>> you added content under BSD-2-Clause-Patent.  Why wouldn't
>>> you continue with the original Apache 2.0 license?
>>>
>> I will continue with the original license.
>>
>>> Also, I am not sure if you can replace the license text with
>>> the SPDX identifier if the original file had the text.  I know
>>> TianoCore did a license change, but we had to get approval from
>>> all contributors.
>>>
>> I interpreted the earlier question (3) to mean appending an SPDX
>> identifier to the existing header.
>>
>> I still think there's some value in that for machine readability and
>> consistency with the ID being present in most other source files in the
>> repo. Do we care to have that?
>>
>> Note: "Copyright notices" in
>> https://spdx.dev/learn/handling-license-info/ instructs not to remove or
>> modify existing notices.
>>
>>> Thanks,
>>>
>>> Mike
>>>
>>>> -----Original Message-----
>>>> From: Laszlo Ersek <lersek@redhat.com>
>>>> Sent: Tuesday, October 31, 2023 10:22 AM
>>>> To: Michael Kubacki <mikuback@linux.microsoft.com>;
>>>> devel@edk2.groups.io; Kinney, Michael D <michael.d.kinney@intel.com>;
>>>> 'Leif Lindholm' <quic_llindhol@quicinc.com>; 'Andrew Fish'
>>>> <afish@apple.com>
>>>> Cc: 'Sean Brogan' <sean.brogan@microsoft.com>; Gerd Hoffmann
>>>> <kraxel@redhat.com>; Oliver Steffen <osteffen@redhat.com>
>>>> Subject: Re: [edk2-devel] CodeQL and Apache Licensed Files
>>>>
>>>> On 10/31/23 17:07, Michael Kubacki wrote:
>>>>> On 10/28/2023 7:51 AM, Laszlo Ersek wrote:
>>>>>> On 10/27/23 23:11, Michael Kubacki wrote:
>>>>>>> I'd like to bring attention to Apache License 2.0 code in the CodeQL
>>>>>>> series I sent to the mailing list for steward review.
>>>>>>>
>>>>>>> In particular, the files in the BaseTools/Plugin/CodeQL/analyze
>>>>>>> directory of this patch:
>>>>>>>
>>>>>>> https://edk2.groups.io/g/devel/message/109696
>>>>>>>
>>>>>>> Please let me know if any next steps are needed.
>>>>>>
>>>>>> (1) I don't know if edk2 accepts contributions under Apache License 2.0;
>>>>>> just want to point out that this license is acceptable in Fedora (and so
>>>>>> RHEL too), per
>>>>>> <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>. Assuming
>>>>>> we're talking about "Apache Software License 2.0".
>>>>>>
>>>>> A few submodules are using the Apache License 2.0.
>>>>>
>>>>> For example, OpenSSL v3:
>>>>>
>>>>> - https://www.openssl.org/source/license.html
>>>>> - https://git.openssl.org/?p=openssl.git;a=blob_plain;f=LICENSE.txt;hb=HEAD
>>>>>
>>>>> And cmocka:
>>>>>
>>>>> - https://gitlab.com/cmocka/cmocka/-/blob/master/COPYING
>>>>
>>>> Thanks for identifying those!
>>>>
>>>>>
>>>>> I'm unaware if there was precedent specific to submodules, but I'd
>>>>> expect terms like redistribution clauses to already apply regardless of
>>>>> tooling used to acquire the source code into the project.
>>>>
>>>> I believe the same.
>>>>
>>>>>
>>>>>> (2) Should we extend "License Details" and "Code Contributions" in
>>>>>> "ReadMe.rst"?
>>>>>>
>>>>> My initial thought was to add the path (BaseTools\Plugin\CodeQL\analyze)
>>>>> to "License Details".
>>>>>
>>>>> Was that all that you had in mind or to elaborate further in that
>>>>> section on the licenses used/allowed?
>>>>
>>>> - Under "License Details", simply list BaseTools/Plugin/CodeQL/analyze
>>>> as one of the "components" (i.e., first list) that use a "additional
>>>> licenses".
>>>>
>>>> - Under "Code Contributions", we should list "Apache Software License
>>>> 2.0" as acceptable -- both for this new feature, and for the *already*
>>>> upstream stuff that you found above.
>>>>
>>>>>
>>>>>> (3) Should the new files (under Apache License 2.0) use an SPDX
>>>>>> identifier tag, for easy greppability?
>>>>>>
>>>>> I'd be happy to add that.
>>>>
>>>> That's a relief, I didn't know whether you could touch up the license
>>>> blocks!
>>>>
>>>> Thanks!
>>>> Laszlo
>>>>
>>>>>
>>>>>> (4) With the addition, downstream packages (such as RPMs in Fedora and
>>>>>> RHEL) might want to spell out the short SPDX identifier of the new
>>>>>> license too in their License: tags.
>>>>>>
>>>>>> Laszlo


View/Reply Online (#110453): https://edk2.groups.io/g/devel/message/110453




* Re: [edk2-devel] CodeQL and Apache Licensed Files
  2023-10-31 19:49       ` Pedro Falcato
@ 2023-11-01 11:11         ` Leif Lindholm
  0 siblings, 0 replies; 12+ messages in thread
From: Leif Lindholm @ 2023-11-01 11:11 UTC (permalink / raw)
  To: devel, pedro.falcato, Kinney, Michael D
  Cc: lersek@redhat.com, mikuback@linux.microsoft.com, Andrew Fish,
	Sean Brogan, Gerd Hoffmann, Oliver Steffen

On 2023-10-31 19:49, Pedro Falcato wrote:
> On Tue, Oct 31, 2023 at 7:43 PM Kinney, Michael D
> <michael.d.kinney@intel.com> wrote:
>>
>> Hi Pedro,
>>
>> SPDX is only for licenses, not copyrights.
> 
> IANAL, but several FOSS projects (including Linux) have generally
> replaced the "Copyright (c) ..." verbiage with SPDX.

They may have decided to get rid of the copyright statements at the same 
time as they switched to SPDX instead of full boilerplate licenses, but 
that is not the same thing.

/
     Leif

> I assume there has to be some legal basis for this, although I don't
> know if it depends on the license, etc
> (IIRC I /think/ one could state that copyright holders are stored in
> git information, but, again, I'm not a lawyer)
> 



View/Reply Online (#110475): https://edk2.groups.io/g/devel/message/110475


