Re: [edk2-devel] CodeQL and Apache Licensed Files

["Michael D Kinney" <michael.d.kinney@intel.com>]

Hi Michael,

I agree that SPDX is preferred in file headers over license text
in TianoCore projects.

I just do not know what the rules are when you copy a file from
An external project if you can replace without permission from the
owning project since many of the licenses state that the license
and copyrights need to be preserved.

Mike

> -----Original Message-----
> From: Michael Kubacki <mikuback@linux.microsoft.com>
> Sent: Tuesday, October 31, 2023 12:34 PM
> To: Kinney, Michael D <michael.d.kinney@intel.com>; Laszlo Ersek
> <lersek@redhat.com>; devel@edk2.groups.io; 'Leif Lindholm'
> <quic_llindhol@quicinc.com>; 'Andrew Fish' <afish@apple.com>
> Cc: 'Sean Brogan' <sean.brogan@microsoft.com>; Gerd Hoffmann
> <kraxel@redhat.com>; Oliver Steffen <osteffen@redhat.com>
> Subject: Re: [edk2-devel] CodeQL and Apache Licensed Files
> 
> On 10/31/2023 3:19 PM, Kinney, Michael D wrote:
> > Michael,
> >
> > I noticed some of the files had Apache 2.0 license and then
> > you added content under BSD-2-Clause-Patent.  Why wouldn't
> > you continue with the original Apache 2.0 license?
> >
> I will continue with the original license.
> 
> > Also, I am not sure if you can replace the license text with
> > the SPDX identifier if the original file had the text.  I know
> > TianoCore did a license change, but we had to get approval from
> > all contributors.
> >
> I interpreted the earlier question (3) to mean appending an SPDX
> identifier to the existing header.
> 
> I still think there's some value in that for machine readability and
> consistency with the ID being present in most other source files in
> the
> repo. Do we care to have that?
> 
> Note: "Copyright notices" in
> https://spdx.dev/learn/handling-license-info/ instructs not remove or
> modify existing notices.
> 
> > Thanks,
> >
> > Mike
> >
> >> -----Original Message-----
> >> From: Laszlo Ersek <lersek@redhat.com>
> >> Sent: Tuesday, October 31, 2023 10:22 AM
> >> To: Michael Kubacki <mikuback@linux.microsoft.com>;
> >> devel@edk2.groups.io; Kinney, Michael D
> <michael.d.kinney@intel.com>;
> >> 'Leif Lindholm' <quic_llindhol@quicinc.com>; 'Andrew Fish'
> >> <afish@apple.com>
> >> Cc: 'Sean Brogan' <sean.brogan@microsoft.com>; Gerd Hoffmann
> >> <kraxel@redhat.com>; Oliver Steffen <osteffen@redhat.com>
> >> Subject: Re: [edk2-devel] CodeQL and Apache Licensed Files
> >>
> >> On 10/31/23 17:07, Michael Kubacki wrote:
> >>> On 10/28/2023 7:51 AM, Laszlo Ersek wrote:
> >>>> On 10/27/23 23:11, Michael Kubacki wrote:
> >>>>> I'd like to bring attention to Apache License 2.0 code in the
> >> CodeQL
> >>>>> series I sent to the mailing list for steward review.
> >>>>>
> >>>>> In particular, the files in the BaseTools/Plugin/CodeQL/analyze
> >>>>> directory of this patch:
> >>>>>
> >>>>> https://edk2.groups.io/g/devel/message/109696
> >>>>>
> >>>>> Please let me know if any next steps are needed.
> >>>>
> >>>> (1) I don't know if edk2 accepts contributions under Apache
> License
> >> 2.0;
> >>>> just want to point out that this license is acceptable in Fedora
> >> (and so
> >>>> RHEL too), per
> >>>> <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>.
> >> Assuming
> >>>> we're talking about "Apache Software License 2.0".
> >>>>
> >>> A few submodules are using the Apache License 2.0.
> >>>
> >>> For example, OpenSSL v3:
> >>>
> >>> - https://www.openssl.org/source/license.html
> >>> -
> >>
> https://git.openssl.org/?p=openssl.git;a=blob_plain;f=LICENSE.txt;hb=H
> >> EAD
> >>>
> >>> And cmoocka:
> >>>
> >>> - https://gitlab.com/cmocka/cmocka/-/blob/master/COPYING
> >>
> >> Thanks for identifying those!
> >>
> >>>
> >>> I'm unaware if there was precedent specific to submodules, but I'd
> >>> expect terms like redistribution clauses to already apply
> regardless
> >> of
> >>> tooling used to acquire the source code into the project.
> >>
> >> I believe the same.
> >>
> >>>
> >>>> (2) Should we extend "License Details" and "Code Contributions"
> in
> >>>> "ReadMe.rst"?
> >>>>
> >>> My initial thought was to add the path
> >> (BaseTools\Plugin\CodeQL\analyze)
> >>> to "License Details".
> >>>
> >>> Was that all that you had in mind or to elaborate further in that
> >>> section on the licenses used/allowed?
> >>
> >> - Under "License Details", simply list
> BaseTools/Plugin/CodeQL/analyze
> >> as one of the "components" (i.e., first list) that use a
> "additional
> >> licenses".
> >>
> >> - Under "Code Contributions", we should list "Apache Software
> License
> >> 2.0" as acceptable -- both for this new feature, and for the
> *already*
> >> upstream stuff that you found above.
> >>
> >>>
> >>>> (3) Should the new files (under Apache License 2.0) use an SPDX
> >>>> identifier tag, for easy greppability?
> >>>>
> >>> I'd be happy to add that.
> >>
> >> That's a relief, I didn't know whether you could touch up the
> license
> >> blocks!
> >>
> >> Thanks!
> >> Laszlo
> >>
> >>>
> >>>> (4) With the addition, downstream packages (such as RPMs in
> Fedora
> >> and
> >>>> RHEL) might want to spell out the short SPDX identifier of the
> new
> >>>> license too in their License: tags.
> >>>>
> >>>> Laszlo
> >>>>
> >>>>
> >>>>
> >>>> 
> >>>>
> >>>
> >


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110446): https://edk2.groups.io/g/devel/message/110446
Mute This Topic: https://groups.io/mt/102230244/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/xyzzy [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-