Re: [edk2-devel] [PATCH v4 8/8] ReadMe.rst: Add CodeQL/analyze directory under other licenses

["Michael Kubacki" <mikuback@linux.microsoft.com>]

On 11/3/2023 9:06 AM, Laszlo Ersek wrote:
> On 11/2/23 21:03, Michael Kubacki wrote:
>> From: Michael Kubacki <michael.kubacki@microsoft.com>
>>
>> The code in this directory is licensed under Apache License, Version
>> 2.0. Therefore, the directory is listed under paths with licenses
>> other than BSD-2-Clause Plus Patent. The directory link points to the
>> complete Apache License, Version 2.0 on apache.org.
>>
>> Cc: Andrew Fish <afish@apple.com>
>> Cc: Laszlo Ersek <lersek@redhat.com>
>> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
>> ---
>>   ReadMe.rst | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/ReadMe.rst b/ReadMe.rst
>> index 06fb122ef382..808ccd37af50 100644
>> --- a/ReadMe.rst
>> +++ b/ReadMe.rst
>> @@ -73,6 +73,7 @@ The majority of the content in the EDK II open source project uses a
>>   source project contains the following components that are covered by additional
>>   licenses:
>>   
>> +-  `BaseTools/Plugin/CodeQL/analyze <https://www.apache.org/licenses/LICENSE-2.0>`__
>>   -  `BaseTools/Source/C/LzmaCompress <BaseTools/Source/C/LzmaCompress/LZMA-SDK-README.txt>`__
>>   -  `BaseTools/Source/C/VfrCompile/Pccts <BaseTools/Source/C/VfrCompile/Pccts/RIGHTS>`__
>>   -  `CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c <CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c>`__
> 
> I've carefully read through the cover letter now (impressive work!). I
> have some questions, with reference to Leif's comment at
> <https://edk2.groups.io/g/devel/message/110475> as well:
> 
> - Is the BaseTools/Plugin/CodeQL/analyze subdirectory not supposed to
> contain a standalone "COPYING" or similar file?
> 
> If not, then the current patch seems fine:
> 
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> 
I wasn't aware of anything further needed for the Apache License 2.0. 
I'm familiar with COPYING in the context of GNU licensing 
(https://www.gnu.org/licenses/gpl-howto.html). I don't see it applying 
directly to the Apache licensing process as I understand it.

> - I'd like to understand where the BaseTools/Plugin/CodeQL/analyze/
> contents (three files) originate from. If it was authored by Microsoft,
> then I don't understand (per v4 series changelog in the cover letter)
> why the Microsoft copyright notice had to be removed. And if it is not
> original work by Microsoft, but work derived by Microsoft from other
> original work, then it should contain both the original copyright
> notices, and Microsofts.
> 
Because these are only a couple files, I tried to follow the guidance in 
"To apply the Apache License to specific files in your work..." in "How 
To Apply the Apache License to Your Work" in 
https://www.apache.org/licenses/LICENSE-2.0.

For those files I:

1. Made the upper text clearly state Apache License Version 2.0 with a 
link to apache.org/licenses.

2. Included the boilerplate text as given in the above link for 
"licensing specific files in your work".

3. Preserved any existing copyrights.

    - globber.py had a pre-existing copyright preserved
    - analyze_filter.py did not have one in the source Python file or
      its LICENSE file

4. Appended text stating the source of the files and a brief summary of 
the changes in this copy relative to the original.

> The file-top comments in those three files reference
> 
>    https://github.com/advanced-security/filter-sarif
> 
> as the origin. Do the original files in that repository contain
> copyright notices? (Or does their containing project come with a COPYING
> or similar file?) I'm not looking for a license specification (SPDX or
> natural language), but specifically for copyright notices on the
> original work.
> 
All copyright notices from original files are preserved.

https://github.com/advanced-security itself actually includes a local 
copy of globber.py 
https://github.com/advanced-security/filter-sarif/blob/main/globber.py.

I dropped the Microsoft copyright in those specific files because my 
contributions the those files were not significant. If there are other 
factors to consider, please let me know and I will reconsider.

> Does the <https://github.com/advanced-security> organization perhaps use
> an over-arching copyright notice somewhere?
> 
I couldn't find anything.

> If none of those apply, then I agree that the content added in patch#2
> ("BaseTools/Plugin/CodeQL: Add CodeQL build plugin") appears fine. Very
> unusual to me, but IANAL...
> 
> Thanks,
> Laszlo
> 
> 
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110627): https://edk2.groups.io/g/devel/message/110627
Mute This Topic: https://groups.io/mt/102350800/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-