Date: Fri, 3 Nov 2023 10:16:35 -0400
Subject: Re: [edk2-devel] [PATCH v4 8/8] ReadMe.rst: Add CodeQL/analyze directory under other licenses
To: devel@edk2.groups.io, lersek@redhat.com
Cc: Andrew Fish, Leif Lindholm, Michael D Kinney
References: <20231102200313.1010-1-mikuback@linux.microsoft.com> <20231102200313.1010-9-mikuback@linux.microsoft.com>
From: "Michael Kubacki"

On 11/3/2023 9:06 AM, Laszlo Ersek wrote:
> On 11/2/23 21:03, Michael Kubacki wrote:
>> From: Michael Kubacki
>>
>> The code in this directory is licensed under Apache License, Version
>> 2.0. Therefore, the directory is listed under paths with licenses
>> other than BSD-2-Clause Plus Patent. The directory link points to the
>> complete Apache License, Version 2.0 on apache.org.
>>
>> Cc: Andrew Fish
>> Cc: Laszlo Ersek
>> Cc: Leif Lindholm
>> Cc: Michael D Kinney
>> Signed-off-by: Michael Kubacki
>> --- >> ReadMe.rst | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/ReadMe.rst b/ReadMe.rst >> index 06fb122ef382..808ccd37af50 100644 >> --- a/ReadMe.rst >> +++ b/ReadMe.rst 
>> @@ -73,6 +73,7 @@ The majority of the content in the EDK II open source = project uses a >> source project contains the following components that are covered by a= dditional >> licenses: >> =20 >> +- `BaseTools/Plugin/CodeQL/analyze `__ >> - `BaseTools/Source/C/LzmaCompress `__ >> - `BaseTools/Source/C/VfrCompile/Pccts `__ >> - `CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c `__
>
> I've carefully read through the cover letter now (impressive work!). I
> have some questions, with reference to Leif's comment at
> as well:
>
> - Is the BaseTools/Plugin/CodeQL/analyze subdirectory not supposed to
> contain a standalone "COPYING" or similar file?
>
> If not, then the current patch seems fine:
>
> Reviewed-by: Laszlo Ersek
>

I wasn't aware of anything further needed for the Apache License 2.0.
I'm familiar with COPYING in the context of GNU licensing
(https://www.gnu.org/licenses/gpl-howto.html). I don't see it applying
directly to the Apache licensing process as I understand it.

> - I'd like to understand where the BaseTools/Plugin/CodeQL/analyze/
> contents (three files) originate from. If it was authored by Microsoft,
> then I don't understand (per v4 series changelog in the cover letter)
> why the Microsoft copyright notice had to be removed. And if it is not
> original work by Microsoft, but work derived by Microsoft from other
> original work, then it should contain both the original copyright
> notices, and Microsoft's.
>

Because these are only a couple files, I tried to follow the guidance in
"To apply the Apache License to specific files in your work..." in "How
To Apply the Apache License to Your Work" in
https://www.apache.org/licenses/LICENSE-2.0.

For those files I:

1. Made the upper text clearly state Apache License Version 2.0 with a
   link to apache.org/licenses.
2. Included the boilerplate text as given in the above link for
   "licensing specific files in your work".
3. Preserved any existing copyrights.
   - globber.py had a pre-existing copyright preserved
   - analyze_filter.py did not have one in the source Python file or its
     LICENSE file
4. Appended text stating the source of the files and a brief summary of
   the changes in this copy relative to the original.

> The file-top comments in those three files reference
>
> https://github.com/advanced-security/filter-sarif
>
> as the origin. Do the original files in that repository contain
> copyright notices? (Or does their containing project come with a COPYING
> or similar file?) I'm not looking for a license specification (SPDX or
> natural language), but specifically for copyright notices on the
> original work.
>

All copyright notices from original files are preserved.

https://github.com/advanced-security itself actually includes a local
copy of globber.py
https://github.com/advanced-security/filter-sarif/blob/main/globber.py.

I dropped the Microsoft copyright in those specific files because my
contributions to those files were not significant. If there are other
factors to consider, please let me know and I will reconsider.

> Does the organization perhaps use
> an over-arching copyright notice somewhere?
>

I couldn't find anything.

> If none of those apply, then I agree that the content added in patch#2
> ("BaseTools/Plugin/CodeQL: Add CodeQL build plugin") appears fine. Very
> unusual to me, but IANAL...
>
> Thanks,
> Laszlo
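
Review bot: on the added `BaseTools/Plugin/CodeQL/analyze` entry in the ReadMe.rst hunk, the commit message says the link points to the license text on apache.org, so the license reference for this directory depends on an external URL. Consider shipping a copy of the Apache License 2.0 text inside the directory and linking the entry to that in-tree file, which would also settle the question raised in this thread about a standalone license file.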