From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 617ED74003C for ; Fri, 3 Nov 2023 14:46:30 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=7y9ERvEPp4EfGZWZuZAVa3NB1Mk4uV9AqMX05GwnyGY=; c=relaxed/simple; d=groups.io; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding; s=20140610; t=1699022789; v=1; b=emif3Hu6bZJU/4dpMRPYU4JlzEewFMQTlP8MdS2c780lvBceRLpDNe5xBiVefruHrREzZeKH Iyn2Mq+hXZSry3xaJX63my9+/netdZXOrg24LYbhidua7z7gx0G49AwLq166UrY0eumUpug5vtI y+IJy+C4ASI714VHk79oSQWw= X-Received: by 127.0.0.2 with SMTP id NnLdYY7687511xN2BThZwx3f; Fri, 03 Nov 2023 07:46:29 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.groups.io with SMTP id smtpd.web10.54564.1699022788503744580 for ; Fri, 03 Nov 2023 07:46:28 -0700 X-Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-111-hlBMU9S4MJ2JOb62_mkqiw-1; Fri, 03 Nov 2023 10:46:22 -0400 X-MC-Unique: hlBMU9S4MJ2JOb62_mkqiw-1 X-Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 25B5C1C0CCA9; Fri, 3 Nov 2023 14:46:22 +0000 (UTC) X-Received: from [10.39.192.20] (unknown [10.39.192.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 08010492BFA; Fri, 3 Nov 2023 14:46:20 +0000 (UTC) Message-ID: Date: Fri, 3 Nov 2023 15:46:19 +0100 MIME-Version: 1.0 Subject: Re: [edk2-devel] [PATCH v4 8/8] ReadMe.rst: Add CodeQL/analyze directory under other licenses To: Michael Kubacki , devel@edk2.groups.io Cc: Andrew Fish , Leif Lindholm , Michael D Kinney References: <20231102200313.1010-1-mikuback@linux.microsoft.com> <20231102200313.1010-9-mikuback@linux.microsoft.com> From: "Laszlo Ersek" In-Reply-To: X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: LPE3a6QVY0lrBhjyJS1U0ROyx7686176AA= Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=emif3Hu6; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On 11/3/23 15:16, Michael Kubacki wrote: > On 11/3/2023 9:06 AM, Laszlo Ersek wrote: >> On 11/2/23 21:03, Michael Kubacki wrote: >>> From: Michael Kubacki >>> >>> The code in this directory is licensed under Apache License, Version >>> 2.0. Therefore, the directory is listed under paths with licenses >>> other than BSD-2-Clause Plus Patent. The directory link points to the >>> complete Apache License, Version 2.0 on apache.org. >>> >>> Cc: Andrew Fish >>> Cc: Laszlo Ersek >>> Cc: Leif Lindholm >>> Cc: Michael D Kinney >>> Signed-off-by: Michael Kubacki >>> --- >>>   ReadMe.rst | 1 + >>>   1 file changed, 1 insertion(+) >>> >>> diff --git a/ReadMe.rst b/ReadMe.rst >>> index 06fb122ef382..808ccd37af50 100644 >>> --- a/ReadMe.rst >>> +++ b/ReadMe.rst >>> @@ -73,6 +73,7 @@ The majority of the content in the EDK II open >>> source project uses a >>>   source project contains the following components that are covered >>> by additional >>>   licenses: >>>   +-  `BaseTools/Plugin/CodeQL/analyze >>> `__ >>>   -  `BaseTools/Source/C/LzmaCompress >>> `__ >>>   -  `BaseTools/Source/C/VfrCompile/Pccts >>> `__ >>>   -  `CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c >>> `__ >> >> I've carefully read through the cover letter now (impressive work!). I >> have some questions, with reference to Leif's comment at >> as well: >> >> - Is the BaseTools/Plugin/CodeQL/analyze subdirectory not supposed to >> contain a standalone "COPYING" or similar file? >> >> If not, then the current patch seems fine: >> >> Reviewed-by: Laszlo Ersek >> > I wasn't aware of anything further needed for the Apache License 2.0. > I'm familiar with COPYING in the context of GNU licensing > (https://www.gnu.org/licenses/gpl-howto.html). I don't see it applying > directly to the Apache licensing process as I understand it. Apologies, I was unclear. My point was only that, if the copyright notices were included inside the local subdir, then we should point this reference too to that local file. And, I thought that any project would include such a separate file (which we'd now inherit). Given that that is not the case, just apply my R-b. :) > >> - I'd like to understand where the BaseTools/Plugin/CodeQL/analyze/ >> contents (three files) originate from. If it was authored by Microsoft, >> then I don't understand (per v4 series changelog in the cover letter) >> why the Microsoft copyright notice had to be removed. And if it is not >> original work by Microsoft, but work derived by Microsoft from other >> original work, then it should contain both the original copyright >> notices, and Microsofts. >> > Because these are only a couple files, I tried to follow the guidance in > "To apply the Apache License to specific files in your work..." in "How > To Apply the Apache License to Your Work" in > https://www.apache.org/licenses/LICENSE-2.0. > > For those files I: > > 1. Made the upper text clearly state Apache License Version 2.0 with a > link to apache.org/licenses. > > 2. Included the boilerplate text as given in the above link for > "licensing specific files in your work". > > 3. Preserved any existing copyrights. > >    - globber.py had a pre-existing copyright preserved Ah, indeed! Sorry, I totally missed that. Mea culpa! >    - analyze_filter.py did not have one in the source Python file or >      its LICENSE file OK! Finally, I'm just noticing that "BaseTools/Plugin/CodeQL/analyze/__init__.py" is actually an empty file. This looks like a python trick: https://old.reddit.com/r/learnpython/comments/fuxv57/can_init_py_actually_be_empty/ https://stackoverflow.com/questions/448271/what-is-init-py-for So I now understand this empty __init__.py is not derived from -- it is a genuine addition under edk2, right? But, because it is zero size (intentionally), adding a Microsoft copyright notice to it was deemed overkill. Is that correct? We have a bunch of other, similarly empty __init__.py files: BaseTools/Plugin/DebugMacroCheck/tests/__init__.py BaseTools/Source/C/BrotliCompress/brotli/python/tests/__init__.py BaseTools/Source/Python/Ecc/CParser3/__init__.py BaseTools/Source/Python/Ecc/CParser4/__init__.py BaseTools/Source/Python/Eot/CParser3/__init__.py BaseTools/Source/Python/Eot/CParser4/__init__.py MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/python/tests/__init__.py > > 4. Appended text stating the source of the files and a brief summary of > the changes in this copy relative to the original. > >> The file-top comments in those three files reference >> >>    https://github.com/advanced-security/filter-sarif >> >> as the origin. Do the original files in that repository contain >> copyright notices? (Or does their containing project come with a COPYING >> or similar file?) I'm not looking for a license specification (SPDX or >> natural language), but specifically for copyright notices on the >> original work. >> > All copyright notices from original files are preserved. Indeed -- I'm sorry for missing that previously. > > https://github.com/advanced-security itself actually includes a local > copy of globber.py > https://github.com/advanced-security/filter-sarif/blob/main/globber.py. > > I dropped the Microsoft copyright in those specific files because my > contributions the those files were not significant. If there are other > factors to consider, please let me know and I will reconsider. I think the only other factor here may be that you are creating the file in the edk2 tree. Whenever I create a new file in edk2 (for example by copying an existent library instance, and customizing the code in the new instance, however minimally), I add a Red Hat copyright notice. But I don't insist at all, I was just curious of the reasoning! >> Does the organization perhaps use >> an over-arching copyright notice somewhere? >> > I couldn't find anything. Thanks a lot for checking! I don't object to any of the v4 patches getting merged as posted. Cheers, Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#110630): https://edk2.groups.io/g/devel/message/110630 Mute This Topic: https://groups.io/mt/102350800/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/xyzzy [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-