public inbox for devel@edk2.groups.io
From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, mikuback@linux.microsoft.com
Cc: Andrew Fish <afish@apple.com>,
	Leif Lindholm <quic_llindhol@quicinc.com>,
	Michael D Kinney <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [PATCH v4 8/8] ReadMe.rst: Add CodeQL/analyze directory under other licenses
Date: Fri, 3 Nov 2023 14:06:10 +0100
Message-ID: <f6d73f61-bbb2-30d0-6cb6-f5a948b73ae3@redhat.com>
In-Reply-To: <20231102200313.1010-9-mikuback@linux.microsoft.com>

On 11/2/23 21:03, Michael Kubacki wrote:
> From: Michael Kubacki <michael.kubacki@microsoft.com>
> 
> The code in this directory is licensed under Apache License, Version
> 2.0. Therefore, the directory is listed under paths with licenses
> other than BSD-2-Clause Plus Patent. The directory link points to the
> complete Apache License, Version 2.0 on apache.org.
> 
> Cc: Andrew Fish <afish@apple.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
>  ReadMe.rst | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/ReadMe.rst b/ReadMe.rst
> index 06fb122ef382..808ccd37af50 100644
> --- a/ReadMe.rst
> +++ b/ReadMe.rst
> @@ -73,6 +73,7 @@ The majority of the content in the EDK II open source project uses a
>  source project contains the following components that are covered by additional
>  licenses:
>  
> +-  `BaseTools/Plugin/CodeQL/analyze <https://www.apache.org/licenses/LICENSE-2.0>`__
>  -  `BaseTools/Source/C/LzmaCompress <BaseTools/Source/C/LzmaCompress/LZMA-SDK-README.txt>`__
>  -  `BaseTools/Source/C/VfrCompile/Pccts <BaseTools/Source/C/VfrCompile/Pccts/RIGHTS>`__
>  -  `CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c <CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c>`__
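
Review bot: the new `BaseTools/Plugin/CodeQL/analyze` entry links to an external URL (https://www.apache.org/licenses/LICENSE-2.0), whereas the neighbouring entries in this list each link to a file inside the tree (LZMA-SDK-README.txt, Pccts/RIGHTS, inet_pton.c). Consider adding a license file inside the directory and pointing the link at that file, so the license text travels with a checkout and the entry is consistent with the rest of the list.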

I've carefully read through the cover letter now (impressive work!). I
have some questions, with reference to Leif's comment at
<https://edk2.groups.io/g/devel/message/110475> as well:

- Is the BaseTools/Plugin/CodeQL/analyze subdirectory not supposed to
contain a standalone "COPYING" or similar file?

If not, then the current patch seems fine:

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

- I'd like to understand where the BaseTools/Plugin/CodeQL/analyze/
contents (three files) originate from. If it was authored by Microsoft,
then I don't understand (per v4 series changelog in the cover letter)
why the Microsoft copyright notice had to be removed. And if it is not
original work by Microsoft, but work derived by Microsoft from other
original work, then it should contain both the original copyright
notices, and Microsoft's.

The file-top comments in those three files reference

  https://github.com/advanced-security/filter-sarif

as the origin. Do the original files in that repository contain
copyright notices? (Or does their containing project come with a COPYING
or similar file?) I'm not looking for a license specification (SPDX or
natural language), but specifically for copyright notices on the
original work.

Does the <https://github.com/advanced-security> organization perhaps use
an over-arching copyright notice somewhere?

If none of those apply, then I agree that the content added in patch#2
("BaseTools/Plugin/CodeQL: Add CodeQL build plugin") appears fine. Very
unusual to me, but IANAL...

Thanks,
Laszlo
