GNU bug report logs - #50347
[RFC PATCH] lint: Warn about kernel modules with a suspect license.

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 50347 in the body.
You can then email your comments to 50347 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: guix-patches <at> gnu.org
Subject: [RFC PATCH] lint: Warn about kernel modules with a suspect license.
Date: Thu, 02 Sep 2021 23:42:45 +0200

[Message part 1 (text/plain, inline)]

X-Debbugs-CC: guix-devel <at> gnu.org

[CC'ing guix-devel <at> gnu.org because a wider audience seems in order?]

Hi guix,

This patch adds a 'suspect-license' linter detecting some suspicious
values in the license fields of linux modules:

gnu/packages/file-systems.scm:1317:13: zfs <at> 2.1.0: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:1185:13: acpi-call-linux-module <at> 1.2.1: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:8205:15: ttyebus-linux-module <at> 1.5-0.fe4332a: license appears incompatible with the Linux kernel

For zfs, the issue is the CDDL license.  For the others, the issue
is the gpl3+ license.  See the article by the SFLC for why this linter
detets ZFS:

<https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

I wrote a little about the CDDL-GPL incompatibility issue
(most likely a GPL violation?) at <https://issues.guix.gnu.org/45692#43>.

Greetings,
Maxime.

[0001-lint-Warn-about-kernel-modules-with-a-suspect-licens.patch (text/x-patch, inline)]

From 851cf20b7d5aed45c3331781afef8de3961f4bb4 Mon Sep 17 00:00:00 2001
From: Maxime Devos <maximedevos <at> telenet.be>
Date: Thu, 2 Sep 2021 23:30:15 +0200
Subject: [PATCH] lint: Warn about kernel modules with a suspect license.

* guix/lint.scm
  (check-suspect-license): New linter.
  (%local-checkers)[suspect-license]: Register it.
---
 guix/lint.scm | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/guix/lint.scm b/guix/lint.scm
index ffd3f7007e..3a7f3be327 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -34,6 +34,7 @@
   #:use-module (guix store)
   #:autoload   (guix base16) (bytevector->base16-string)
   #:use-module (guix base32)
+  #:use-module (guix build-system)
   #:use-module (guix diagnostics)
   #:use-module (guix download)
   #:use-module (guix ftp-client)
@@ -1347,6 +1348,31 @@ of the propagated inputs it pulls in."
       (make-warning package (G_ "invalid license field")
                     #:field 'license)))))
 
+(define (check-suspect-license package)
+  "Warn about suspicious license combinations in PACKAGE."
+  ;; Use 'build-system-name' instead of comparing the build
+  ;; system directly with 'linux-module-build-system' to avoid
+  ;; loading (guix build-system linux-module) when no Linux modules
+  ;; are linted.
+  (define linux-module?
+    (eq? 'linux-module
+         (build-system-name (package-build-system package))))
+  ;; This has plenty of false negatives and should
+  ;; have very few false positives.
+  (define gpl2-only-incompatible?
+    ;; The Linux kernel is GPL-2-only, so GPL3 and later are out.
+    ;; The GPL and CDDL appear to be incompatible, see
+    ;; <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/>
+    ;; and <https://www.fsf.org/licensing/zfs-and-linux>.
+    (memq (package-license package)
+          (list gpl3 gpl3+ cddl1.0)))
+  (if (and linux-module? gpl2-only-incompatible?)
+      (list
+       (make-warning package
+                     (G_ "license appears incompatible with the Linux kernel")
+                     #:field 'license))
+      '()))
+
 (define (current-vulnerabilities*)
   "Like 'current-vulnerabilities', but return the empty list upon networking
 or HTTP errors.  This allows network-less operation and makes problems with
@@ -1762,6 +1788,10 @@ them for PACKAGE."
      (description "Make sure the 'license' field is a <license> \
 or a list thereof")
      (check       check-license))
+   (lint-checker
+     (name        'suspect-license)
+     (description "Detect some suspect combinations of licenses")
+     (check       check-suspect-license))
    (lint-checker
      (name        'optional-tests)
      (description "Make sure tests are only run when requested")
-- 
2.33.0

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 50347 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 50347 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org
Subject: Re: [bug#50347] [RFC PATCH] lint: Warn about kernel modules with a
 suspect license.
Date: Fri, 03 Sep 2021 00:20:55 +0200

[Message part 1 (text/plain, inline)]

I've discussed this with dstolfa on IRC:
https://logs.guix.gnu.org/guix/2021-09-02.log#234707
https://logs.guix.gnu.org/guix/2021-09-03.log

Greetings,
Maxime.

[signature.asc (application/pgp-signature, inline)]

Message #11 received at 50347 <at> debbugs.gnu.org (full text, mbox):

From: zimoun <zimon.toutoune <at> gmail.com>
To: Maxime Devos <maximedevos <at> telenet.be>, 50347 <at> debbugs.gnu.org
Cc: guix-devel <at> gnu.org
Subject: Re: [bug#50347] [RFC PATCH] lint: Warn about kernel modules with a
 suspect license.
Date: Mon, 06 Sep 2021 10:23:52 +0200

Hi Maxime,

On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos <at> telenet.be> wrote:

> This patch adds a 'suspect-license' linter detecting some suspicious
> values in the license fields of linux modules:

I do not know if it is worth to add a linter for really few corner
cases, IMHO.

> For zfs, the issue is the CDDL license.  For the others, the issue
> is the gpl3+ license.  See the article by the SFLC for why this linter
> detets ZFS:
>
> <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

The issue is about distributing binaries, IIUC.  From my point of view,
a such linter should check X-license packages using any build-system but
“linked“ to incompatible X-license packages.  Well, I do not know if it
is worth to automate this since it appears to me really sparse corner
cases.

Cheers,
simon

Message #16 received at 50347-done <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: zimoun <zimon.toutoune <at> gmail.com>, 50347-done <at> debbugs.gnu.org
Subject: Re: [bug#50347] [RFC PATCH] lint: Warn about kernel modules with a
 suspect license.
Date: Wed, 08 Sep 2021 22:42:35 +0200

[Message part 1 (text/plain, inline)]

zimoun schreef op ma 06-09-2021 om 10:23 [+0200]:
> Hi Maxime,
> 
> On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos <at> telenet.be> wrote:
> 
> > This patch adds a 'suspect-license' linter detecting some suspicious
> > values in the license fields of linux modules:
> 
> I do not know if it is worth to add a linter for really few corner
> cases, IMHO.
> 
> > For zfs, the issue is the CDDL license.  For the others, the issue
> > is the gpl3+ license.  See the article by the SFLC for why this linter
> > detets ZFS:
> > 
> > <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>;.
> 
> The issue is about distributing binaries, IIUC.  From my point of view,
> a such linter should check X-license packages using any build-system but
> “linked“ to incompatible X-license packages.  Well, I do not know if it
> is worth to automate this since it appears to me really sparse corner
> cases.

It appears that the proposed linter isn't very useful.
Closing.

Greetings,
Maxime

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.