[RFC PATCH] lint: Warn about kernel modules with a suspect license.

Status: Done
Participants: Maxime Devos, zimoun
Owner: unassigned
Submitted by: Maxime Devos
Severity: normal
Maxime Devos wrote on 2 Sep 2021 23:42
(address . guix-patches@gnu.org)
5c4caf742c5dbe2a02aede2b20ff80eae7bc352a.camel@telenet.be
X-Debbugs-CC: guix-devel@gnu.org

[CC'ing guix-devel@gnu.org because a wider audience seems in order?]

Hi guix,

This patch adds a 'suspect-license' linter detecting some suspicious
values in the license fields of linux modules:

gnu/packages/file-systems.scm:1317:13: zfs@2.1.0: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:1185:13: acpi-call-linux-module@1.2.1: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:8205:15: ttyebus-linux-module@1.5-0.fe4332a: license appears incompatible with the Linux kernel

For zfs, the issue is the CDDL license. For the others, the issue
is the gpl3+ license. See the article by the SFLC for why this linter
detects ZFS:

<https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

I wrote a little about the CDDL-GPL incompatibility issue
(most likely a GPL violation?) at https://issues.guix.gnu.org/45692#43.

Greetings,
Maxime.
From 851cf20b7d5aed45c3331781afef8de3961f4bb4 Mon Sep 17 00:00:00 2001
From: Maxime Devos <maximedevos@telenet.be>
Date: Thu, 2 Sep 2021 23:30:15 +0200
Subject: [PATCH] lint: Warn about kernel modules with a suspect license.

* guix/lint.scm
(check-suspect-license): New linter.
(%local-checkers)[suspect-license]: Register it.
---
guix/lint.scm | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)

diff --git a/guix/lint.scm b/guix/lint.scm
index ffd3f7007e..3a7f3be327 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -34,6 +34,7 @@
#:use-module (guix store)
#:autoload (guix base16) (bytevector->base16-string)
#:use-module (guix base32)
+ #:use-module (guix build-system)
#:use-module (guix diagnostics)
#:use-module (guix download)
#:use-module (guix ftp-client)
@@ -1347,6 +1348,31 @@ of the propagated inputs it pulls in."
(make-warning package (G_ "invalid license field")
#:field 'license)))))
+(define (check-suspect-license package)
+ "Warn about suspicious license combinations in PACKAGE."
+ ;; Use 'build-system-name' instead of comparing the build
+ ;; system directly with 'linux-module-build-system' to avoid
+ ;; loading (guix build-system linux-module) when no Linux modules
+ ;; are linted.
+ (define linux-module?
+ (eq? 'linux-module
+ (build-system-name (package-build-system package))))
+ ;; This has plenty of false negatives and should
+ ;; have very few false positives.
+ (define gpl2-only-incompatible?
+ ;; The Linux kernel is GPL-2-only, so GPL3 and later are out.
+ ;; The GPL and CDDL appear to be incompatible, see
+ ;; <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/>
+ ;; and <https://www.fsf.org/licensing/zfs-and-linux>.
+ (memq (package-license package)
+ (list gpl3 gpl3+ cddl1.0)))
+ (if (and linux-module? gpl2-only-incompatible?)
+ (list
+ (make-warning package
+ (G_ "license appears incompatible with the Linux kernel")
+ #:field 'license))
+ '()))
+
(define (current-vulnerabilities*)
"Like 'current-vulnerabilities', but return the empty list upon networking
or HTTP errors. This allows network-less operation and makes problems with
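Review bot: In check-suspect-license, the test (memq (package-license package) (list gpl3 gpl3+ cddl1.0)) only matches when the license field holds a single license object. The check-license description visible in the last hunk says the field may be "a <license> or a list thereof", so a Linux module whose license field is a list containing cddl1.0 or gpl3+ is compared by identity as a whole list and passes without a warning. Consider normalizing the field to a list first and deciding explicitly what a multi-license value means, since warning on any member could introduce the false positives the comment says should be rare. Also, none of the hunks show where gpl3, gpl3+ and cddl1.0 are imported; please confirm these bindings are in scope in guix/lint.scm.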
@@ -1762,6 +1788,10 @@ them for PACKAGE."
(description "Make sure the 'license' field is a <license> \
or a list thereof")
(check check-license))
+ (lint-checker
+ (name 'suspect-license)
+ (description "Detect some suspect combinations of licenses")
+ (check check-suspect-license))
(lint-checker
(name 'optional-tests)
(description "Make sure tests are only run when requested")
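Review bot: The description "Detect some suspect combinations of licenses" in the new lint-checker entry is broader than what check-suspect-license does, which is to flag only packages using the linux-module build system whose license is gpl3, gpl3+ or cddl1.0. A description along the lines of "Detect Linux kernel modules whose license appears incompatible with the kernel" would tell someone reading the checker list what it covers. The diffstat also lists only guix/lint.scm, so the checker arrives without a test; one case for a flagged module and one for an unflagged module would pin the behaviour down.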
--
2.33.0


Maxime Devos wrote on 3 Sep 2021 00:20
(address . 50347@debbugs.gnu.org)(address . guix-devel@gnu.org)
bb816cb9ef0d8a33b9903114a13638351d63ea58.camel@telenet.be


zimoun wrote on 6 Sep 2021 10:23
(address . guix-devel@gnu.org)
868s0ajenb.fsf@gmail.com
Hi Maxime,

On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:

> This patch adds a 'suspect-license' linter detecting some suspicious
> values in the license fields of linux modules:

I do not know if it is worth adding a linter for really few corner
cases, IMHO.

> For zfs, the issue is the CDDL license. For the others, the issue
> is the gpl3+ license. See the article by the SFLC for why this linter
> detects ZFS:
>
> <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

The issue is about distributing binaries, IIUC. From my point of view,
such a linter should check X-license packages using any build-system but
“linked” to incompatible X-license packages. Well, I do not know if it
is worth automating this since it appears to me really sparse corner
cases.

Cheers,
simon
Maxime Devos wrote on 8 Sep 2021 22:42
0f39f83c839a54a82e2c7abcdec554754d876810.camel@telenet.be
zimoun wrote on Mon 06-09-2021 at 10:23 [+0200]:
> Hi Maxime,
>
> On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:
>
> > This patch adds a 'suspect-license' linter detecting some suspicious
> > values in the license fields of linux modules:
>
> I do not know if it is worth adding a linter for really few corner
> cases, IMHO.
>
> > For zfs, the issue is the CDDL license. For the others, the issue
> > is the gpl3+ license. See the article by the SFLC for why this linter
> > detects ZFS:
> >
> > <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.
>
> The issue is about distributing binaries, IIUC. From my point of view,
> such a linter should check X-license packages using any build-system but
> “linked” to incompatible X-license packages. Well, I do not know if it
> is worth automating this since it appears to me really sparse corner
> cases.

It appears that the proposed linter isn't very useful.
Closing.

Greetings,
Maxime


Closed
This issue is archived.