[RFC PATCH] lint: Warn about kernel modules with a suspect license.

  • Done
Details
2 participants
  • Maxime Devos
  • zimoun
Owner
unassigned
Submitted by
Maxime Devos
Severity
normal
Maxime Devos wrote on 2 Sep 2021 23:42
(address . guix-patches@gnu.org)
5c4caf742c5dbe2a02aede2b20ff80eae7bc352a.camel@telenet.be
X-Debbugs-CC: guix-devel@gnu.org

[CC'ing guix-devel@gnu.org because a wider audience seems in order?]

Hi guix,

This patch adds a 'suspect-license' linter detecting some suspicious
values in the license fields of linux modules:

gnu/packages/file-systems.scm:1317:13: zfs@2.1.0: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:1185:13: acpi-call-linux-module@1.2.1: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:8205:15: ttyebus-linux-module@1.5-0.fe4332a: license appears incompatible with the Linux kernel

For zfs, the issue is the CDDL license. For the others, the issue
is the gpl3+ license. See the article by the SFLC for why this linter
detects ZFS:

<https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

I wrote a little about the CDDL-GPL incompatibility issue
(most likely a GPL violation?) at https://issues.guix.gnu.org/45692#43.

Greetings,
Maxime.
From 851cf20b7d5aed45c3331781afef8de3961f4bb4 Mon Sep 17 00:00:00 2001
From: Maxime Devos <maximedevos@telenet.be>
Date: Thu, 2 Sep 2021 23:30:15 +0200
Subject: [PATCH] lint: Warn about kernel modules with a suspect license.

* guix/lint.scm
(check-suspect-license): New linter.
(%local-checkers)[suspect-license]: Register it.
---
guix/lint.scm | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)

diff --git a/guix/lint.scm b/guix/lint.scm
index ffd3f7007e..3a7f3be327 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -34,6 +34,7 @@
#:use-module (guix store)
#:autoload (guix base16) (bytevector->base16-string)
#:use-module (guix base32)
+ #:use-module (guix build-system)
#:use-module (guix diagnostics)
#:use-module (guix download)
#:use-module (guix ftp-client)
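Review bot: the only import added here is (guix build-system), but the new check-suspect-license procedure also refers to gpl3, gpl3+ and cddl1.0 without a prefix, and no visible hunk brings those bindings into scope. Confirm that guix/lint.scm already imports the license objects unprefixed, or add that import next to this one. Since build-system-name is the only binding used from the new module, a #:select clause would also keep the import narrow.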
@@ -1347,6 +1348,31 @@ of the propagated inputs it pulls in."
(make-warning package (G_ "invalid license field")
#:field 'license)))))
+(define (check-suspect-license package)
+ "Warn about suspicious license combinations in PACKAGE."
+ ;; Use 'build-system-name' instead of comparing the build
+ ;; system directly with 'linux-module-build-system' to avoid
+ ;; loading (guix build-system linux-module) when no Linux modules
+ ;; are linted.
+ (define linux-module?
+ (eq? 'linux-module
+ (build-system-name (package-build-system package))))
+ ;; This has plenty of false negatives and should
+ ;; have very few false positives.
+ (define gpl2-only-incompatible?
+ ;; The Linux kernel is GPL-2-only, so GPL3 and later are out.
+ ;; The GPL and CDDL appear to be incompatible, see
+ ;; <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/>
+ ;; and <https://www.fsf.org/licensing/zfs-and-linux>.
+ (memq (package-license package)
+ (list gpl3 gpl3+ cddl1.0)))
+ (if (and linux-module? gpl2-only-incompatible?)
+ (list
+ (make-warning package
+ (G_ "license appears incompatible with the Linux kernel")
+ #:field 'license))
+ '()))
+
(define (current-vulnerabilities*)
"Like 'current-vulnerabilities', but return the empty list upon networking
or HTTP errors. This allows network-less operation and makes problems with
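Review bot: in gpl2-only-incompatible?, (memq (package-license package) (list gpl3 gpl3+ cddl1.0)) matches only when the license field holds a single license object. The check-license description further down in this patch says the field may be "a <license> or a list thereof", and a list-valued field never satisfies memq here, so such a module is silently skipped. Handle the list case explicitly and state in the comment how it is interpreted, for example warning only when every listed license is in the incompatible set so that dual-licensed modules do not become false positives. The docstring says "suspicious license combinations" although only packages using the linux-module build system are examined; naming that restriction would keep it accurate.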
@@ -1762,6 +1788,10 @@ them for PACKAGE."
(description "Make sure the 'license' field is a <license> \
or a list thereof")
(check check-license))
+ (lint-checker
+ (name 'suspect-license)
+ (description "Detect some suspect combinations of licenses")
+ (check check-suspect-license))
(lint-checker
(name 'optional-tests)
(description "Make sure tests are only run when requested")
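Review bot: the description "Detect some suspect combinations of licenses" registered for suspect-license does not tell the user that only Linux kernel modules are checked, which is what the checker's own warning text is about; something like "Detect Linux kernel modules whose license appears incompatible with the kernel" would match the behaviour. The diffstat lists guix/lint.scm as the only file changed, so the new checker arrives without a test or a documentation entry; a test covering one flagged module and one unflagged package would pin down the intended false-positive rate.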
--
2.33.0


Maxime Devos wrote on 3 Sep 2021 00:20
(address . 50347@debbugs.gnu.org)(address . guix-devel@gnu.org)
bb816cb9ef0d8a33b9903114a13638351d63ea58.camel@telenet.be


zimoun wrote on 6 Sep 2021 10:23
(address . guix-devel@gnu.org)
868s0ajenb.fsf@gmail.com
Hi Maxime,

On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:

> This patch adds a 'suspect-license' linter detecting some suspicious
> values in the license fields of linux modules:

I do not know if it is worth to add a linter for really few corner
cases, IMHO.

> For zfs, the issue is the CDDL license. For the others, the issue
> is the gpl3+ license. See the article by the SFLC for why this linter
> detects ZFS:
>
> <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

The issue is about distributing binaries, IIUC. From my point of view,
such a linter should check X-license packages using any build-system but
“linked” to incompatible X-license packages. Well, I do not know if it
is worth to automate this since it appears to me really sparse corner
cases.

Cheers,
simon
Maxime Devos wrote on 8 Sep 2021 22:42
0f39f83c839a54a82e2c7abcdec554754d876810.camel@telenet.be
zimoun wrote on Mon 06-09-2021 at 10:23 [+0200]:
> Hi Maxime,
>
> On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:
>
> > This patch adds a 'suspect-license' linter detecting some suspicious
> > values in the license fields of linux modules:
>
> I do not know if it is worth to add a linter for really few corner
> cases, IMHO.
>
> > For zfs, the issue is the CDDL license. For the others, the issue
> > is the gpl3+ license. See the article by the SFLC for why this linter
> > detects ZFS:
> >
> > <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.
>
> The issue is about distributing binaries, IIUC. From my point of view,
> such a linter should check X-license packages using any build-system but
> “linked” to incompatible X-license packages. Well, I do not know if it
> is worth to automate this since it appears to me really sparse corner
> cases.

It appears that the proposed linter isn't very useful.
Closing.

Greetings,
Maxime


Closed