[RFC PATCH] lint: Warn about kernel modules with a suspect license.

Done
Submitted by Maxime Devos.
Details
2 participants
  • Maxime Devos
  • zimoun
Owner
unassigned
Severity
normal
Maxime Devos wrote on 2 Sep 23:42 +0200
(address . guix-patches@gnu.org)
5c4caf742c5dbe2a02aede2b20ff80eae7bc352a.camel@telenet.be
X-Debbugs-CC: guix-devel@gnu.org
[CC'ing guix-devel@gnu.org because a wider audience seems in order?]
Hi guix,
This patch adds a 'suspect-license' linter detecting some suspicious
values in the license fields of linux modules:

gnu/packages/file-systems.scm:1317:13: zfs@2.1.0: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:1185:13: acpi-call-linux-module@1.2.1: license appears incompatible with the Linux kernel
gnu/packages/linux.scm:8205:15: ttyebus-linux-module@1.5-0.fe4332a: license appears incompatible with the Linux kernel

For zfs, the issue is the CDDL license. For the others, the issue
is the gpl3+ license. See the article by the SFLC for why this linter
detects ZFS:
https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders.
I wrote a little about the CDDL-GPL incompatibility issue
(most likely a GPL violation?) at https://issues.guix.gnu.org/45692#43.

Greetings,
Maxime.
From 851cf20b7d5aed45c3331781afef8de3961f4bb4 Mon Sep 17 00:00:00 2001
From: Maxime Devos <maximedevos@telenet.be>
Date: Thu, 2 Sep 2021 23:30:15 +0200
Subject: [PATCH] lint: Warn about kernel modules with a suspect license.

* guix/lint.scm (check-suspect-license): New linter.
(%local-checkers)[suspect-license]: Register it.
---
 guix/lint.scm | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
Toggle diff (57 lines)diff --git a/guix/lint.scm b/guix/lint.scmindex ffd3f7007e..3a7f3be327 100644--- a/guix/lint.scm+++ b/guix/lint.scm@@ -34,6 +34,7 @@ #:use-module (guix store) #:autoload (guix base16) (bytevector->base16-string) #:use-module (guix base32)+ #:use-module (guix build-system) #:use-module (guix diagnostics) #:use-module (guix download) #:use-module (guix ftp-client)@@ -1347,6 +1348,31 @@ of the propagated inputs it pulls in." (make-warning package (G_ "invalid license field") #:field 'license))))) +(define (check-suspect-license package)+ "Warn about suspicious license combinations in PACKAGE."+ ;; Use 'build-system-name' instead of comparing the build+ ;; system directly with 'linux-module-build-system' to avoid+ ;; loading (guix build-system linux-module) when no Linux modules+ ;; are linted.+ (define linux-module?+ (eq? 'linux-module+ (build-system-name (package-build-system package))))+ ;; This has plenty of false negatives and should+ ;; have very few false positives.+ (define gpl2-only-incompatible?+ ;; The Linux kernel is GPL-2-only, so GPL3 and later are out.+ ;; The GPL and CDDL appear to be incompatible, see+ ;; <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/>+ ;; and <https://www.fsf.org/licensing/zfs-and-linux>.+ (memq (package-license package)+ (list gpl3 gpl3+ cddl1.0)))+ (if (and linux-module? gpl2-only-incompatible?)+ (list+ (make-warning package+ (G_ "license appears incompatible with the Linux kernel")+ #:field 'license))+ '()))+ (define (current-vulnerabilities*) "Like 'current-vulnerabilities', but return the empty list upon networking or HTTP errors. This allows network-less operation and makes problems with@@ -1762,6 +1788,10 @@ them for PACKAGE." 
(description "Make sure the 'license' field is a <license> \ or a list thereof") (check check-license))+ (lint-checker+ (name 'suspect-license)+ (description "Detect some suspect combinations of licenses")+ (check check-suspect-license)) (lint-checker (name 'optional-tests) (description "Make sure tests are only run when requested")-- 2.33.0
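Review bot: In check-suspect-license, the gpl2-only-incompatible? test "(memq (package-license package) (list gpl3 gpl3+ cddl1.0))" only matches when the license field holds a single license object. The neighbouring check-license checker describes the field as "a <license> or a list thereof", so a linux-module package whose license field is a list containing gpl3+ or cddl1.0 is never flagged. Normalize the field to a list before testing membership, decide explicitly whether one incompatible member is enough to warn, and record that choice next to the existing comment about false negatives. The diffstat shows only guix/lint.scm changed, so a test covering a linux-module package with each flagged license, one with a list-valued field, and one non-module package carrying gpl3+ would be worth adding.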
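Review bot: The description in the new %local-checkers entry, "Detect some suspect combinations of licenses", does not tell the user that only packages using the linux-module build system are examined and that only gpl3, gpl3+ and cddl1.0 are flagged. Wording along the lines of "Detect Linux kernel modules whose license appears incompatible with the kernel" would match both the check and the warning it emits. The docstring of check-suspect-license, "Warn about suspicious license combinations in PACKAGE", is equally broad and should be narrowed the same way.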

Maxime Devos wrote on 3 Sep 00:20 +0200
(address . 50347@debbugs.gnu.org)
(address . guix-devel@gnu.org)
bb816cb9ef0d8a33b9903114a13638351d63ea58.camel@telenet.be

zimoun wrote on 6 Sep 10:23 +0200
(address . guix-devel@gnu.org)
868s0ajenb.fsf@gmail.com
Hi Maxime,
On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:
> This patch adds a 'suspect-license' linter detecting some suspicious
> values in the license fields of linux modules:

I do not know if it is worth adding a linter for really few corner
cases, IMHO.

> For zfs, the issue is the CDDL license. For the others, the issue
> is the gpl3+ license. See the article by the SFLC for why this linter
> detects ZFS:
>
> <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

The issue is about distributing binaries, IIUC. From my point of view,
such a linter should check X-license packages using any build-system but
“linked“ to incompatible X-license packages. Well, I do not know if it
is worth automating this since it appears to me really sparse corner
cases.

Cheers,
simon
Maxime Devos wrote on 8 Sep 22:42 +0200
0f39f83c839a54a82e2c7abcdec554754d876810.camel@telenet.be
zimoun wrote on Mon 06-09-2021 at 10:23 [+0200]:
> Hi Maxime,
>
> On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:
>
> > This patch adds a 'suspect-license' linter detecting some suspicious
> > values in the license fields of linux modules:
>
> I do not know if it is worth adding a linter for really few corner
> cases, IMHO.
>
> > For zfs, the issue is the CDDL license. For the others, the issue
> > is the gpl3+ license. See the article by the SFLC for why this linter
> > detects ZFS:
> >
> > <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.
>
> The issue is about distributing binaries, IIUC. From my point of view,
> such a linter should check X-license packages using any build-system but
> “linked“ to incompatible X-license packages. Well, I do not know if it
> is worth automating this since it appears to me really sparse corner
> cases.

It appears that the proposed linter isn't very useful.
Closing.

Greetings,
Maxime

Closed