Hi Legal
The 'sgx-sdk' package is currently open for review with a view to adding to Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2085444
One of the last stumbling blocks is that it includes a copy of the "dlmalloc" code under the CC0 license, which is now a forbidden code license for packages being newly added to Fedora.
The authors of sgx-sdk have contacted the original author of dlmalloc, and he apparently suggested that since CC0 is a public domain license, they can just add a second license header of their choosing to the source files and Fedora can then ignore the original CC0 license.
This smells fishy to me, as I can't come up with a rationale for why adding a second "BSD" license header to the source file would justify Fedora ignoring the original CC0. The original code would still explicitly not have a patent grant, and an extra license doesn't seem to alter that fact.
It was pointed out that this approach has already been taken by OpenJDK, where they took CC0 code and added a GPL-v2-only header:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/...
OpenJDK though would be grandfathered in, since it existed in Fedora before CC0 was forbidden, so I'm not sure that can be relied on as a precedent.
I am not a lawyer, so I want an expert opinion on this suggestion that adding a 2nd license header allows Fedora to ignore the original CC0 license. If it is true, then it would appear to make the whole exercise of banning CC0 effectively pointless.
I had also suggested downgrading to an older version of dlmalloc which had the CC Public Domain license, rather than CC0, but the sgx-sdk maintainers rejected that as they're concerned it has security relevant flaws.
With regards, Daniel
Does anyone have feedback on this license review?
On Tue, Aug 29, 2023 at 12:11:38PM +0100, Daniel P. Berrangé wrote:
Hi Legal
The 'sgx-sdk' package is currently open for review with a view to adding to Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2085444
One of the last stumbling blocks is that it includes a copy of the "dlmalloc" code under the CC0 license, which is now a forbidden code license for packages being newly added to Fedora.
The authors of sgx-sdk have contacted the original author of dlmalloc, and he apparently suggested that since CC0 is a public domain license, they can just add a second license header of their choosing to the source files and Fedora can then ignore the original CC0 license.
This smells fishy to me, as I can't come up with a rationale for why adding a second "BSD" license header to the source file would justify Fedora ignoring the original CC0. The original code would still explicitly not have a patent grant, and an extra license doesn't seem to alter that fact.
It was pointed out that this approach has already been taken by OpenJDK, where they took CC0 code and added a GPL-v2-only header:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/...
OpenJDK though would be grandfathered in, since it existed in Fedora before CC0 was forbidden, so I'm not sure that can be relied on as a precedent.
I am not a lawyer, so I want an expert opinion on this suggestion that adding a 2nd license header allows Fedora to ignore the original CC0 license. If it is true, then it would appear to make the whole exercise of banning CC0 effectively pointless.
I had also suggested downgrading to an older version of dlmalloc which had the CC Public Domain license, rather than CC0, but the sgx-sdk maintainers rejected that as they're concerned it has security relevant flaws.
With regards, Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
legal mailing list -- legal@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org
With regards, Daniel
On Thu, Sep 7, 2023 at 11:35 AM Daniel P. Berrangé berrange@redhat.com wrote:
Does anyone have feedback on this license review?
On Tue, Aug 29, 2023 at 12:11:38PM +0100, Daniel P. Berrangé wrote:
Hi Legal
The 'sgx-sdk' package is currently open for review with a view to adding to Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2085444
One of the last stumbling blocks is that it includes a copy of the "dlmalloc" code under the CC0 license, which is now a forbidden code license for packages being newly added to Fedora.
The authors of sgx-sdk have contacted the original author of dlmalloc, and he apparently suggested that since CC0 is a public domain license, they can just add a second license header of their choosing to the source files and Fedora can then ignore the original CC0 license.
This smells fishy to me, as I can't come up with a rationale for why adding a second "BSD" license header to the source file would justify Fedora ignoring the original CC0. The original code would still explicitly not have a patent grant, and an extra license doesn't seem to alter that fact.
It was pointed out that this approach has already been taken by OpenJDK, where they took CC0 code and added a GPL-v2-only header:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/...
OpenJDK though would be grandfathered in, since it existed in Fedora before CC0 was forbidden, so I'm not sure that can be relied on as a precedent.
I am not a lawyer, so I want an expert opinion on this suggestion that adding a 2nd license header allows Fedora to ignore the original CC0 license. If it is true, then it would appear to make the whole exercise of banning CC0 effectively pointless.
Yes, I agree. If this happened upstream and we were unaware of it, that would be one thing, but this is not the case.
This 'trick' has been suggested before. Aside from the policy issue, it's actually not clear that CC0 allows this because CC0 contains a clause prohibiting sublicensing which AFAIK is in all the CC licenses (though possibly its inclusion in CC0 is a bug).
I had the impression previously that Doug Lea didn't mean to use CC0 in a serious sense and that he was just recharacterizing an earlier public domain dedication release, but I guess that might not be right. However, if earlier versions of this code were under CC-PDDC or a more informal public domain dedication, it may be that the quantum of stuff actually under CC0 is fairly minimal.
Richard
On 29. 08. 23 at 13:11 Daniel P. Berrangé wrote:
Hi Legal
The 'sgx-sdk' package is currently open for review with a view to adding to Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2085444
One of the last stumbling blocks is that it includes a copy of the "dlmalloc" code under the CC0 license, which is now a forbidden code license for packages being newly added to Fedora.
Just FTR, if I am not mistaken, the dlmalloc license was also found problematic during work on wasi-libc [1], where in the end a different implementation of malloc (emmalloc) was used. Wouldn't this be an option for sgx-sdk as well?
Vít
[1] https://github.com/WebAssembly/wasi-libc/issues/319
The authors of sgx-sdk have contacted the original author of dlmalloc, and he apparently suggested that since CC0 is a public domain license, they can just add a second license header of their choosing to the source files and Fedora can then ignore the original CC0 license.
This smells fishy to me, as I can't come up with a rationale for why adding a second "BSD" license header to the source file would justify Fedora ignoring the original CC0. The original code would still explicitly not have a patent grant, and an extra license doesn't seem to alter that fact.
It was pointed out that this approach has already been taken by OpenJDK, where they took CC0 code and added a GPL-v2-only header:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/...
OpenJDK though would be grandfathered in, since it existed in Fedora before CC0 was forbidden, so I'm not sure that can be relied on as a precedent.
I am not a lawyer, so I want an expert opinion on this suggestion that adding a 2nd license header allows Fedora to ignore the original CC0 license. If it is true, then it would appear to make the whole exercise of banning CC0 effectively pointless.
I had also suggested downgrading to an older version of dlmalloc which had the CC Public Domain license, rather than CC0, but the sgx-sdk maintainers rejected that as they're concerned it has security relevant flaws.
With regards, Daniel
On Fri, Sep 08, 2023 at 01:02:03PM +0200, Vít Ondruch wrote:
On 29. 08. 23 at 13:11 Daniel P. Berrangé wrote:
Hi Legal
The 'sgx-sdk' package is currently open for review with a view to adding to Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2085444
One of the last stumbling blocks is that it includes a copy of the "dlmalloc" code under the CC0 license, which is now a forbidden code license for packages being newly added to Fedora.
Just FTR, if I am not mistaken, the dlmalloc license was also found problematic during work on wasi-libc [1], where in the end a different implementation of malloc (emmalloc) was used. Wouldn't this be an option for sgx-sdk as well?
Yes, I have suggested this and other options (an older version of dlmalloc) to Intel.
With regards, Daniel
On Tue, Aug 29, 2023 at 12:11:38PM +0100, Daniel P. Berrangé wrote:
One of the last stumbling blocks is that it includes a copy of the "dlmalloc" code under the CC0 license, which is now a forbidden code license for packages being newly added to Fedora.
The authors of sgx-sdk have contacted the original author of dlmalloc, and he apparently suggested that since CC0 is a public domain license, they can just add a second license header of their choosing to the source files and Fedora can then ignore the original CC0 license.
To close the loop on this, after a little more email discussion with Doug Lea, he graciously agreed to replace the CC0 license with MIT-0 as seen here, so there should no longer be any license problem for projects bundling dlmalloc in Fedora:
https://gee.cs.oswego.edu/pub/misc/malloc.c
[quote]
* Version 2.8.6 Wed Aug 29 06:57:58 2012 Doug Lea
Re-licensed 25 Sep 2023 with MIT-0 replacing obsolete CC0
See https://opensource.org/license/mit-0/
[/quote]
With regards, Daniel
On Thu, Nov 2, 2023 at 12:29 PM Daniel P. Berrangé berrange@redhat.com wrote:
To close the loop on this, after a little more email discussion with Doug Lea, he graciously agreed to replace the CC0 license with MIT-0 as seen here, so there should no longer be any license problem for projects bundling dlmalloc in Fedora:
https://gee.cs.oswego.edu/pub/misc/malloc.c
[quote]
* Version 2.8.6 Wed Aug 29 06:57:58 2012 Doug Lea
Re-licensed 25 Sep 2023 with MIT-0 replacing obsolete CC0
See https://opensource.org/license/mit-0/
[/quote]
Great! Thanks for pursuing this.
Richard