On 10/31/23 17:07, Michael Kubacki wrote:
> On 10/28/2023 7:51 AM, Laszlo Ersek wrote:
>> On 10/27/23 23:11, Michael Kubacki wrote:
>>> I'd like to bring attention to Apache License 2.0 code in the CodeQL
>>> series I sent to the mailing list for steward review.
>>>
>>> In particular, the files in the BaseTools/Plugin/CodeQL/analyze
>>> directory of this patch:
>>>
>>> https://edk2.groups.io/g/devel/message/109696
>>>
>>> Please let me know if any next steps are needed.
>>
>> (1) I don't know if edk2 accepts contributions under Apache License 2.0;
>> just want to point out that this license is acceptable in Fedora (and so
>> RHEL too), per
>> <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>. Assuming
>> we're talking about "Apache Software License 2.0".
>>
> A few submodules are using the Apache License 2.0.
>
> For example, OpenSSL v3:
>
> - https://www.openssl.org/source/license.html
> - https://git.openssl.org/?p=openssl.git;a=blob_plain;f=LICENSE.txt;hb=HEAD
>
> And cmocka:
>
> - https://gitlab.com/cmocka/cmocka/-/blob/master/COPYING

Thanks for identifying those!

>
> I'm unaware if there was precedent specific to submodules, but I'd
> expect terms like redistribution clauses to already apply regardless of
> tooling used to acquire the source code into the project.

I believe the same.

>
>> (2) Should we extend "License Details" and "Code Contributions" in
>> "ReadMe.rst"?
>>
> My initial thought was to add the path (BaseTools\Plugin\CodeQL\analyze)
> to "License Details".
>
> Was that all that you had in mind or to elaborate further in that
> section on the licenses used/allowed?

- Under "License Details", simply list BaseTools/Plugin/CodeQL/analyze
  as one of the "components" (i.e., first list) that use "additional
  licenses".

- Under "Code Contributions", we should list "Apache Software License
  2.0" as acceptable -- both for this new feature, and for the *already*
  upstream stuff that you found above.

>
>> (3) Should the new files (under Apache License 2.0) use an SPDX
>> identifier tag, for easy greppability?
>>
> I'd be happy to add that.

That's a relief, I didn't know whether you could touch up the license
blocks!

Thanks!
Laszlo

>
>> (4) With the addition, downstream packages (such as RPMs in Fedora and
>> RHEL) might want to spell out the short SPDX identifier of the new
>> license too in their License: tags.
>>
>> Laszlo