Re: Third party patch licensing

2022-05-25 Thread Richard Laager

On 5/25/22 12:59, Athos Ribeiro wrote:

> I contacted the patch author to wonder how we could re-distribute the
> patch (see the discussion in [2]). They agreed to license it with the
> upstream project's license (AGPLv3), and I suggested the approach
> described in [4].
>
> Since IANAL, I decided to ask devel-discuss if there's a better approach
> for licensing this patch or if this should be enough to include it as a
> delta. Note that this was submitted to Debian in [5], where I did
> raise this same concern.


To be honest, I think general FOSS practice is to assume the patch is 
licensed the same as the code it is changing. In the case of copyleft 
licenses like (A)GPL, that's essentially* legally required (i.e. if 
someone is distributing modified versions*, they have* to be licensed 
under the same license).


* One can quibble over whether the patch is distributing enough of the 
original code to be a derivative work. On the other hand, one can also 
quibble over whether a given patch is creative enough to even be 
copyrightable.


If you really want to be safe (which it seems you do), all you need is
for the author to confirm it's licensed as "AGPLv3 or later" or "the
same as the project" or something unambiguous. Putting the full license
grant is one (and the most clear) way to do that, but it's not the only
way to do it.


--
Richard

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Third party patch licensing

2022-05-25 Thread Athos Ribeiro

Hi,

I am facing a licensing issue with a patch to fix a (possible? [1]) CVE
in the rainloop package.

A security issue has been reported upstream [2], but there were no
replies from the upstream project yet.

The reporter followed up by describing the security issue in a blog post
[3], which also contains a patch to fix the issue.

I contacted the patch author to wonder how we could re-distribute the
patch (see the discussion in [2]). They agreed to license it with the
upstream project's license (AGPLv3), and I suggested the approach
described in [4].

Since IANAL, I decided to ask devel-discuss if there's a better approach
for licensing this patch or if this should be enough to include it as a
delta. Note that this was submitted to Debian in [5], where I did
raise this same concern.

[1] CVE-2022-29360 has not been published in MITRE's DB nor in cve.org
yet.
[2] https://github.com/RainLoop/rainloop-webmail/issues/2142
[3] https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
[4] https://github.com/RainLoop/rainloop-webmail/issues/2142#issuecomment-1137592507
[5] https://salsa.debian.org/js-team/rainloop/-/merge_requests/4

--
Athos Ribeiro
