Message ID | 5c4caf742c5dbe2a02aede2b20ff80eae7bc352a.camel@telenet.be |
---|---|
State | Accepted |
Series | [bug#50347,RFC] lint: Warn about kernel modules with a suspect license. |
Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparison |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | fail | View Laminar job |
cbaines/issue | success | View issue |
I've discussed this with dstolfa on IRC:
https://logs.guix.gnu.org/guix/2021-09-02.log#234707
https://logs.guix.gnu.org/guix/2021-09-03.log

Greetings,
Maxime.

Hi Maxime,

On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:

> This patch adds a 'suspect-license' linter detecting some suspicious
> values in the license fields of linux modules:

I do not know if it is worth to add a linter for really few corner
cases, IMHO.

> For zfs, the issue is the CDDL license. For the others, the issue
> is the gpl3+ license. See the article by the SFLC for why this linter
> detects ZFS:
>
> <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.

The issue is about distributing binaries, IIUC. From my point of view,
such a linter should check X-license packages using any build-system but
“linked” to incompatible X-license packages. Well, I do not know if it
is worth to automate this since it appears to me really sparse corner
cases.

Cheers,
simon

zimoun wrote on Mon 06-09-2021 at 10:23 [+0200]:

> Hi Maxime,
>
> On Thu, 02 Sep 2021 at 23:42, Maxime Devos <maximedevos@telenet.be> wrote:
>
> > This patch adds a 'suspect-license' linter detecting some suspicious
> > values in the license fields of linux modules:
>
> I do not know if it is worth to add a linter for really few corner
> cases, IMHO.
>
> > For zfs, the issue is the CDDL license. For the others, the issue
> > is the gpl3+ license. See the article by the SFLC for why this linter
> > detects ZFS:
> >
> > <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/#footnote-other-ZFS-copyright-holders>.
>
> The issue is about distributing binaries, IIUC. From my point of view,
> such a linter should check X-license packages using any build-system but
> “linked” to incompatible X-license packages. Well, I do not know if it
> is worth to automate this since it appears to me really sparse corner
> cases.

It appears that the proposed linter isn't very useful. Closing.

Greetings,
Maxime

From 851cf20b7d5aed45c3331781afef8de3961f4bb4 Mon Sep 17 00:00:00 2001 From: Maxime Devos <maximedevos@telenet.be> Date: Thu, 2 Sep 2021 23:30:15 +0200 Subject: [PATCH] lint: Warn about kernel modules with a suspect license. * guix/lint.scm (check-suspect-license): New linter. (%local-checkers)[suspect-license]: Register it. --- guix/lint.scm | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/guix/lint.scm b/guix/lint.scm index ffd3f7007e..3a7f3be327 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -34,6 +34,7 @@ #:use-module (guix store) #:autoload (guix base16) (bytevector->base16-string) #:use-module (guix base32) + #:use-module (guix build-system) #:use-module (guix diagnostics) #:use-module (guix download) #:use-module (guix ftp-client) 
@@ -1347,6 +1348,31 @@ of the propagated inputs it pulls in." (make-warning package (G_ "invalid license field") #:field 'license))))) +(define (check-suspect-license package) + "Warn about suspicious license combinations in PACKAGE." + ;; Use 'build-system-name' instead of comparing the build + ;; system directly with 'linux-module-build-system' to avoid + ;; loading (guix build-system linux-module) when no Linux modules + ;; are linted. + (define linux-module? + (eq? 'linux-module + (build-system-name (package-build-system package)))) + ;; This has plenty of false negatives and should + ;; have very few false positives. + (define gpl2-only-incompatible? + ;; The Linux kernel is GPL-2-only, so GPL3 and later are out. + ;; The GPL and CDDL appear to be incompatible, see + ;; <https://sfconservancy.org/blog/2016/feb/25/zfs-and-linux/> + ;; and <https://www.fsf.org/licensing/zfs-and-linux>. + (memq (package-license package) + (list gpl3 gpl3+ cddl1.0))) + (if (and linux-module? gpl2-only-incompatible?) + (list + (make-warning package + (G_ "license appears incompatible with the Linux kernel") + #:field 'license)) + '())) + (define (current-vulnerabilities*) "Like 'current-vulnerabilities', but return the empty list upon networking or HTTP errors. This allows network-less operation and makes problems with @@ -1762,6 +1788,10 @@ them for PACKAGE." (description "Make sure the 'license' field is a <license> \ or a list thereof") (check check-license)) + (lint-checker + (name 'suspect-license) + (description "Detect some suspect combinations of licenses") + (check check-suspect-license)) (lint-checker (name 'optional-tests) (description "Make sure tests are only run when requested") -- 2.33.0
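
Review bot: In check-suspect-license (hunk @@ -1347,6 +1348,31 @@), gpl2-only-incompatible? passes (package-license package) straight to memq, so a kernel module whose license field is a list of licenses is never flagged, even though the check-license description visible in the last hunk's context says the field may be "a <license> or a list thereof". Consider normalizing the field to a list and testing whether any element is a member of (list gpl3 gpl3+ cddl1.0). Separately, the only import this patch adds is (guix build-system), so it is worth confirming that gpl3, gpl3+ and cddl1.0 are already bound in guix/lint.scm.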
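
Review bot: The description string "Detect some suspect combinations of licenses" in the new lint-checker entry (hunk @@ -1762,6 +1788,10 @@) does not say that the check only looks at packages using the linux-module build system. Naming kernel modules in the description, as the commit subject and the warning text "license appears incompatible with the Linux kernel" already do, would tell someone reading the checker's description what it actually covers.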