Bug#922112: fio: hash.h is not DFSG compliant

Bug#922112: fio: hash.h is not DFSG compliant

Domenico Andreoli-3
Package: fio
Severity: grave

According to debian/copyright, hash.h is licensed as GPL-2+ but this
is not true. There is not any mention of license attribution in its
verifiable history, not by its copyright holder or anybody else on
their behalf.

Thanks to Ulrich Mueller for the relevant research [0].

Similar bug is reported to package dwarves [1], which includes an older
copy of this same file.

Regards,
Domenico

[0] https://lkml.org/lkml/2019/2/11/773
[1] https://bugs.debian.org/919356

--
3B10 0CA1 8674 ACBA B4FE  FCD2 CE5B CF17 9960 DE13

Bug#922112: marked as done (fio: hash.h is not DFSG compliant)

Debian Bug Tracking System
Your message dated Tue, 12 Feb 2019 10:39:08 +0000
with message-id <1637429.ihVJye5Aa2@merkaba>
and subject line Re: Bug#922112: fio: hash.h is not DFSG compliant
has caused the Debian Bug report #922112,
regarding fio: hash.h is not DFSG compliant
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
922112: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922112
Debian Bug Tracking System
Contact [hidden email] with problems

Closing bug report for now as Jens, upstream maintainer of fio, claims that the
file is GPL2. Feel free to reopen in case you have evidence that it is not
*after* or *with* but not *before* you provided that evidence.

Jens, I cc'd you cause this bug report has the potential to remove fio package
from Debian, so… in case you could elaborate a bit more on the source of
hash.c so that those who doubt it is GPL-2 can see that it is, it would be
helpful.


Dear Domenico.

It would have been nice to at least give one or two days to clear up the issue
before filing a bug report of grave severity. It is not that the file in fio has
been there for *years* without anyone complaining or that Debian Buster would
have been released today without the bug report in place.

I am currently holding a training, thus there may be delays in replying.

Domenico Andreoli - 12.02.19, 09:26:
> Package: fio
> Severity: grave
>
> According to debian/copyright, hash.h is licensed as GPL-2+ but this
> is not true. There is not any mention of license attribution in its
> verifiable history, not by its copyright holder or anybody else on
> their behalf.

I attach a mail from Jens Axboe, upstream maintainer of fio, where he claims
that like any other files that have no special license information this file
also is GPL-2.

I do have the original mail complete with headers available. I also cc'd Jens.

As I did not see any evidence that contradicts what Jens claims here I have no
reason not to believe him. Of course feel free to provide such evidence and
raise the severity of the bug again in case you do so.

Mit freundlichen Grüßen / With kind regards
Martin Steigerwald • Proact Deutschland GmbH
Trainer
Phone: +49 911 30999 0 • Fax: +49 911 30999 99
Südwestpark 43 • 90449 Nürnberg • Germany
[hidden email] • www.proact.de

Amtsgericht Nürnberg • HRB 18320
Managing directors: Oliver Kügow • Richard Müller • Jakob Høholdt • Peter Mikael Javestad

– Delivering Business Agility –
 
---------- Forwarded Message ----------

Subject: Re: Licensing of include/linux/hash.h
Date: Monday, 11 February 2019, 23:55:22 CET
From: Jens Axboe <[hidden email]>
To: Martin Steigerwald <[hidden email]>, Domenico Andreoli
<[hidden email]>
Cc: Kristian Fiskerstrand <[hidden email]>, Ben Finney
<[hidden email]>, Nadia Yvette Chambers <[hidden email]>, Arnaldo
Carvalho de Melo <[hidden email]>, [hidden email]
<[hidden email]>, [hidden email] <debian-
[hidden email]>, [hidden email] <linux-
[hidden email]>, Jens Axboe <[hidden email]>

On 2/11/19 3:50 AM, Martin Steigerwald wrote:

> Adding in [hidden email], as I am not sure whether the oracle.com address
> from Jens is actually valid / up to date.
>
> Domenico Andreoli - 11.02.19, 08:22:
>> On Mon, Feb 11, 2019 at 12:08:32AM +0100, Kristian Fiskerstrand wrote:
>> >
> Mit freundlichen Grüßen / With kind regards​
>
> Martin Steigerwald •
> Proact Deutschland GmbH
[… mail signature …]

> On 1/23/19 9:50 AM, Domenico Andreoli wrote:
>> > > Ben Finney <[hidden email]> writes:
>> > >> Domenico Andreoli <[hidden email]> writes:
>> [...]
>>
>> > >>> the only knot left is now the license of hash.h
>> > >>>
>> > >>> This file is also present in the kernel [0] with an updated copyright
>> > >>> but still without license.
>>
>> [...]
>>
>> > >> To know that work (that file) is free software, we need a clear grant
>> > >> of some specific license, for that work.
>> > >>
>> > >> If the work is not free, it would be incorrect to have the work in
>> > >> Debian.
>> > >
>> > > Is it possible that for the kernel it is instead correct because it is,
>> > > as whole, covered by its COPYING?
>> > >
>> > >> Alternatives, for complying with the Debian Free Software Guidelines
>> > >> with this package, include:
>> > >>
>> > >> * Find a credible grant of license under some GPL-compatible free
>> > >>   license to that exact file. Document that explicit grant in the
>> > >>   Debian package. This demonstrates the work is DFSG-free.
>> > >>
>> > >> * Convince “dwarves-dfsg” upstream to replace that file with a
>> > >>   different implementation (I don't know whether such an
>> > >>   implementation exists) under a license compatible with the same
>> > >>   version of GNU GPL. Document that explicit grant in the Debian
>> > >>   package. This demonstrates the modified work is DFSG-free.
>> > >>
>> > >> * Replace that file in Debian only, with a different implementation
>> > >>   as above. Document that explicit grant in the Debian package. This
>> > >>   demonstrates the modified Debian package is DFSG-free.
>> > >>
>> > >> * Move the work to the “non-free” area.
>> > >>
>> > >> * Remove the work altogether.
>> > >>
>> > >> Those are in descending order of (my recommended) preference.
>>
>> [...]
>>
>> > It was [pointed out] by one of our license group that [hash.h] is the
>> > same that has a GPL-2+ in [fio] which has a signed-off-by.
>> >
>> > References:
>> > [pointed out]
>> > https://bugs.gentoo.org/677586#c1
>> >
>> > [hash.h]
>> > https://git.kernel.org/pub/scm/linux/kernel/git/axboe/fio.git/commit/hash.h?id=bdc7211e190482f0c17c109a0d90834a6611be1c
>> Yes, the Signed-off-by is from Jens Axboe (in CC) but he's not the
>> original author, I guess he just copied the file as Arnaldo did. The
>> file he committed has not any reference to the license.
>>
>> > [fio]
>> > https://metadata.ftp-master.debian.org/changelogs/main/f/fio/fio_3.12-2_copyright
>> I'm afraid that this entry is wrong. I'll seek confirmation with Martin
>> Steigerwald.
>
> Which entry do you refer to? I assume the one about hash.h.
>
> Well the file has in its header:
>
> /* Fast hashing routine for a long.
> (C) 2002 William Lee Irwin III, IBM */
>
> /*
> * Knuth recommends primes in approximately golden ratio to the maximum
> * integer representable by a machine word for multiplicative hashing.
> * Chuck Lever verified the effectiveness of this technique:
> * http://www.citi.umich.edu/techreports/reports/citi-tr-00-1.pdf
> *
> * These primes are chosen to be bit-sparse, that is operations on
> * them can use shifts and additions instead of multiplications for
> * machines where multiplications are slow.
> */
>
> It has been quite a while ago. I bet back then I did not regard this as
> license information since it does not specify a license. Thus I assumed it
> to be GPL-2 as the other files which have no license boiler plate. I.e.:
> Check file is it has different license, if not, then assume it has license
> as specified in COPYING.
>
> Not specifying a license can however also mean in this context that it has
> no license as the file contains copyright information from another author.
>
> Of course I can update copyright file in case my conclusion from a long time
> ago was wrong.
>
> Jens?

Right, if nothing else is noted, it's GPL v2.

--
Jens Axboe

-------------------------------------------------------------

> Thanks to Ulrich Mueller for the relevant research [0].
>
> Similar bug is reported to package dwarves [1], which includes an older
> copy of this same file.
>
> Regards,
> Domenico
>
> [0] https://lkml.org/lkml/2019/2/11/773

I do not see how this proves that hash.c is not GPL-2.

> [1] https://bugs.debian.org/919356

Ciao,
--
Martin



Bug#922112: Add the SPDX header to include/linux/hash.h

Domenico Andreoli
In reply to this post by Domenico Andreoli-3
From: Domenico Andreoli <[hidden email]>

It is unlikely that whoever contributes to this file is unaware of the kernel
licensing, but bringing the license statement into the file itself makes
it properly reusable in different contexts.

CC: Daniel Borkmann <[hidden email]>
CC: Francesco Fusco <[hidden email]>
CC: George Spelvin <[hidden email]>
CC: Hannes Frederic Sowa <[hidden email]>
CC: Ian Campbell <[hidden email]>
CC: Jay Vosburgh <[hidden email]>
CC: Jens Axboe <[hidden email]>
CC: Linus Torvalds <[hidden email]>
CC: Masami Hiramatsu <[hidden email]>
CC: Matthew Wilcox <[hidden email]>
CC: Nadia Yvette Chambers <[hidden email]>
CC: Pavel Emelyanov <[hidden email]>
Signed-off-by: Domenico Andreoli <[hidden email]>

---
 include/linux/hash.h |    2 ++
 1 file changed, 2 insertions(+)

Index: b/include/linux/hash.h
===================================================================
--- a/include/linux/hash.h
+++ b/include/linux/hash.h
@@ -1,3 +1,5 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
 #ifndef _LINUX_HASH_H
 #define _LINUX_HASH_H
 /* Fast hashing routine for ints,  longs and pointers.
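
Review bot: The `GPL-2.0` identifier added on the first line is asserted without a stated basis; the commit message only argues that contributors are unlikely to be unaware of the kernel licensing, which is an inference and not a grant. Suggest the message name the source of the license for a file that carries no notice of its own (for example the kernel's top-level COPYING) and say explicitly that GPL-2.0-only is intended, since the Debian report in this thread records the fio copy as GPL-2+ and the two would otherwise stay inconsistent. Placing the tag as a `/* */` comment ahead of the `#ifndef _LINUX_HASH_H` guard is fine as is.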

Bug#922112: fio: hash.h is not DFSG compliant

Martin Steigerwald
In reply to this post by Domenico Andreoli-3
I am going to bounce two mails from Jens to this bug report, to further
clarify that hash.c is GPL-2.

1) Re: Bug#919356: Licensing of include/linux/hash.h

2) [PATCH] Add the SPDX header to include/linux/hash.h

I may clarify this in copyright file, in case it would be required, but
for now I think that will suffice.

Thanks,
--
Martin

Bug#922112: fio: hash.h is not DFSG compliant

Martin Steigerwald
Martin Steigerwald - 12.02.19, 21:08:
> I am going to bounce two mails from Jens to this bug report, to
> further clarify that hash.c is GPL-2.
>
> 1) Re: Bug#919356: Licensing of include/linux/hash.h
>
> 2) [PATCH] Add the SPDX header to include/linux/hash.h

This second mail is from Domenico Andreoli. Sorry for attributing it to
Jens.
--
Martin

Bug#922112: Fwd: Re: Bug#919356: Licensing of include/linux/hash.h

Martin Steigerwald
In reply to this post by Domenico Andreoli-3
If bouncing does not work, this will do.
--
Martin
On 2/11/19 11:27 PM, Ben Finney wrote:

> Martin Steigerwald <[hidden email]> writes:
>
>> Well the file has in its header:
>>
>> /* Fast hashing routine for a long.
>>    (C) 2002 William Lee Irwin III, IBM */
>>
>> /*
>>  * Knuth recommends primes in approximately golden ratio to the maximum
>>  * integer representable by a machine word for multiplicative hashing.
>>  * Chuck Lever verified the effectiveness of this technique:
>>  * http://www.citi.umich.edu/techreports/reports/citi-tr-00-1.pdf
>>  *
>>  * These primes are chosen to be bit-sparse, that is operations on
>>  * them can use shifts and additions instead of multiplications for
>>  * machines where multiplications are slow.
>>  */
>>
>> It has been quite a while ago. I bet back then I did not regard this
>> as license information since it does not specify a license. Thus I
>> assumed it to be GPL-2 as the other files which have no license boiler
>> plate. I.e.: Check file is it has different license, if not, then
>> assume it has license as specified in COPYING.
>>
>> Not specifying a license can however also mean in this context that it
>> has no license as the file contains copyright information from another
>> author.
>
> If a work (even one file) “has no license”, that means no special
> permissions are granted and normal copyright applies: All rights
> reserved, i.e. not redistributable. So, no license is grounds to
> consider a work non-free and non-redistributable.
>
> If, on the other hand, the file is to be free software, there would need
> to be a clear grant of some free software license to that work.
>
> Given the confusion over this file, I would consider it a significant
> risk to just assume we have GPLv2 permissions without being told that
> explicitly by the copyright holder. Rather, the reason we are seeking a
> clearly-granted free license for this one file, is because we are trying
> to replace a probably non-free file with the same code in it.
>
> It seems we need to keep looking, and in the meantime assume we have no
> free license in this file.

FWIW, fio.c includes the following mention:

 * The license below covers all files distributed with fio unless otherwise
 * noted in the file itself.

followed by the GPL v2 license. I'll go through and add SPDX headers to
everything to avoid wasting anymore time on this nonsense.
 
--
Jens Axboe