On 11/2/23 21:03, Michael Kubacki wrote:
> From: Michael Kubacki <michael.kuba...@microsoft.com>
> 
> The code in this directory is licensed under Apache License, Version
> 2.0. Therefore, the directory is listed under paths with licenses
> other than BSD-2-Clause Plus Patent. The directory link points to the
> complete Apache License, Version 2.0 on apache.org.
> 
> Cc: Andrew Fish <af...@apple.com>
> Cc: Laszlo Ersek <ler...@redhat.com>
> Cc: Leif Lindholm <quic_llind...@quicinc.com>
> Cc: Michael D Kinney <michael.d.kin...@intel.com>
> Signed-off-by: Michael Kubacki <michael.kuba...@microsoft.com>
> ---
>  ReadMe.rst | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/ReadMe.rst b/ReadMe.rst
> index 06fb122ef382..808ccd37af50 100644
> --- a/ReadMe.rst
> +++ b/ReadMe.rst
> @@ -73,6 +73,7 @@ The majority of the content in the EDK II open source 
> project uses a
>  source project contains the following components that are covered by 
> additional
>  licenses:
>  
> +-  `BaseTools/Plugin/CodeQL/analyze 
> <https://www.apache.org/licenses/LICENSE-2.0>`__
>  -  `BaseTools/Source/C/LzmaCompress 
> <BaseTools/Source/C/LzmaCompress/LZMA-SDK-README.txt>`__
>  -  `BaseTools/Source/C/VfrCompile/Pccts 
> <BaseTools/Source/C/VfrCompile/Pccts/RIGHTS>`__
>  -  `CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c 
> <CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c>`__
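
Review bot: the added `BaseTools/Plugin/CodeQL/analyze` entry links to an external URL (https://www.apache.org/licenses/LICENSE-2.0), while the three context entries below it each link to a file inside the tree (`LZMA-SDK-README.txt`, `Pccts/RIGHTS`, `inet_pton.c`). Consider placing a copy of the Apache License 2.0 text in that directory and pointing the link at it, so the license terms ship with the source and the entry follows the same pattern as its neighbours.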

I've carefully read through the cover letter now (impressive work!). I
have some questions, with reference to Leif's comment at
<https://edk2.groups.io/g/devel/message/110475> as well:

- Is the BaseTools/Plugin/CodeQL/analyze subdirectory not supposed to
contain a standalone "COPYING" or similar file?

If not, then the current patch seems fine:

Reviewed-by: Laszlo Ersek <ler...@redhat.com>

- I'd like to understand where the BaseTools/Plugin/CodeQL/analyze/
contents (three files) originate from. If it was authored by Microsoft,
then I don't understand (per v4 series changelog in the cover letter)
why the Microsoft copyright notice had to be removed. And if it is not
original work by Microsoft, but work derived by Microsoft from other
original work, then it should contain both the original copyright
notices, and Microsoft's.

The file-top comments in those three files reference

  https://github.com/advanced-security/filter-sarif

as the origin. Do the original files in that repository contain
copyright notices? (Or does their containing project come with a COPYING
or similar file?) I'm not looking for a license specification (SPDX or
natural language), but specifically for copyright notices on the
original work.

Does the <https://github.com/advanced-security> organization perhaps use
an over-arching copyright notice somewhere?

If none of those apply, then I agree that the content added in patch#2
("BaseTools/Plugin/CodeQL: Add CodeQL build plugin") appears fine. Very
unusual to me, but IANAL...

Thanks,
Laszlo


