On 11/3/2023 9:06 AM, Laszlo Ersek wrote:
On 11/2/23 21:03, Michael Kubacki wrote:
From: Michael Kubacki <michael.kuba...@microsoft.com>

The code in this directory is licensed under Apache License, Version
2.0. Therefore, the directory is listed under paths with licenses
other than BSD-2-Clause Plus Patent. The directory link points to the
complete Apache License, Version 2.0 on apache.org.

Cc: Andrew Fish <af...@apple.com>
Cc: Laszlo Ersek <ler...@redhat.com>
Cc: Leif Lindholm <quic_llind...@quicinc.com>
Cc: Michael D Kinney <michael.d.kin...@intel.com>
Signed-off-by: Michael Kubacki <michael.kuba...@microsoft.com>
---
  ReadMe.rst | 1 +
  1 file changed, 1 insertion(+)

diff --git a/ReadMe.rst b/ReadMe.rst
index 06fb122ef382..808ccd37af50 100644
--- a/ReadMe.rst
+++ b/ReadMe.rst
@@ -73,6 +73,7 @@ The majority of the content in the EDK II open source project 
uses a
  source project contains the following components that are covered by 
additional
  licenses:
+- `BaseTools/Plugin/CodeQL/analyze <https://www.apache.org/licenses/LICENSE-2.0>`__
  -  `BaseTools/Source/C/LzmaCompress 
<BaseTools/Source/C/LzmaCompress/LZMA-SDK-README.txt>`__
  -  `BaseTools/Source/C/VfrCompile/Pccts 
<BaseTools/Source/C/VfrCompile/Pccts/RIGHTS>`__
  -  `CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c 
<CryptoPkg\Library\BaseCryptLib\SysCall\inet_pton.c>`__
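Review bot: the added bullet `+- \`BaseTools/Plugin/CodeQL/analyze <https://www.apache.org/licenses/LICENSE-2.0>\`__` puts a single space after the `-`, while the three existing entries below it use `-  ` (two spaces); matching the surrounding indentation keeps the list uniform in the rendered ReadMe. Note also that the existing entries each link to a license text inside the tree (LZMA-SDK-README.txt, RIGHTS, inet_pton.c), whereas this one links out to apache.org; if a LICENSE or COPYING file ends up in BaseTools/Plugin/CodeQL/analyze, pointing the entry at that file would keep the list self-contained like its neighbours.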

I've carefully read through the cover letter now (impressive work!). I
have some questions, with reference to Leif's comment at
<https://edk2.groups.io/g/devel/message/110475> as well:

- Is the BaseTools/Plugin/CodeQL/analyze subdirectory not supposed to
contain a standalone "COPYING" or similar file?

If not, then the current patch seems fine:

Reviewed-by: Laszlo Ersek <ler...@redhat.com>

I wasn't aware of anything further needed for the Apache License 2.0. I'm familiar with COPYING in the context of GNU licensing (https://www.gnu.org/licenses/gpl-howto.html). I don't see it applying directly to the Apache licensing process as I understand it.

- I'd like to understand where the BaseTools/Plugin/CodeQL/analyze/
contents (three files) originate from. If it was authored by Microsoft,
then I don't understand (per v4 series changelog in the cover letter)
why the Microsoft copyright notice had to be removed. And if it is not
original work by Microsoft, but work derived by Microsoft from other
original work, then it should contain both the original copyright
notices, and Microsoft's.

Because these are only a couple files, I tried to follow the guidance in "To apply the Apache License to specific files in your work..." in "How To Apply the Apache License to Your Work" in https://www.apache.org/licenses/LICENSE-2.0.

For those files I:

1. Made the upper text clearly state Apache License Version 2.0 with a link to apache.org/licenses.

2. Included the boilerplate text as given in the above link for "licensing specific files in your work".

3. Preserved any existing copyrights.

   - globber.py had a pre-existing copyright preserved
   - analyze_filter.py did not have one in the source Python file or
     its LICENSE file

4. Appended text stating the source of the files and a brief summary of the changes in this copy relative to the original.

The file-top comments in those three files reference

   https://github.com/advanced-security/filter-sarif

as the origin. Do the original files in that repository contain
copyright notices? (Or does their containing project come with a COPYING
or similar file?) I'm not looking for a license specification (SPDX or
natural language), but specifically for copyright notices on the
original work.

All copyright notices from original files are preserved.

https://github.com/advanced-security itself actually includes a local copy of globber.py https://github.com/advanced-security/filter-sarif/blob/main/globber.py.

I dropped the Microsoft copyright in those specific files because my contributions to those files were not significant. If there are other factors to consider, please let me know and I will reconsider.

Does the <https://github.com/advanced-security> organization perhaps use
an over-arching copyright notice somewhere?

I couldn't find anything.

If none of those apply, then I agree that the content added in patch#2
("BaseTools/Plugin/CodeQL: Add CodeQL build plugin") appears fine. Very
unusual to me, but IANAL...

Thanks,
Laszlo
View/Reply Online (#110627): https://edk2.groups.io/g/devel/message/110627