Re: Question re correctness of module license check

From: George Barrett
Subject: Re: Question re correctness of module license check
Date: Sat, 04 Feb 2023 05:56:15 +1100

On Fri, Feb 03, 2023 at 13:17:01 -0500, Robbie Harwood wrote:
> We're not aware of anyone trying to use external modules, and as
> discussed previously on the list that's fraught anyhow, but suppose they
> were.  Even if the license on their module were maximally incompatible
> with grub's, all that does is render them non-redistributable.

I was thinking something like this myself, but I accepted the premise of
the doc comment for the purposes of discussion since I'm not confident
in my vague understanding of those matters.

> But even then, suppose there were.  As your post points out, the process
> of deciding what's "compatible" is much more complicated than strcmp.
> We would need a list of acceptable licenses, which we keep updated
> somehow - and if we're being intellectually honest, the capability to
> parse and understand full SPDX expressions (or similar).  I doubt any of
> us seriously want that in the bootloader.

I'd be fine with having the check dropped, but I was actually thinking
of a more conservative approach: instead of checking for a specific
license, check for a declaration of license compatibility.  Something
like a flag (signalled with, say, GRUB_MOD_LICENSE_GPLv3_COMPATIBLE)
that was checked for instead.  This would shift the policy mechanism
mostly out of the code to the humans instead.

(Of course, there'd be a lot of code churn updating all the module
sources to use the new macro instead of the current GRUB_MOD_LICENSE.
It might be simpler to check for a license string like "GPLv3
compatible"; it seems like this is how the "GPLv3" string is used in
practice anyway.[1][2])

But, as you say, the benefit of the check seems specious at best.

> So to return to the start, if it's not generally going to do much as-is,
> then why do I care?

What motivated the question for me was looking into using something like
mbedtls for X.509 support.  In checking whether the module loader
recognised the Apache license, I saw not only that it didn't but that
the comment seemed to explicitly forbid the use of differently-licensed
modules due to some unspecified policy.

I figure it'd be nice if I were the last to embark on that particular
wild goose chase :)

> Unfortunately, the module license check is pretty much the first
> thing that handles a module.  If either the module or its containing
> signed image is malformed, truncated, etc., then we can get errors in
> the license check.  They're not helpful and an end-user certainly
> can't act on them properly.

> Be well,
> --Robbie
