savannah-hackers-public

Re: [Savannah-hackers-public] Project evaluation for librebootreborn


From: Asher Gordon
Subject: Re: [Savannah-hackers-public] Project evaluation for librebootreborn
Date: Tue, 15 Jun 2021 20:08:24 +0000

Hello Ineiev,

Sorry for the delay.

Ineiev <ineiev@gnu.org> writes:

> On Tue, Jun 08, 2021 at 07:38:27AM +0000, Asher Gordon wrote:
>>
>> It seems to me that it would be better to post my evaluation directly on
>> the tracker, but HowToBecomeASavannahHacker¹ says I should send it here
>> instead. Perhaps there is a reason for that.
>
> You may be right; perhaps there is no crucial difference.

Should I do my next evaluation here or on the tracker?

>> The source tarball linked in the project submission seems to include a
>> lot of third party sources which are automatically downloaded. It is my
>> understanding that these won't be included in the source code
>> repository, and shouldn't be evaluated under Savannah's requirements.
>
> My understanding is different. since the package distributes these
> files in its tarball, the maintainers are responsible for them.
> for instance, it isn't OK for the tarball to include proprietary
> software (and if files have no valid license notices, they are
> technically proprietary).
>
> The "Information for Maintainers of GNU Software" does introduce
> the concept of an "external library" [0], but there is no such
> distinction e.g. for the purpose of copyright and license notices [1][2].
>
> [0] https://www.gnu.org/prep/maintain/html_node/External-Libraries.html
> [1] https://www.gnu.org/prep/maintain/html_node/Copyright-Notices.html
> [2] https://www.gnu.org/prep/maintain/html_node/License-Notices.html

In that case, there are a lot more files that need license notices. For
example, seabios/scripts/test-build.sh or
grub/util/grub-module-verifierXX.c. There are also some with
non-standard license notices for the GPL. For example,
memtest86plus/spd.c contains the comment
/*
 * MemTest86+ V5 Specific code (GPL V2.0)
 * By Samuel DEMEULEMEESTER, sdemeule@memtest.org
 * http://www.canardpc.com - http://www.memtest.org
 */
No specification whether it is GPLv2.0 only or GPLv2.0 or later.

Another file with the same issue is seabios/scripts/layoutrom.py:
#!/usr/bin/env python
# Script to analyze code and arrange ld sections.
#
# Copyright (C) 2008-2014  Kevin O'Connor <kevin@koconnor.net>
#
# This file may be distributed under the terms of the GNU GPLv3 license.
There are several other such files as well.

It seems unreasonable to expect Leah to find the copyright holders for
each of these files and ask them to add valid license notices.

>> As for the license notices, there are several files that don't contain
>> them. However, most of these seem to be automatically generated (such as
>> lbmk/resources/seabios/config/libgfxinit)
>
> Ideally, generated files should also include the notices (or at least
> a comment referring to their source files).

The file I mentioned contains neither of these, and I'm not sure how
it's generated.

>> or trivial (such as
>> lbmk/projectname). Most of the *.md files in lbwww have no license
>> notices, but probably should. (Not sure if the lbwww repository is going
>> to be hosted on Savannah though.) None of the .gitignore files have
>> license notices. bucts/.gitignore is trivial, but it's probably best to
>> add a license notice to the others. (Again, not sure what repositories
>> are going to end up being hosted on Savannah.) Finally, bucts/Makefile
>> should probably have a license notice.
>
> If these repositories will contain anything absent in the tarball,
> they should be evaluated additionally, but generally, we just scan
> the contents of the distribution tarball.

The bucts repository is included in the tarball (including the
problematic bucts/Makefile), but it looks like some of the other
repositories are not included or are not fully included. For example, I
cannot find lbmk/resources/seabios/config/libgfxinit in the tarball
("find -name libgfxinit" returns no results).

>> Aside from the license notice issues, everything else looks good.
>
> Thank you, this is a good start.

Happy to help, and sorry again for the delay.

Asher

-- 
I hate quotations.
                -- Ralph Waldo Emerson

GPG fingerprint: 38F3 975C D173 4037 B397  8095 D4C9 C4FC 5460 8E68

Attachment: signature.asc
Description: PGP signature
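
The two problems raised in the message above (files with no notice at all, such as bucts/Makefile, and GPL notices that name a version without saying "only" or "or later", such as memtest86plus/spd.c and seabios/scripts/layoutrom.py) can be triaged mechanically over an unpacked tarball. The Python below is an added example, not part of the original message and not Savannah's own tooling; the function names, the 40-line window and the regular expressions are assumptions of this example.

```python
import os
import re

HEAD_LINES = 40  # assumption: notices sit near the top of a file
GPL = re.compile(r"GPL|General Public License", re.I)
# Heuristic: wording that pins down "only" vs. "or later" (may over-match).
QUALIFIER = re.compile(
    r"any later version|or[- ]later|\bonly\b|GPL\s*v?\d(?:\.\d)?\+", re.I)
ANY_LICENSE = re.compile(r"licen[sc]e|SPDX-License-Identifier", re.I)


def classify_header(text):
    """Return 'missing', 'ambiguous-gpl', 'gpl-ok' or 'other-license'."""
    head = "\n".join(text.splitlines()[:HEAD_LINES])
    if GPL.search(head):
        return "gpl-ok" if QUALIFIER.search(head) else "ambiguous-gpl"
    return "other-license" if ANY_LICENSE.search(head) else "missing"


def scan_tree(root):
    """Map each file's path (relative to root) to its classification."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = "".join(fh.readline() for _ in range(HEAD_LINES))
            report[os.path.relpath(path, root)] = classify_header(head)
    return report


# Headers quoted in the message above.
SPD_C = """/*
 * MemTest86+ V5 Specific code (GPL V2.0)
 * By Samuel DEMEULEMEESTER, sdemeule@memtest.org
 * http://www.canardpc.com - http://www.memtest.org
 */"""
LAYOUTROM_PY = """#!/usr/bin/env python
# Script to analyze code and arrange ld sections.
#
# Copyright (C) 2008-2014  Kevin O'Connor <kevin@koconnor.net>
#
# This file may be distributed under the terms of the GNU GPLv3 license.
"""

if __name__ == "__main__":
    for label, text in (("memtest86plus/spd.c", SPD_C),
                        ("seabios/scripts/layoutrom.py", LAYOUTROM_PY)):
        print(label, "->", classify_header(text))
```

Calling scan_tree() on the directory where the distribution tarball was unpacked gives the same classification for every file in it; the result is a list of candidates for manual review, not a verdict.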

