CC0 license of dlmalloc in sgx-sdk package review
by Daniel P. Berrangé
Hi Legal
The 'sgx-sdk' package is currently open for review with a view to
adding to Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2085444
One of the last stumbling blocks is that it includes a copy of the
"dlmalloc" code under the CC0 license, which is now a forbidden
code license for packages being newly added to Fedora.
The authors of sgx-sdk have contacted the original author of
dlmalloc, and he apparently suggested that since CC0 is a public
domain license, they can just add a second license header of their
choosing to the source files and Fedora can then ignore the orignial
CC0 license.
This smells fishy to me, as I can't come with rationale for why
adding a second "BSD" license header to the source file and justify
Fedora ignoring the original CC0. The original code would still
explicitly not have a patent grant, and an extra license doesn't
seem to alter that fact.
It was pointed out that this approach has already been taken by
OpenJDK, where they took CC0 code and added a GPL-v2-only header:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/ja...
OpenJDK though would be grandfathered in, since it existed in
Fedora before CC0 was forbidden, so I'm not sure that can be
relied on as a precedent.
I am not a lawyer, so I want an expert opinion on this suggestion
that adding a 2nd license header allows Fedora to ignore the
original CC0 license. If it is true, then it would appear to
make the whole exercise of banning CC0 effectively pointless.
I had also suggested downgrading to an older version of dlmalloc
which had the CC Public Domain license, rather than CC0, but the
sgx-sdk maintainers rejected that as they're concerned it has
security relevant flaws.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
6 months, 1 week
- 3
- 6