Re: What license should be used for package that contains "Redistributable, no modification permitted" binaries?
On 02. 12. 22 8:23, Sun, Yunying wrote:
Hi,
I'm packaging linux-sgx SDK for Fedora, with review request ticket:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444
linux-sgx has some Intel signed binaries included such as libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt:
https://github.com/intel/linux-sgx/blob/master/License.txt https://github.com/intel/linux-sgx/blob/master/License.txt
According to https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware, it has:
/The License tag for any firmware that disallows modification must be set to: "Redistributable, no modification permitted"/
So I added "Redistributable, no modification permitted" to the “License:” in spec file:
https://yunyings.fedorapeople.org/sgxsdk.spec https://yunyings.fedorapeople.org/sgxsdk.spec
In recent review comment, Miro suggested that this "Redistributable, no modification permitted" is not appropriate for license name.
But going through all licenses on https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ https://docs.fedoraproject.org/en-US/legal/allowed-licenses/, I can’t find the right license for these Intel signed binaries.
Could you point me to the right license, or if none exists for this case, guide me how to proceed? Thank you.
I think that each such license now needs to be reviewed separately. See https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_fi...
Legal folks, note that this is not a firmware per se, but FESCo approved to treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153
""" FESCo permits the use of pre-signed Intel SGX components under the firmware clause of the Licensing Guidelines, provided that Fedora Legal concurs. """
On Fri, Dec 2, 2022 at 5:45 AM Miro Hrončok mhroncok@redhat.com wrote:
On 02. 12. 22 8:23, Sun, Yunying wrote:
Hi,
I'm packaging linux-sgx SDK for Fedora, with review request ticket:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444
linux-sgx has some Intel signed binaries included such as libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt:
https://github.com/intel/linux-sgx/blob/master/License.txt https://github.com/intel/linux-sgx/blob/master/License.txt
According to https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware, it has:
/The License tag for any firmware that disallows modification must be set to: "Redistributable, no modification permitted"/
So I added "Redistributable, no modification permitted" to the “License:” in spec file:
https://yunyings.fedorapeople.org/sgxsdk.spec https://yunyings.fedorapeople.org/sgxsdk.spec
In recent review comment, Miro suggested that this "Redistributable, no modification permitted" is not appropriate for license name.
But going through all licenses on https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ https://docs.fedoraproject.org/en-US/legal/allowed-licenses/, I can’t find the right license for these Intel signed binaries.
Could you point me to the right license, or if none exists for this case, guide me how to proceed? Thank you.
I think that each such license now needs to be reviewed separately. See https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_fi...
Yes, but this is not actually new. In theory all firmware licenses needed to be reviewed under the Callaway system for conformance to Fedora licensing standards (for firmware), i.e. at least since ~2010 or so there was not a policy that "all firmware licenses are inherently okay" and I seem to remember at least one case where a firmware package was excluded from Fedora for licensing reasons. What's new now is that the License: field for the RPM can't simply say "Redistributable, no modification permitted" if only because that is not an SPDX-conformant expression. This is I think the first firmware license issue we've dealt with since the initiation of the New Era.
Legal folks, note that this is not a firmware per se, but FESCo approved to treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153
""" FESCo permits the use of pre-signed Intel SGX components under the firmware clause of the Licensing Guidelines, provided that Fedora Legal concurs. """
I think there may some confusion about the license in the Pagure ticket. The prebuilt Intel binaries are not under the BSD license, but under the following derivative of the 3-clause BSD license:
<quote> Copyright (c) Intel Corporation.
Redistribution. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are met:
* Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Intel Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission. * No reverse engineering, decompilation, or disassembly of this software is permitted.
Limited patent license. Intel Corporation grants a world-wide, royalty-free, non-exclusive license under patents it now or hereafter owns or controls to make, have made, use, import, offer to sell and sell ("Utilize") this software, but solely to the extent that any such patent is necessary to Utilize the software alone, or in combination with an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses. The patent license shall not apply to any other combinations which include this software. No hardware per se is licensed hereunder.
DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </quote>
What's novel here, as far as I know, is the "limited patent license". Though it would be useful to know if Fedora currently ships any firmware under an Intel (or other) license with a similar clause, something I don't know offhand -- one of the benefits of carefully recording approval of individual firmware licenses is that in the future this will be easier to look up). While the limited patent license may be okay, it doesn't fall within the current definition of acceptable firmware license conditions so we'd have to revise the corresponding documentation and it requires some deliberation. Anyway, the Intel folks should submit an issue to https://gitlab.com/fedora/legal/fedora-license-data to have this license reviewed.
Richard
I've created a new FESCo ticket because of the concern that FESCo may have been assuming the Intel license was a FOSS license: https://pagure.io/fesco/issue/2910 (I didn't see a way to reopen the old ticket).
Richard
On Fri, Dec 2, 2022 at 10:08 AM Richard Fontana rfontana@redhat.com wrote:
On Fri, Dec 2, 2022 at 5:45 AM Miro Hrončok mhroncok@redhat.com wrote:
On 02. 12. 22 8:23, Sun, Yunying wrote:
Hi,
I'm packaging linux-sgx SDK for Fedora, with review request ticket:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444
linux-sgx has some Intel signed binaries included such as libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt:
https://github.com/intel/linux-sgx/blob/master/License.txt https://github.com/intel/linux-sgx/blob/master/License.txt
According to https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware, it has:
/The License tag for any firmware that disallows modification must be set to: "Redistributable, no modification permitted"/
So I added "Redistributable, no modification permitted" to the “License:” in spec file:
https://yunyings.fedorapeople.org/sgxsdk.spec https://yunyings.fedorapeople.org/sgxsdk.spec
In recent review comment, Miro suggested that this "Redistributable, no modification permitted" is not appropriate for license name.
But going through all licenses on https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ https://docs.fedoraproject.org/en-US/legal/allowed-licenses/, I can’t find the right license for these Intel signed binaries.
Could you point me to the right license, or if none exists for this case, guide me how to proceed? Thank you.
I think that each such license now needs to be reviewed separately. See https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_fi...
Yes, but this is not actually new. In theory all firmware licenses needed to be reviewed under the Callaway system for conformance to Fedora licensing standards (for firmware), i.e. at least since ~2010 or so there was not a policy that "all firmware licenses are inherently okay" and I seem to remember at least one case where a firmware package was excluded from Fedora for licensing reasons. What's new now is that the License: field for the RPM can't simply say "Redistributable, no modification permitted" if only because that is not an SPDX-conformant expression. This is I think the first firmware license issue we've dealt with since the initiation of the New Era.
Legal folks, note that this is not a firmware per se, but FESCo approved to treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153
""" FESCo permits the use of pre-signed Intel SGX components under the firmware clause of the Licensing Guidelines, provided that Fedora Legal concurs. """
I think there may some confusion about the license in the Pagure ticket. The prebuilt Intel binaries are not under the BSD license, but under the following derivative of the 3-clause BSD license:
<quote> Copyright (c) Intel Corporation.
Redistribution. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are met:
- Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Intel Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.
- No reverse engineering, decompilation, or disassembly of this software is permitted.
Limited patent license. Intel Corporation grants a world-wide, royalty-free, non-exclusive license under patents it now or hereafter owns or controls to make, have made, use, import, offer to sell and sell ("Utilize") this software, but solely to the extent that any such patent is necessary to Utilize the software alone, or in combination with an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses. The patent license shall not apply to any other combinations which include this software. No hardware per se is licensed hereunder.
DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</quote>
What's novel here, as far as I know, is the "limited patent license". Though it would be useful to know if Fedora currently ships any firmware under an Intel (or other) license with a similar clause, something I don't know offhand -- one of the benefits of carefully recording approval of individual firmware licenses is that in the future this will be easier to look up). While the limited patent license may be okay, it doesn't fall within the current definition of acceptable firmware license conditions so we'd have to revise the corresponding documentation and it requires some deliberation. Anyway, the Intel folks should submit an issue to https://gitlab.com/fedora/legal/fedora-license-data to have this license reviewed.
Richard
@Yunying and @Xiangquan, one of the issues here is that Fedora is not (in any meaningful sense) "an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses". Could you possibly relay that to your legal contact at Intel, as I can't imagine why Intel would insist on including that limitation? Or if you prefer, put them in touch with me?
Richard
On Fri, Dec 2, 2022 at 10:33 AM Richard Fontana rfontana@redhat.com wrote:
I've created a new FESCo ticket because of the concern that FESCo may have been assuming the Intel license was a FOSS license: https://pagure.io/fesco/issue/2910 (I didn't see a way to reopen the old ticket).
Richard
On Fri, Dec 2, 2022 at 10:08 AM Richard Fontana rfontana@redhat.com wrote:
On Fri, Dec 2, 2022 at 5:45 AM Miro Hrončok mhroncok@redhat.com wrote:
On 02. 12. 22 8:23, Sun, Yunying wrote:
Hi,
I'm packaging linux-sgx SDK for Fedora, with review request ticket:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444
linux-sgx has some Intel signed binaries included such as libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt:
https://github.com/intel/linux-sgx/blob/master/License.txt https://github.com/intel/linux-sgx/blob/master/License.txt
According to https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware, it has:
/The License tag for any firmware that disallows modification must be set to: "Redistributable, no modification permitted"/
So I added "Redistributable, no modification permitted" to the “License:” in spec file:
https://yunyings.fedorapeople.org/sgxsdk.spec https://yunyings.fedorapeople.org/sgxsdk.spec
In recent review comment, Miro suggested that this "Redistributable, no modification permitted" is not appropriate for license name.
But going through all licenses on https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ https://docs.fedoraproject.org/en-US/legal/allowed-licenses/, I can’t find the right license for these Intel signed binaries.
Could you point me to the right license, or if none exists for this case, guide me how to proceed? Thank you.
I think that each such license now needs to be reviewed separately. See https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_fi...
Yes, but this is not actually new. In theory all firmware licenses needed to be reviewed under the Callaway system for conformance to Fedora licensing standards (for firmware), i.e. at least since ~2010 or so there was not a policy that "all firmware licenses are inherently okay" and I seem to remember at least one case where a firmware package was excluded from Fedora for licensing reasons. What's new now is that the License: field for the RPM can't simply say "Redistributable, no modification permitted" if only because that is not an SPDX-conformant expression. This is I think the first firmware license issue we've dealt with since the initiation of the New Era.
Legal folks, note that this is not a firmware per se, but FESCo approved to treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153
""" FESCo permits the use of pre-signed Intel SGX components under the firmware clause of the Licensing Guidelines, provided that Fedora Legal concurs. """
I think there may some confusion about the license in the Pagure ticket. The prebuilt Intel binaries are not under the BSD license, but under the following derivative of the 3-clause BSD license:
<quote> Copyright (c) Intel Corporation.
Redistribution. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are met:
- Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Intel Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.
- No reverse engineering, decompilation, or disassembly of this software is permitted.
Limited patent license. Intel Corporation grants a world-wide, royalty-free, non-exclusive license under patents it now or hereafter owns or controls to make, have made, use, import, offer to sell and sell ("Utilize") this software, but solely to the extent that any such patent is necessary to Utilize the software alone, or in combination with an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses. The patent license shall not apply to any other combinations which include this software. No hardware per se is licensed hereunder.
DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</quote>
What's novel here, as far as I know, is the "limited patent license". Though it would be useful to know if Fedora currently ships any firmware under an Intel (or other) license with a similar clause, something I don't know offhand -- one of the benefits of carefully recording approval of individual firmware licenses is that in the future this will be easier to look up). While the limited patent license may be okay, it doesn't fall within the current definition of acceptable firmware license conditions so we'd have to revise the corresponding documentation and it requires some deliberation. Anyway, the Intel folks should submit an issue to https://gitlab.com/fedora/legal/fedora-license-data to have this license reviewed.
Richard
Some further information:
It seems in 2009 the same Intel license was rejected by Fedora as "bad" in the strongest terms: https://fedoraproject.org/wiki/Licensing/Intel_IPW3945_Daemon_License And this IPW3945 license is listed in the old wiki license list as "NOT OKAY for Fedora. Nothing in Fedora is permitted to use these licenses." Oddly though this wasn't migrated to fedora-license-data. I see a number of the old "bad" licenses weren't imported into fedora-license-data.
That 2009 date probably precedes (though it couldn't have been by much) the formulation of the explicit license criteria for allowed firmware licenses (which I don't think this Intel license would satisfy because of its novel feature).
Meanwhile, as I had a feeling we'd discover, this same license shows up in present-day Fedora in linux-firmware. And we see it at least covering the firmware package iwl3945-firmware. https://src.fedoraproject.org/rpms/iwl3945-firmware
I am curious why Intel would have decided to use this particular license for the prebuilt binaries in the SGX package, given that I seem to have seen a number of different BSD-derivative licenses that Intel has used in comparable situations. Just wondering if it was essentially an arbitrary choice.
Richard
On Fri, Dec 2, 2022 at 10:44 AM Richard Fontana rfontana@redhat.com wrote:
@Yunying and @Xiangquan, one of the issues here is that Fedora is not (in any meaningful sense) "an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses". Could you possibly relay that to your legal contact at Intel, as I can't imagine why Intel would insist on including that limitation? Or if you prefer, put them in touch with me?
Richard
On Fri, Dec 2, 2022 at 10:33 AM Richard Fontana rfontana@redhat.com wrote:
I've created a new FESCo ticket because of the concern that FESCo may have been assuming the Intel license was a FOSS license: https://pagure.io/fesco/issue/2910 (I didn't see a way to reopen the old ticket).
Richard
On Fri, Dec 2, 2022 at 10:08 AM Richard Fontana rfontana@redhat.com wrote:
On Fri, Dec 2, 2022 at 5:45 AM Miro Hrončok mhroncok@redhat.com wrote:
On 02. 12. 22 8:23, Sun, Yunying wrote:
Hi,
I'm packaging linux-sgx SDK for Fedora, with review request ticket:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444
linux-sgx has some Intel signed binaries included such as libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt:
https://github.com/intel/linux-sgx/blob/master/License.txt https://github.com/intel/linux-sgx/blob/master/License.txt
According to https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware, it has:
/The License tag for any firmware that disallows modification must be set to: "Redistributable, no modification permitted"/
So I added "Redistributable, no modification permitted" to the “License:” in spec file:
https://yunyings.fedorapeople.org/sgxsdk.spec https://yunyings.fedorapeople.org/sgxsdk.spec
In recent review comment, Miro suggested that this "Redistributable, no modification permitted" is not appropriate for license name.
But going through all licenses on https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ https://docs.fedoraproject.org/en-US/legal/allowed-licenses/, I can’t find the right license for these Intel signed binaries.
Could you point me to the right license, or if none exists for this case, guide me how to proceed? Thank you.
I think that each such license now needs to be reviewed separately. See https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_fi...
Yes, but this is not actually new. In theory all firmware licenses needed to be reviewed under the Callaway system for conformance to Fedora licensing standards (for firmware), i.e. at least since ~2010 or so there was not a policy that "all firmware licenses are inherently okay" and I seem to remember at least one case where a firmware package was excluded from Fedora for licensing reasons. What's new now is that the License: field for the RPM can't simply say "Redistributable, no modification permitted" if only because that is not an SPDX-conformant expression. This is I think the first firmware license issue we've dealt with since the initiation of the New Era.
Legal folks, note that this is not a firmware per se, but FESCo approved to treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153
""" FESCo permits the use of pre-signed Intel SGX components under the firmware clause of the Licensing Guidelines, provided that Fedora Legal concurs. """
I think there may some confusion about the license in the Pagure ticket. The prebuilt Intel binaries are not under the BSD license, but under the following derivative of the 3-clause BSD license:
<quote> Copyright (c) Intel Corporation.
Redistribution. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are met:
- Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Intel Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.
- No reverse engineering, decompilation, or disassembly of this software is permitted.
Limited patent license. Intel Corporation grants a world-wide, royalty-free, non-exclusive license under patents it now or hereafter owns or controls to make, have made, use, import, offer to sell and sell ("Utilize") this software, but solely to the extent that any such patent is necessary to Utilize the software alone, or in combination with an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses. The patent license shall not apply to any other combinations which include this software. No hardware per se is licensed hereunder.
DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</quote>
What's novel here, as far as I know, is the "limited patent license". Though it would be useful to know if Fedora currently ships any firmware under an Intel (or other) license with a similar clause, something I don't know offhand -- one of the benefits of carefully recording approval of individual firmware licenses is that in the future this will be easier to look up). While the limited patent license may be okay, it doesn't fall within the current definition of acceptable firmware license conditions so we'd have to revise the corresponding documentation and it requires some deliberation. Anyway, the Intel folks should submit an issue to https://gitlab.com/fedora/legal/fedora-license-data to have this license reviewed.
Richard
--
Hi Richard,
Thank you for looking into this.
We have discussed this internally with Intel legal folks, and as you pointed out earlier, those Intel signed binaries are actually built from "3-clause BSD" source code: https://github.com/intel/linux-sgx/tree/master/psw/ae https://github.com/intel/linux-sgx/tree/master/psw/ae/data/prebuilt
Given this, probably in spec file License field we should use "BSD,NetCDF" instead of "Redistributable, no modification permitted" for the Intel signed binaries?
BTW, it seems the license content for Intel signed binaries is stale. Intel SGX team is working on updating it.
-Yunying
On Fri, Dec 02, 2022 at 10:08:44AM -0500, Richard Fontana wrote:
On Fri, Dec 2, 2022 at 5:45 AM Miro Hrončok mhroncok@redhat.com wrote:
On 02. 12. 22 8:23, Sun, Yunying wrote:
Hi,
I'm packaging linux-sgx SDK for Fedora, with review request ticket:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444
linux-sgx has some Intel signed binaries included such as libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt:
https://github.com/intel/linux-sgx/blob/master/License.txt https://github.com/intel/linux-sgx/blob/master/License.txt
According to https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware, it has:
/The License tag for any firmware that disallows modification must be set to: "Redistributable, no modification permitted"/
So I added "Redistributable, no modification permitted" to the “License:” in spec file:
https://yunyings.fedorapeople.org/sgxsdk.spec https://yunyings.fedorapeople.org/sgxsdk.spec
In recent review comment, Miro suggested that this "Redistributable, no modification permitted" is not appropriate for license name.
But going through all licenses on https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ https://docs.fedoraproject.org/en-US/legal/allowed-licenses/, I can’t find the right license for these Intel signed binaries.
Could you point me to the right license, or if none exists for this case, guide me how to proceed? Thank you.
I think that each such license now needs to be reviewed separately. See https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_fi...
Yes, but this is not actually new. In theory all firmware licenses needed to be reviewed under the Callaway system for conformance to Fedora licensing standards (for firmware), i.e. at least since ~2010 or so there was not a policy that "all firmware licenses are inherently okay" and I seem to remember at least one case where a firmware package was excluded from Fedora for licensing reasons. What's new now is that the License: field for the RPM can't simply say "Redistributable, no modification permitted" if only because that is not an SPDX-conformant expression. This is I think the first firmware license issue we've dealt with since the initiation of the New Era.
For the syntax issue... we have only briefly discussed this from what I recall. We will need to arrive at a decision on how to capture these licenses as SPDC-compatible IDs but that Fedora carries downstream in fedora-license-data.
Legal folks, note that this is not a firmware per se, but FESCo approved to treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153
""" FESCo permits the use of pre-signed Intel SGX components under the firmware clause of the Licensing Guidelines, provided that Fedora Legal concurs. """
I think there may some confusion about the license in the Pagure ticket. The prebuilt Intel binaries are not under the BSD license, but under the following derivative of the 3-clause BSD license:
<quote> Copyright (c) Intel Corporation.
Redistribution. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are met:
- Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Intel Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission.
- No reverse engineering, decompilation, or disassembly of this software is permitted.
Limited patent license. Intel Corporation grants a world-wide, royalty-free, non-exclusive license under patents it now or hereafter owns or controls to make, have made, use, import, offer to sell and sell ("Utilize") this software, but solely to the extent that any such patent is necessary to Utilize the software alone, or in combination with an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses. The patent license shall not apply to any other combinations which include this software. No hardware per se is licensed hereunder.
DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
</quote>
What's novel here, as far as I know, is the "limited patent license". Though it would be useful to know if Fedora currently ships any firmware under an Intel (or other) license with a similar clause, something I don't know offhand -- one of the benefits of carefully recording approval of individual firmware licenses is that in the future this will be easier to look up). While the limited patent license may be okay, it doesn't fall within the current definition of acceptable firmware license conditions so we'd have to revise the corresponding documentation and it requires some deliberation. Anyway, the Intel folks should submit an issue to https://gitlab.com/fedora/legal/fedora-license-data to have this license reviewed.
Richard _______________________________________________ legal mailing list -- legal@lists.fedoraproject.org To unsubscribe send an email to legal-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-
David Cantrell -
Miro Hrončok -
Richard Fontana -
yunying.sun@intel.com