On Fri, Dec 2, 2022 at 5:45 AM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote: > > On 02. 12. 22 8:23, Sun, Yunying wrote: > > Hi, > > > > I'm packaging linux-sgx SDK for Fedora, with review request ticket: > > > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444 > > <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444> > > > > linux-sgx has some Intel signed binaries included such as > > libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt: > > > > https://github.com/intel/linux-sgx/blob/master/License.txt > > <https://github.com/intel/linux-sgx/blob/master/License.txt> > > > > According to > > https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware > > <https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware>, it has: > > > > /The License tag for any firmware that disallows modification must be set to: > > "Redistributable, no modification permitted"/ > > > > So I added "Redistributable, no modification permitted" to the “License:” in > > spec file: > > > > https://yunyings.fedorapeople.org/sgxsdk.spec > > <https://yunyings.fedorapeople.org/sgxsdk.spec> > > > > In recent review comment, Miro suggested that this "Redistributable, no > > modification permitted" is not appropriate for license name. > > > > But going through all licenses on > > https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ > > <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>, I can’t find > > the right license for these Intel signed binaries. > > > > Could you point me to the right license, or if none exists for this case, guide > > me how to proceed? Thank you. > > I think that each such license now needs to be reviewed separately. See > https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_firmware_package,_what_do_I_use_for_the_SPDX_expression? Yes, but this is not actually new. In theory all firmware licenses needed to be reviewed under the Callaway system for conformance to Fedora licensing standards (for firmware), i.e. at least since ~2010 or so there was not a policy that "all firmware licenses are inherently okay" and I seem to remember at least one case where a firmware package was excluded from Fedora for licensing reasons. What's new now is that the License: field for the RPM can't simply say "Redistributable, no modification permitted" if only because that is not an SPDX-conformant expression. This is I think the first firmware license issue we've dealt with since the initiation of the New Era. > Legal folks, note that this is not a firmware per se, but FESCo approved to > treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153 > > """ > FESCo permits the use of pre-signed Intel SGX components under the firmware > clause of the Licensing Guidelines, provided that Fedora Legal concurs. > """ I think there may some confusion about the license in the Pagure ticket. The prebuilt Intel binaries are not under the BSD license, but under the following derivative of the 3-clause BSD license: <quote> Copyright (c) Intel Corporation. Redistribution. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are met: * Redistributions must reproduce the above copyright notice and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Intel Corporation nor the names of its suppliers may be used to endorse or promote products derived from this software without specific prior written permission. * No reverse engineering, decompilation, or disassembly of this software is permitted. Limited patent license. Intel Corporation grants a world-wide, royalty-free, non-exclusive license under patents it now or hereafter owns or controls to make, have made, use, import, offer to sell and sell ("Utilize") this software, but solely to the extent that any such patent is necessary to Utilize the software alone, or in combination with an operating system licensed under an approved Open Source license as listed by the Open Source Initiative at http://opensource.org/licenses. The patent license shall not apply to any other combinations which include this software. No hardware per se is licensed hereunder. DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </quote> What's novel here, as far as I know, is the "limited patent license". Though it would be useful to know if Fedora currently ships any firmware under an Intel (or other) license with a similar clause, something I don't know offhand -- one of the benefits of carefully recording approval of individual firmware licenses is that in the future this will be easier to look up). While the limited patent license may be okay, it doesn't fall within the current definition of acceptable firmware license conditions so we'd have to revise the corresponding documentation and it requires some deliberation. Anyway, the Intel folks should submit an issue to https://gitlab.com/fedora/legal/fedora-license-data to have this license reviewed. Richard _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
