On Fri, Dec 02, 2022 at 10:08:44AM -0500, Richard Fontana wrote:
> On Fri, Dec 2, 2022 at 5:45 AM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
> >
> > On 02. 12. 22 8:23, Sun, Yunying wrote:
> > > Hi,
> > >
> > > I'm packaging linux-sgx SDK for Fedora, with review request ticket:
> > >
> > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444
> > > <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085444>
> > >
> > > linux-sgx has some Intel signed binaries included such as
> > > libsgx_{qve,tdqe,id_enclave,pce,qe3,le,qe,pve}.signed.so, as stated in License.txt:
> > >
> > > https://github.com/intel/linux-sgx/blob/master/License.txt
> > > <https://github.com/intel/linux-sgx/blob/master/License.txt>
> > >
> > > According to
> > > https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware
> > > <https://fedoraproject.org/wiki/Licensing:SoftwareTypes#Binary_Firmware>, it has:
> > >
> > > /The License tag for any firmware that disallows modification must be set to:
> > > "Redistributable, no modification permitted"/
> > >
> > > So I added "Redistributable, no modification permitted" to the “License:” in
> > > spec file:
> > >
> > > https://yunyings.fedorapeople.org/sgxsdk.spec
> > > <https://yunyings.fedorapeople.org/sgxsdk.spec>
> > >
> > > In recent review comment, Miro suggested that this "Redistributable, no
> > > modification permitted" is not appropriate for license name.
> > >
> > > But going through all licenses on
> > > https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
> > > <https://docs.fedoraproject.org/en-US/legal/allowed-licenses/>, I can’t find
> > > the right license for these Intel signed binaries.
> > >
> > > Could you point me to the right license, or if none exists for this case, guide
> > > me how to proceed? Thank you.
> >
> > I think that each such license now needs to be reviewed separately.
> > See
> > https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1#I_maintain_a_firmware_package,_what_do_I_use_for_the_SPDX_expression?
>
> Yes, but this is not actually new. In theory all firmware licenses
> needed to be reviewed under the Callaway system for conformance to
> Fedora licensing standards (for firmware), i.e. at least since ~2010
> or so there was not a policy that "all firmware licenses are
> inherently okay" and I seem to remember at least one case where a
> firmware package was excluded from Fedora for licensing reasons.
> What's new now is that the License: field for the RPM can't simply say
> "Redistributable, no modification permitted" if only because that is
> not an SPDX-conformant expression. This is I think the first firmware
> license issue we've dealt with since the initiation of the New Era.

For the syntax issue... we have only briefly discussed this from what I
recall. We will need to arrive at a decision on how to capture these licenses
as SPDX-compatible IDs but that Fedora carries downstream in
fedora-license-data.

> > Legal folks, note that this is not a firmware per se, but FESCo approved to
> > treat it as such, pending legal review, in https://pagure.io/fesco/issue/2153
> >
> > """
> > FESCo permits the use of pre-signed Intel SGX components under the firmware
> > clause of the Licensing Guidelines, provided that Fedora Legal concurs.
> > """
>
> I think there may be some confusion about the license in the Pagure
> ticket. The prebuilt Intel binaries are not under the BSD license, but
> under the following derivative of the 3-clause BSD license:
>
> <quote>
> Copyright (c) Intel Corporation.
>
> Redistribution. Redistribution and use in binary form, without
> modification, are permitted provided that the following conditions are
> met:
>
> * Redistributions must reproduce the above copyright notice and the
> following disclaimer in the documentation and/or other materials
> provided with the distribution.
> * Neither the name of Intel Corporation nor the names of its suppliers
> may be used to endorse or promote products derived from this software
> without specific prior written permission.
> * No reverse engineering, decompilation, or disassembly of this software
> is permitted.
>
> Limited patent license. Intel Corporation grants a world-wide,
> royalty-free, non-exclusive license under patents it now or hereafter
> owns or controls to make, have made, use, import, offer to sell and
> sell ("Utilize") this software, but solely to the extent that any
> such patent is necessary to Utilize the software alone, or in
> combination with an operating system licensed under an approved Open
> Source license as listed by the Open Source Initiative at
> http://opensource.org/licenses. The patent license shall not apply to
> any other combinations which include this software. No hardware per
> se is licensed hereunder.
>
> DISCLAIMER. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
> CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
> BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
> FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
> COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
> INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
> BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
> OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
> ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
> TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
> USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
> DAMAGE.
> </quote>
>
> What's novel here, as far as I know, is the "limited patent license".
> (Though it would be useful to know if Fedora currently ships any
> firmware under an Intel (or other) license with a similar clause,
> something I don't know offhand -- one of the benefits of carefully
> recording approval of individual firmware licenses is that in the
> future this will be easier to look up). While the limited patent
> license may be okay, it doesn't fall within the current definition of
> acceptable firmware license conditions so we'd have to revise the
> corresponding documentation and it requires some deliberation. Anyway,
> the Intel folks should submit an issue to
> https://gitlab.com/fedora/legal/fedora-license-data to have this
> license reviewed.
>
> Richard
> _______________________________________________
> legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT