Re: Question re correctness of module license check
From: George Barrett
Subject: Re: Question re correctness of module license check
Date: Sat, 04 Feb 2023 05:56:15 +1100
On Fri, Feb 03, 2023 at 13:17:01 -0500, Robbie Harwood wrote:
> We're not aware of anyone trying to use external modules, and as
> discussed previously on the list that's fraught anyhow, but suppose they
> were. Even if the license on their module were maximally incompatible
> with grub's, all that does is render them non-redistributable.
I was thinking something like this myself, but I accepted the premise of
the doc comment for the purposes of discussion since I'm not confident
in my vague understanding of those matters.
> But even then, suppose there were. As your post points out, the process
> of deciding what's "compatible" is much more complicated than strcmp.
> We would need a list of acceptable licenses, which we keep updated
> somehow - and if we're being intellectually honest, the capability to
> parse and understand full SPDX expressions (or similar). I doubt any of
> us seriously want that in the bootloader.
I'd be fine with having the check dropped, but I was actually thinking
of a more conservative approach: instead of checking for a specific
license, check for a declaration of license compatibility. Something
like a flag (signalled with, say, GRUB_MOD_LICENSE_GPLv3_COMPATIBLE)
that was checked for instead. This would shift the policy mechanism
mostly out of the code to the humans instead.
(Of course, there'd be a lot of code churn updating all the module
sources to use the new macro instead of the current GRUB_MOD_LICENSE.
It might be simpler to check for a license string like "GPLv3
compatible"; it seems like this is how the "GPLv3" string is used in
practice anyway.[1][2])
But, as you say, the benefit of the check seems specious at best.
> So to return to the start, if it's not generally going to do much as-is,
> then why do I care?
What motivated the question for me was looking into using something like
mbedtls for X.509 support. In checking whether the module loader
recognised the Apache license, I saw not only that it didn't but that
the comment seemed to explicitly forbid the use of differently-licensed
modules due to some unspecified policy.
I figure it'd be nice if I were the last to embark on that particular
wild goose chase :)
> Unfortunately, the module license check is pretty much the first
> thing that handles a module. If either the module or its containing
> signed image is malformed, truncated, etc., then we can get errors in
> the license check. They're not helpful and an end-user certainly
> can't act on them properly.
> Be well,
> --Robbie
Thanks
[1]: https://lists.gnu.org/archive/html/grub-devel/2020-03/msg00109.html
[2]: https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00058.html
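The two checks discussed in this thread, side by side, as an added example that is not GRUB's code and not part of the original message: one compares the module's license string against a fixed allowlist (the current approach the thread criticises), the other looks only for a declaration of compatibility, moving the policy decision to the module author. Both first verify that the license string is NUL-terminated inside the section's bounds, so a truncated or malformed module is reported as malformed rather than surfacing as a confusing license error. The function names, the `license_result` codes, the `"GPLv3 compatible"` declaration string and the allowlist contents are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical outcome codes for this illustration; not GRUB's error enum. */
enum license_result {
    LICENSE_OK = 0,
    LICENSE_MALFORMED,    /* no terminating NUL inside the section bounds */
    LICENSE_REJECTED      /* well-formed string, but the policy check failed */
};

/* Constructed: the declaration a module author embeds to assert that the
   module's license is compatible, instead of naming a specific license. */
#define COMPAT_DECLARATION "GPLv3 compatible"

/* Constructed allowlist for the strcmp-style check discussed in the thread. */
static const char *const allowlist[] = { "GPLv3", "GPLv3+" };

/* A license section is usable only if its string terminates inside
   [sec, sec + len). A truncated image fails here, before any strcmp runs. */
static bool license_string_in_bounds(const uint8_t *sec, size_t len)
{
    if (sec == NULL || len == 0)
        return false;
    return memchr(sec, '\0', len) != NULL;
}

/* Approach 1: accept only license strings present in a hard-coded list. */
enum license_result check_license_allowlist(const uint8_t *sec, size_t len)
{
    if (!license_string_in_bounds(sec, len))
        return LICENSE_MALFORMED;
    for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++)
        if (strcmp((const char *)sec, allowlist[i]) == 0)
            return LICENSE_OK;
    return LICENSE_REJECTED;
}

/* Approach 2: accept a declaration of compatibility, whatever the actual
   license; the judgement about compatibility is made by the author. */
enum license_result check_license_declaration(const uint8_t *sec, size_t len)
{
    if (!license_string_in_bounds(sec, len))
        return LICENSE_MALFORMED;
    if (strcmp((const char *)sec, COMPAT_DECLARATION) == 0)
        return LICENSE_OK;
    return LICENSE_REJECTED;
}

/* Constructed sample license sections (sizeof includes the NUL terminator). */
static const uint8_t sample_gplv3[] = "GPLv3";
static const uint8_t sample_compat[] = "GPLv3 compatible";
static const uint8_t sample_apache[] = "Apache-2.0";
/* Truncated: the section ends before the terminator is reached. */
static const uint8_t sample_truncated[] = { 'G', 'P', 'L', 'v', '3' };

static const char *result_name(enum license_result r)
{
    switch (r) {
    case LICENSE_OK:        return "ok";
    case LICENSE_MALFORMED: return "malformed module";
    default:                return "rejected by policy";
    }
}

int main(void)
{
    printf("allowlist   GPLv3:            %s\n",
           result_name(check_license_allowlist(sample_gplv3, sizeof sample_gplv3)));
    printf("allowlist   GPLv3 compatible: %s\n",
           result_name(check_license_allowlist(sample_compat, sizeof sample_compat)));
    printf("declaration GPLv3 compatible: %s\n",
           result_name(check_license_declaration(sample_compat, sizeof sample_compat)));
    printf("declaration Apache-2.0:       %s\n",
           result_name(check_license_declaration(sample_apache, sizeof sample_apache)));
    printf("declaration truncated:        %s\n",
           result_name(check_license_declaration(sample_truncated, sizeof sample_truncated)));
    return 0;
}
```

The distinction that matters for the end user is that a truncated or otherwise malformed image produces `LICENSE_MALFORMED` from either variant, so the loader can report the real problem instead of an unhelpful license complaint.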