balapi / bal-sdk

This is the BAL SDK that exposes the BAL API and transport

Proprietary license in the OSS SDK ? #20

Open joey-onf opened 4 months ago

joey-onf commented 4 months ago

Hi,

I recently ran the reuse license compliance checker against the sdk-bal repository.

% git clone git@github.com:balapi/bal-sdk.git
% cd bal-sdk
% virtualenv -p python3 .venv
% source .venv/bin/activate
% pip install pre-commit

cat <.pre-commit-config.yaml

repos:

% pre-commit

The reuse tool detected what appears to be a few proprietary licensed files in the OSS sdk. I was not able to find a 'LICENSE' file or directory in the repository root that might provide alternate context.

A majority of the sources are covered by Apache-2.0. Might the licensing in the files below be an oversight, or have they been properly licensed as proprietary source?

Thanks -- Joey

https://github.com/balapi/bal-sdk/blob/main/utils/bcmolt_bit_utils.c#L6
https://github.com/balapi/bal-sdk/blob/main/transport/plugin/trmux_direct/bcmtr_plugin_trmux_direct.c
https://github.com/balapi/bal-sdk/blob/main/api_cli/bcm_api_cli.hpp
https://github.com/balapi/bal-sdk/blob/main/api/bcmolt_api_code_helper.c

<:copyright-BRCM:2016-2020:proprietary:standard Copyright (c) 2016-2020 Broadcom. All Rights Reserved

This program is the proprietary software of Broadcom and/or its licensors, and may only be used, duplicated, modified or distributed pursuant to the terms and conditions of a separate, written license agreement executed between you and Broadcom (an "Authorized License"). Except as set forth in an Authorized License, Broadcom grants no license (express or implied), right to use, or waiver of any kind with respect to the Software, and Broadcom expressly reserves all rights in and to the Software and all intellectual property rights therein. IF YOU HAVE NO AUTHORIZED LICENSE, THEN YOU HAVE NO RIGHT TO USE THIS SOFTWARE IN ANY WAY, AND SHOULD IMMEDIATELY NOTIFY BROADCOM AND DISCONTINUE ALL USE OF THE SOFTWARE.

Except as expressly set forth in the Authorized License,

balapi commented 4 months ago

Hi Joey,

Thanks for the heads-up. I've fixed the license in these files in the balapi sdk repo. Please let me know if you see any other issues.

thanks, Frank


joey-onf commented 4 months ago

Hi,

I found a few more in the source tree:

host_dev_log/bcmolt_host_dev_log.c
host_dev_log/bcmolt_host_dev_log.h
transport/plugin/trmux_direct/bcmtr_plugin_trmux_direct.h
transport/plugin/trmux_direct_dummy/bcmtr_plugin_trmux_direct_dummy.c
utils/bcmolt_bit_utils.h

joey-onf commented 4 months ago

I re-ran reuse on the repository and the report is flagging a large number of files. Most seem OK, I found Apache-2.0 & GPL-2

% pre-commit [...]

MISSING COPYRIGHT AND LICENSING INFORMATION

The following files have no licensing information:

# SUMMARY

* Bad licenses: 0
* Deprecated licenses: 0
* Licenses without file extension: 0
* Missing licenses: Apache-2.0
* Unused licenses: 0
* Used licenses: Apache-2.0
* Read errors: 0
* files with copyright information: 175 / 1652
* files with license information: 1 / 1652

Unfortunately, your project is not compliant with version 3.0 of the REUSE Specification :-(

# RECOMMENDATIONS

* Fix missing licenses: For at least one of the license identifiers provided by
  the 'SPDX-License-Identifier' tags, there is no corresponding license text
  file in the 'LICENSES' directory. For SPDX license identifiers, you can simply
  run 'reuse download --all' to get any missing ones. For custom licenses
  (starting with 'LicenseRef-'), you need to add these files yourself.
* Fix missing copyright/licensing information: For one or more files, the tool
  cannot find copyright and/or licensing information. You typically do this by
  adding 'SPDX-FileCopyrightText' and 'SPDX-License-Identifer' tags to each
  file. The tutorial explains additional ways to do this:
  <https://reuse.software/tutorial/>

joey-onf commented 4 months ago

A handful of sources grant use with conditions but I do not see any of the 'approved' oss license types mentioned.

third_party/linenoise/linenoise.c third_party/linenoise/linenoise.h

 * Copyright (c) 2010-2013, Salvatore Sanfilippo <antirez at gmail dot com>
 * Copyright (c) 2010-2013, Pieter Noordhuis <pcnoordhuis at gmail dot com>
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:

os_abstraction/bcmos_queue.h os_abstraction/bcmos_tree.h

 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:

joey-onf commented 4 months ago

Just FYI: the SPDX spec / reuse tool can be used to verify OSS license compliance coverage for a repository. A few documentation links are included below.

The only detail needed is to inline 'SPDX-*' tokens to identify license type for the reuse tool to check in bulk for reporting:

We are using this syntax in our project. https://github.com/joey-onf/copyright/blob/origin/master/notice

SPDX-FileCopyrightText: 2017-2024 the Open Networking Foundation Contributors

SPDX-License-Identifier: Apache-2.0

SPDX License Tokens

https://spdx.org/licenses/
https://spdx.org/licenses/preview/index.html
https://spdx.dev/learn/handling-license-info/#how
https://www.kernel.org/doc/html/latest/process/license-rules.html#license-identifier-syntax

Thanks -- Joey
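The kind of check the thread is running, as an added example that is not part of the issue or of the bal-sdk / reuse projects: a small scanner that inspects the top of each source file for the inline SPDX tokens Joey describes, and separately flags the proprietary Broadcom header tag and BSD-style notices that carry no machine-readable identifier. The sample headers are constructed to mirror the ones quoted above; `scan_tree` and the verdict names are this example's own.

```python
import re
from collections import Counter
from pathlib import Path

# Inline SPDX tokens that the reuse tool keys on (see Joey's last comment).
SPDX_LICENSE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")
SPDX_COPYRIGHT = re.compile(r"SPDX-FileCopyrightText:")
# The Broadcom header tag quoted in the issue, and its prose marker.
PROPRIETARY = re.compile(r"<:copyright-BRCM:[^>\n]*:proprietary:|proprietary software of", re.I)
# BSD-style permission text without an SPDX tag (the linenoise / Provos headers).
BSD_TEXT = re.compile(r"Redistribution and use in source and binary forms", re.I)
HEADER_LINES = 30  # only the top of each file is inspected

def classify_header(text: str) -> str:
    """Return OK, PROPRIETARY, NEEDS-SPDX-TAG or MISSING for one file's contents."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    if PROPRIETARY.search(head):
        return "PROPRIETARY"
    if SPDX_LICENSE.search(head) and SPDX_COPYRIGHT.search(head):
        return "OK"
    if BSD_TEXT.search(head):
        return "NEEDS-SPDX-TAG"  # permissive notice present, but not machine-readable
    return "MISSING"

def scan_tree(root: str, exts=(".c", ".h", ".hpp", ".cpp")) -> dict:
    """Walk a checkout and map each source path to its verdict."""
    base = Path(root)
    return {str(p.relative_to(base)): classify_header(p.read_text(errors="replace"))
            for p in base.rglob("*") if p.is_file() and p.suffix in exts}

def summarize(verdicts: dict) -> dict:
    """Counts per verdict plus a compliance flag, mirroring reuse's SUMMARY section."""
    counts = Counter(verdicts.values())
    return {"counts": dict(counts), "total": len(verdicts),
            "compliant": counts["OK"] == len(verdicts)}

# Constructed sample headers mirroring the ones quoted in the thread (not real files).
SAMPLES = {
    "tagged.c": "/*\n * SPDX-FileCopyrightText: 2017-2024 Example Contributors\n"
                " * SPDX-License-Identifier: Apache-2.0\n */\n",
    "brcm.c": "/*\n<:copyright-BRCM:2016-2020:proprietary:standard\n"
              "Copyright (c) 2016-2020 Broadcom. All Rights Reserved\n*/\n",
    "linenoise.c": "/* Copyright (c) 2010-2013, Example Author\n * All rights reserved.\n"
                   " * Redistribution and use in source and binary forms, with or without\n"
                   " * modification, are permitted provided that ...\n */\n",
    "bare.c": "#include <stdio.h>\nint main(void) { return 0; }\n",
}

if __name__ == "__main__":
    verdicts = {name: classify_header(src) for name, src in SAMPLES.items()}
    for name, v in verdicts.items():
        print(f"{v:15} {name}")
    print(summarize(verdicts))
```

Point `scan_tree` at a checkout to get the same per-file verdicts for a real tree; a PROPRIETARY or NEEDS-SPDX-TAG result is what reuse's "missing licenses" finding looks like before a LICENSES directory and SPDX tags are added.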