Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What does the License notice for Algorithm from Internet Draft document "UUIDs and GUIDs" apply to? #79231

Closed
omajid opened this issue Dec 5, 2022 · 14 comments · Fixed by #80377 or #80506

Comments

@omajid
Copy link
Member

omajid commented Dec 5, 2022

Over in Fedora-land, we are trying to add .NET 7 to Fedora.

As part of that, we have flagged that this isn't a valid open source license, at least for code. (Fedora distinguishes between licenses that are open source for code vs for open source enough just for content)

License notice for Algorithm from Internet Draft document "UUIDs and GUIDs"
---------------------------------------------------------------------------

License notice for Algorithm from Internet Draft document "UUIDs and GUIDs"
---------------------------------------------------------------------------

What does this license apply to? Does it actually cover some piece of code? If so, can someone point us to it?

Here's the actual feedback we received on the review for this license:

The problem here: We should allow this license for "content", but it can't be allowed for code, because it is straightforwardly non-FOSS. I don't see how we can make an exception either. This isn't like a CC0 case where the license is plausibly FOSS. Fedora has recognized this license as unacceptable for code for possibly 15 years or so (see comments on the wiki somewhere regarding one of the RSA licenses).

On the other hand, all we know from the notice file is that there is some connection between the RFC referenced and "Algorithm from Internet Draft document "UUIDs and GUIDs"". No link to a source file or anything. It is coupled to what looks like an acceptable old FOSS permissive license, so it is possible that what we have here is a situation where the relevant license is the FOSS license and they are crediting the RFC because they think it's nice to do or something.

@dotnet-issue-labeler
Copy link

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Dec 5, 2022
@omajid
Copy link
Member Author

omajid commented Dec 5, 2022

cc @richlander

@ghost
Copy link

ghost commented Dec 5, 2022

Tagging subscribers to this area: @dotnet/area-meta
See info in area-owners.md if you want to be subscribed.

Issue Details

Over in Fedora-land, we are trying to add .NET 7 to Fedora.

As part of that, we have flagged that this isn't a valid open source license, at least for code. (Fedora distinguishes between licenses that are open source for code vs for open source enough just for content)

License notice for Algorithm from Internet Draft document "UUIDs and GUIDs"
---------------------------------------------------------------------------

License notice for Algorithm from Internet Draft document "UUIDs and GUIDs"
---------------------------------------------------------------------------

What does this license apply to? Does it actually cover some piece of code? If so, can someone point us to it?

Here's the actual feedback we received on the review for this license:

The problem here: We should allow this license for "content", but it can't be allowed for code, because it is straightforwardly non-FOSS. I don't see how we can make an exception either. This isn't like a CC0 case where the license is plausibly FOSS. Fedora has recognized this license as unacceptable for code for possibly 15 years or so (see comments on the wiki somewhere regarding one of the RSA licenses).

On the other hand, all we know from the notice file is that there is some connection between the RFC referenced and "Algorithm from Internet Draft document "UUIDs and GUIDs"". No link to a source file or anything. It is coupled to what looks like an acceptable old FOSS permissive license, so it is possible that what we have here is a situation where the relevant license is the FOSS license and they are crediting the RFC because they think it's nice to do or something.

Author: omajid
Assignees: -
Labels:

area-Meta, untriaged

Milestone: -

@akoeplinger
Copy link
Member

FWIW the original addition to the file was done in dotnet/coreclr#10117.

I found this code in coreclr that seems related:

Algorithm from Internet Draft document "UUIDs and GUIDs"

@omajid
Copy link
Member Author

omajid commented Dec 7, 2022

cc @leecow @crummel since this blocks us from adding .NET 7 to Fedora.

@omajid
Copy link
Member Author

omajid commented Dec 7, 2022

I found this code in coreclr that seems related:

This may be a legal question, but does an implementation of an algorithm described in RFC fall under the same copyright/license as the RFC itself? The license itself states that the license is for "This document and translations", and doesn't talk about it covering any code that implements it.

@richardfontana
Copy link

richardfontana commented Dec 9, 2022

Hi, so if the file pointed to by @akoeplinger is relevant, that might help clear this up. I think the relevant RFC document is this one.

While this document is overall under the IETF RFC license, there is an Appendix A containing a reference implementation that has a copyright and license notice that seems to be identical to the other (archaic but clearly FOSS) license notice adjacent to the IETF license notice. (Edit: there seems to be one difference: the one in the THIRD-PARTY-NOTICES.TXT doesn't have the "Copyright (c) 1998 Microsoft." line. Maybe Microsoft decided to delete it to make clear that any Microsoft copyrights were being placed under the MIT license. It doesn't really matter.)

It seems reasonable to assume that anything that was copied or adapted here ultimately from that RFC draft would have been from that appendix. So while this probably solves Fedora's problem (if the assumptions I'm making are correct), I would recommend that the dotnet project delete the IETF notice because it is (almost certainly) incorrect and therefore misleading. To clarify what the basic issue here is: Fedora is committed to having a 100% FOSS distribution as far as code goes. The IETF license is not a FOSS license because it has certain confusingly-worded restrictions on modification. For example it clashes with the permissions of the MIT license which that linked source file asserts is the license of the file. The reason why the IETF license is incorrect is that (if my assumptions are correct) it doesn't cover anything that got copied into that file. The license of the RFC document doesn't (and can't) constrain implementations, which sort of answers @omajid's question -- unless the RFC document were to contain code covered by that document license, which (it seems) is not the case here.

@leecow
Copy link
Member

leecow commented Jan 9, 2023

The draft UUID section has been removed from the TPN doc by #80320 (comment). I think that fully resolves this issue and please let me know if there are additional areas that need clarification.

@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Jan 9, 2023
@richardfontana
Copy link

@leecow what about the license notice here: https://github.com/dotnet/runtime/blob/main/src/coreclr/utilcode/guidfromname.cpp#L47-#L69

Not sure if there was a misunderstanding but the issue pointed out here was not draft vs final RFC but rather that the IETF RFC license doesn't apply to the reference implementation code contained in an annex to the draft RFC (and maybe the counterpart final RFC, haven't looked at that).

@ghost ghost removed in-pr There is an active PR which will close this issue when it is merged untriaged New issue has not been triaged by the area owner labels Jan 9, 2023
@jkotas jkotas reopened this Jan 9, 2023
@ghost ghost added the untriaged New issue has not been triaged by the area owner label Jan 9, 2023
@jkotas
Copy link
Member

jkotas commented Jan 9, 2023

@leecow There are more places where this needs to be cleaned up as @richardfontana pointed out.

@leecow
Copy link
Member

leecow commented Jan 10, 2023

Thanks, Jan.

It looks like a total of 25 instances of the Draft though most are in out-of-support branches. I'll get additional PRs opened.

@jkotas
Copy link
Member

jkotas commented Jan 10, 2023

I do not think that the draft is the main problem. The main problem is reference to IETF RFC license like https://github.com/dotnet/runtime/blob/main/src/coreclr/utilcode/guidfromname.cpp#L47-#L69 that should be deleted.

@leecow
Copy link
Member

leecow commented Jan 10, 2023

@jkotas
Copy link
Member

jkotas commented Jan 10, 2023

Does the attribution at https://github.com/dotnet/runtime/blob/main/src/coreclr/utilcode/guidfromname.cpp#L8-#L9 cause any trouble?

I do not think this attribution is a problem.

@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Jan 11, 2023
jkotas pushed a commit that referenced this issue Jan 11, 2023
guidfromname.cpp contains a reference to an IETF RFC draft. This needs to be clarified for downstream FOSS licensing scans by removing the draft reference.

This PR corrects the IETF RFC reference and retains the final published RFC references.

Resolves #79231
@ghost ghost removed in-pr There is an active PR which will close this issue when it is merged untriaged New issue has not been triaged by the area owner labels Jan 11, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Feb 10, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
6 participants