Re: [PATCH] crypto: Add SPDX ids to some files

[Richard Fontana]

On Thu, Feb 19, 2026 at 7:02 PM Bird, Tim <Tim.Bird@xxxxxxxx> wrote:
>
>
>
> > -----Original Message-----
> > From: Richard Fontana <rfontana@xxxxxxxxxx>
> > On Wed, Feb 18, 2026 at 7:10 PM Tim Bird <tim.bird@xxxxxxxx> wrote:
> > >
> >
> > > +// SPDX-License-Identifier: GPL-2.0-or-later OR BSD-3-Clause
> > >  /* FCrypt encryption algorithm
> > >   *
> > >   * Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
> > >   * Written by David Howells (dhowells@xxxxxxxxxx)
> > >   *
> > > - * This program is free software; you can redistribute it and/or
> > > - * modify it under the terms of the GNU General Public License
> > > - * as published by the Free Software Foundation; either version
> > > - * 2 of the License, or (at your option) any later version.
> > > - *
> > >   * Based on code:
> > >   *
> > >   * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
> > >   * (Royal Institute of Technology, Stockholm, Sweden).
> > >   * All rights reserved.
> > > - *
> > > - * Redistribution and use in source and binary forms, with or without
> > > - * modification, are permitted provided that the following conditions
> > > - * are met:
> > > - *
> > > - * 1. Redistributions of source code must retain the above copyright
> > > - *    notice, this list of conditions and the following disclaimer.
> > > - *
> > > - * 2. Redistributions in binary form must reproduce the above copyright
> > > - *    notice, this list of conditions and the following disclaimer in the
> > > - *    documentation and/or other materials provided with the distribution.
> > > - *
> > > - * 3. Neither the name of the Institute nor the names of its contributors
> > > - *    may be used to endorse or promote products derived from this software
> > > - *    without specific prior written permission.
> > > - *
> > > - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
> > > - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> > > - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> > > - * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
> > > - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> > > - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> > > - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> > > - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> > > - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> > > - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> > > - * SUCH DAMAGE.
> >
> > This is not `GPL-2.0-or-later OR BSD-3-Clause`. It appears to be
> > something like "GPLv2-or-later code based partly on some BSD-3-Clause
> > code" which would be `GPL-2.0-or-later AND BSD-3-Clause` (with some
> > significant loss of information in the conversion to SPDX notation,
> > but I've complained about that before in other forums).
>
> Well, this particular combination is indeed problematic.  The 'Based on' notice
> does indeed not necessarily mean that either license could be used, if this code
> were extracted from the kernel.
> It would take some deep research to determine what was added that was NOT
> BSD-3-Clause before and after the code entered the kernel source tree.  After the
> code enters the kernel source tree, the usual assumption is that code contributions
> are under GPL-2.0-only unless the specific file license says otherwise. However, with both licenses mentioned
> in the header, I suspect a large number of contributors interpreted the situation
> as an OR.

That would surprise me, but, in the words of the Big Lebowski, perhaps
you're right.

> The end result of this is that normally most of the contributions are assumed
> to be GPL-2.0-only, and it would not be appropriate to release the whole file under BSD-3-Clause.
>
> I don't think it can be 'GPL-2.0-or-later AND BSD-3-Clause', because the 3rd clause
> in BSD-3-Clause is incompatible with GPL-2.0 (although some people disagree with that,
> that's how I read it).

That's a legitimate reading but I would contend it's out of step with
settled expectations going back multiple decades about the ability to
combine BSD-3-Clause (and licenses with similar clauses to clause 3).
Even if you're right, though, that doesn't mean "AND" is incorrect, it
would just mean that there's a license incompatibility for people who
care about that sort of thing.

> There are likely a number of cases in the kernel where developers took BSD-3-Clause code
> and re-licensed it as GPL-2.0 (or GPL-2.0-or-later), which is not strictly kosher based solely
> on the 3rd condition issue.  However, I think the 3rd condition (the no-endorsement clause)
> is a goofy one, that has never been acted on in any legal capacity, and for which the risk of
> a bad outcome is very low, if it were completely ignored.  I could expand my thinking on this,
> but this post is already too long. Overall, I'm inclined to just mark this one as 'GPL-2.0 -or-later'
> (not using an OR at all), but leave the 'based on' text, and call it good. I might add some text
> saying to look at the original code as submitted to the kernel if someone wants a version of
> the code under the BSD license.

> By the way, Richard, I appreciate the review of the patches and your thoughts.

Thank you!

Richard