Buildroot Archive on lore.kernel.org
* [Buildroot] FW: Buildroot Licensing Issue Uncovered
       [not found] ` <SA1P110MB09929404D9FDB9F5E043A920C60DA@SA1P110MB0992.NAMP110.PROD.OUTLOOK.COM>
@ 2023-08-08 23:01   ` chris.wood
  2023-08-09  8:05     ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 4+ messages in thread
From: chris.wood @ 2023-08-08 23:01 UTC (permalink / raw)
  To: buildroot@buildroot.org



To: buildroot.org, Attn: Peter Korsgaard, Thomas Petazzoni

We are desiring to use the buildroot software version 2023-5 and were performing a licensing scan for the purpose of creating Software Bill of Material and came across a reference to a license that is not an open-source license; it is an NXP Semiconductor commercial license. The licensed file is located in the boot/directory/lpc3200cdl, and the file containing the license reference is "0002-delete_redundant_files.patch". The reference says:
"- * Software that is described herein is for illustrative purposes only
- * which provides customers with programming information regarding the
- * products. This software is supplied "AS IS" without any warranties.
- * NXP Semiconductors assumes no responsibility or liability for the
- * use of the software, conveys no license or title under any patent,
- * copyright, or mask work right to the product. NXP Semiconductors
- * reserves the right to make changes in the software without
- * notification. NXP Semiconductors also make no representation or
- * warranty that such application will be suitable for the specified
- * use without further testing or modification."
To obtain clarification on the statement "...conveys no license or title under any patent, copyright, or mask work right to the product..." we asked NXP who responded that the software is freeware offered to customers purchasing their boards, and that it is not open-source software and furthermore stated that they have no relationship to the buildroot software product and wondered if you have an agreement with them allowing you to include it in your software.

We are hoping that you can provide licensing permission evidence or other actions that will be taken to clear up this oversight so that we may use your software without concern.

Best Regards
Dr. Chris Wood


_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Buildroot] FW: Buildroot Licensing Issue Uncovered
  2023-08-08 23:01   ` [Buildroot] FW: Buildroot Licensing Issue Uncovered chris.wood
@ 2023-08-09  8:05     ` Thomas Petazzoni via buildroot
  2023-08-09 12:19       ` [Buildroot] EXTERNAL: " chris.wood
  0 siblings, 1 reply; 4+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-08-09  8:05 UTC (permalink / raw)
  To: chris.wood@lmco.com
  Cc: Alexandre Belloni, Yann E. MORIN, buildroot@buildroot.org

Hello Chris,

Adding Yann E. Morin and Alexandre Belloni in the loop. See further
below for some feedback.

On Tue, 8 Aug 2023 23:01:40 +0000
"chris.wood@lmco.com" <chris.wood@lmco.com> wrote:

> We are desiring to use the buildroot software version 2023-5 and were
> performing a licensing scan for the purpose of creating Software Bill
> of Material and came across a reference to a license that is not an
> open-source license; it is an NXP Semiconductor commercial license.
> The licensed file is located in the boot/directory/lpc3200cdl, and
> the file containing the license reference is
> "0002-delete_redundant_files.patch". The reference says:
>
> "- * Software that is described herein is for illustrative purposes only
> - * which provides customers with programming information regarding the
> - * products. This software is supplied "AS IS" without any warranties.
> - * NXP Semiconductors assumes no responsibility or liability for the
> - * use of the software, conveys no license or title under any patent,
> - * copyright, or mask work right to the product. NXP Semiconductors
> - * reserves the right to make changes in the software without
> - * notification. NXP Semiconductors also make no representation or
> - * warranty that such application will be suitable for the specified
> - * use without further testing or modification."
>
> To obtain clarification on the statement "...conveys no license or
> title under any patent, copyright, or mask work right to the
> product..." we asked NXP who responded that the software is freeware
> offered to customers purchasing their boards, and that it is not
> open-source software and furthermore stated that they have no
> relationship to the buildroot software product and wondered if you
> have an agreement with them allowing you to include it in your
> software.
> 
> We are hoping that you can provide licensing permission evidence or
> other actions that will be taken to clear up this oversight so that
> we may use your software without concern.

Thanks for getting this to our attention, very interesting.

A first point of clarification is that we do *not* include lpc32xxcdl
in our software. Buildroot can download it and build it for you, but
from a licensing perspective, lpc32xxcdl is *not* distributed as part
of Buildroot. It would be distributed as part of the embedded Linux
system you build with Buildroot, if you have enabled lpc32xxcdl in your
configuration.

Another aspect is that the lpc32xxcdl package is quite old, and back
then we did not include license information about the packages: you can
see that boot/lpc32xxcdl/lpc32xxcdl.mk does not have any LICENSE or
LICENSE_FILES variables like most of our packages now have. This means
that lpc32xxcdl has been added at a time (2012) when license review
was not done in a systematic fashion like it is done today for all new
packages that come in.

I am not a lawyer nor a legal person, but I agree that the words "NXP
Semiconductors assumes no responsibility or liability for the use of
the software, conveys no license or title under any patent, copyright,
or mask work right to the product" are very unclear in what they allow
to do with the software.

Are you using lpc32xxcdl in particular in your product?

Based on the unclear wording of the license terms of lpc32xxcdl and the
fact that LPC3250 is a very old platform and there hasn't been much (if
any) interest about it for many years, I would be inclined to say that
we should simply drop this package from Buildroot.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com

^ permalink raw reply	[flat|nested] 4+ messages in thread
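
The gap described in the message above (a package .mk file with no LICENSE or LICENSE_FILES variable) can be checked across a whole tree before generating an SBOM. This is an added example, not part of the thread and not Buildroot's own tooling; it assumes the `<PKG>_LICENSE` / `<PKG>_LICENSE_FILES` naming with the prefix derived from the .mk file name and a `<name>/<name>.mk` layout, and the sample contents are constructed.

```python
import re
import sys
from pathlib import Path

REQUIRED_SUFFIXES = ("LICENSE", "LICENSE_FILES")


def pkg_prefix(mk_name):
    """Variable prefix for a package file: 'legacy-boot.mk' -> 'LEGACY_BOOT'."""
    return re.sub(r"[^A-Za-z0-9]", "_", Path(mk_name).stem).upper()


def missing_license_vars(mk_name, mk_text):
    """List the <PKG>_LICENSE* variables that mk_text never assigns a value."""
    prefix = pkg_prefix(mk_name)
    missing = []
    for suffix in REQUIRED_SUFFIXES:
        # Anchored at line start so commented-out assignments do not count;
        # the operator must follow directly, so _LICENSE != _LICENSE_FILES.
        assigned = re.search(
            rf"^[ \t]*{re.escape(prefix)}_{suffix}[ \t]*[:+?]?=[ \t]*\S",
            mk_text, re.M)
        if not assigned:
            missing.append(f"{prefix}_{suffix}")
    return missing


def audit_tree(root):
    """Map each <name>/<name>.mk under root to its missing variables."""
    findings = {}
    for mk in sorted(Path(root).rglob("*.mk")):
        if mk.parent.name != mk.stem:  # skip infrastructure .mk files
            continue
        gaps = missing_license_vars(mk.name, mk.read_text(errors="replace"))
        if gaps:
            findings[str(mk.relative_to(root))] = gaps
    return findings


# Constructed sample contents (hypothetical packages, not from Buildroot).
SAMPLE_LEGACY = "LEGACY_BOOT_VERSION = 1.0\n# LEGACY_BOOT_LICENSE = unknown\n"
SAMPLE_CURRENT = ("GOOD_PKG_VERSION = 2.0\nGOOD_PKG_LICENSE = MIT\n"
                  "GOOD_PKG_LICENSE_FILES = COPYING\n")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, gaps in audit_tree(root).items():
        print(f"{path}: missing {', '.join(gaps)}")
```

Packages that legitimately carry no license text of their own will also be listed, so the output is a review queue rather than a verdict.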

* Re: [Buildroot] EXTERNAL: Re: FW: Buildroot Licensing Issue Uncovered
  2023-08-09  8:05     ` Thomas Petazzoni via buildroot
@ 2023-08-09 12:19       ` chris.wood
  2023-08-10 18:13         ` Yann E. MORIN
  0 siblings, 1 reply; 4+ messages in thread
From: chris.wood @ 2023-08-09 12:19 UTC (permalink / raw)
  To: Thomas Petazzoni
  Cc: Alexandre Belloni, Yann E. MORIN, buildroot@buildroot.org

Thomas
Thank you for your quick response, it was much appreciated.  We do not use the NXP boards or software at all so removing it completely from the package would make the software more easily accessible for development purposes with other architectures.  If someone from your team could remove that subdirectory containing the 5 files that create the patch and call the NXP website, it would be appreciated very much.  I agree that in 2012 software licensing analysis was very much unexplored territory for most of us.

Best regards
Chris

-----Original Message-----
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com> 
Sent: Wednesday, August 9, 2023 3:06 AM
To: Wood, Chris (US) <chris.wood@lmco.com>
Cc: buildroot@buildroot.org; Alexandre Belloni <alexandre.belloni@bootlin.com>; Yann E. MORIN <yann.morin.1998@free.fr>
Subject: EXTERNAL: Re: [Buildroot] FW: Buildroot Licensing Issue Uncovered

Hello Chris,

Adding Yann E. Morin and Alexandre Belloni in the loop. See further below for some feedback.

On Tue, 8 Aug 2023 23:01:40 +0000
"chris.wood@lmco.com" <chris.wood@lmco.com> wrote:

> We are desiring to use the buildroot software version 2023-5 and were 
> performing a licensing scan for the purpose of creating Software Bill 
> of Material and came across a reference to a license that is not an 
> open-source license; it is an NXP Semiconductor commercial license.
> The licensed file is located in the boot/directory/lpc3200cdl, and the 
> file containing the license reference is 
> "0002-delete_redundant_files.patch". The reference says:
>
> "- * Software that is described herein is for illustrative purposes 
> only
> - * which provides customers with programming information regarding 
> the
> - * products. This software is supplied "AS IS" without any warranties.
> - * NXP Semiconductors assumes no responsibility or liability for the
> - * use of the software, conveys no license or title under any patent,
> - * copyright, or mask work right to the product. NXP Semiconductors
> - * reserves the right to make changes in the software without
> - * notification. NXP Semiconductors also make no representation or
> - * warranty that such application will be suitable for the specified
> - * use without further testing or modification."
>
> To obtain clarification on the statement "...conveys no license or 
> title under any patent, copyright, or mask work right to the 
> product..." we asked NXP who responded that the software is freeware 
> offered to customers purchasing their boards, and that it is not 
> open-source software and furthermore stated that they have no 
> relationship to the buildroot software product and wondered if you 
> have an agreement with them allowing you to include it in your 
> software.
> 
> We are hoping that you can provide licensing permission evidence or 
> other actions that will be taken to clear up this oversight so that we 
> may use your software without concern.

Thanks for getting this to our attention, very interesting.

A first point of clarification is that we do *not* include lpc32xxcdl in our software. Buildroot can download it and build it for you, but from a licensing perspective, lpc32xxcdl is *not* distributed as part of Buildroot. It would be distributed as part of the embedded Linux system you build with Buildroot, if you have enabled lpc32xxcdl in your configuration.

Another aspect is that the lpc32xxcdl package is quite old, and back then we did not include license information about the packages: you can see that boot/lpc32xxcdl/lpc32xxcdl.mk does not have any LICENSE or LICENSE_FILES variables like most of our packages now have. This means that lpc32xxcdl has been added at a time (2012) when license review was not done in a systematic fashion like it is done today for all new packages that come in.

I am not a lawyer nor a legal person, but I agree that the words "NXP Semiconductors assumes no responsibility or liability for the use of the software, conveys no license or title under any patent, copyright, or mask work right to the product" are very unclear in what they allow to do with the software.

Are you using lpc32xxcdl in particular in your product?

Based on the unclear wording of the license terms of lpc32xxcdl and the fact that LPC3250 is a very old platform and there hasn't been much (if
any) interest about it for many years, I would be inclined to say that we should simply drop this package from Buildroot.

Best regards,

Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel engineering and training https://bootlin.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Buildroot] EXTERNAL: Re: FW: Buildroot Licensing Issue Uncovered
  2023-08-09 12:19       ` [Buildroot] EXTERNAL: " chris.wood
@ 2023-08-10 18:13         ` Yann E. MORIN
  0 siblings, 0 replies; 4+ messages in thread
From: Yann E. MORIN @ 2023-08-10 18:13 UTC (permalink / raw)
  To: chris.wood@lmco.com
  Cc: Alexandre Belloni, Thomas Petazzoni, buildroot@buildroot.org

Chris, All,

On 2023-08-09 12:19 +0000, chris.wood@lmco.com spake thusly:
> Thank you for your quick response, it was much appreciated.  We do not
> use the NXP boards or software at all so removing it completely from
> the package would make the software more easily accessible for
> development purposes with other architectures.  If someone from your
> team could remove that subdirectory containing the 5 files that create
> the patch and call the NXP website, it would be appreciated very much.
> I agree that in 2012 software licensing analysis was very much
> unexplored territory for most of us.

We have just pushed a commit that entirely removes the lpc32xxcdl
package from Buildroot, which means the files of dubious licensing are
also gone:

    https://gitlab.com/buildroot.org/buildroot/-/commit/503252d8b0951af306189b63ea852723c6540f5a

This is going to be part of the next release, 2023.08, due by the end of
August 2023. Backporting to the stable branches might be done in a later
stage. In the meantime, you may want to backport this change to your
local copy.

Thanks for the report!

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

^ permalink raw reply	[flat|nested] 4+ messages in thread
