-----Original Message----- From: Julius Werner [mailto:jwerner@chromium.org] Sent: Thursday, June 11, 2020 2:05 AM To: Patrick Georgi pgeorgi@google.com Cc: Julius Werner jwerner@chromium.org; Coreboot coreboot@coreboot.org; Nico Huber nico.h@gmx.de; Angel Pons th3fanbus@gmail.com; Stefan Reinauer stefan.reinauer@coreboot.org; Ryan Case ryandcase@google.com; Wim Vervoorn wvervoorn@eltan.com; Frans Hendriks fhendriks@eltan.com; Martin Roth martinroth@google.com Subject: Re: Supporting blobs with licenses that you agree to on download
On Wed, Jun 10, 2020 at 12:11 AM Wim Vervoorn wvervoorn@eltan.com wrote:
You only need a single mainboard to be in the tree. A mainboard can trigger cloning a specific branch of this repository after warning for the license.
So I think you're basically just suggesting to use branches instead of different repositories to separate them, but still separate them all individually. I don't think it makes much of a difference, just that branches are usually used in Git to track different versions of the same thing, so I think it might be confusing to use them to track different things instead. I think if we decide that every affected vendor should have their blobs isolated by themselves, we might as well just make them different repositories (unless Patrick has any preferences about what scales better on the infra side there).
Would it be enough to just create a second repository (3rdparty/restrictive_blobs or something like that) which is not automatically checked out by CONFIG_USE_BLOBS so people can make a separate conscious decision if they want to check it out?
If it doesn't allow redistribution, we'd have to check if coreboot.org can host such repos (because we redistribute all the time) or if there's some implied license by the licensor (they pushed it for redistribution after all), and if we can mirror it to github.com and other places (or if that's not implied anymore). As coreboot.org maintainers we won't accept a special "redistribution by coreboot.org allowed" type of license: if those bits are _that_ precious, we don't want them.
No, wait, sorry, I never said they don't allow redistribution. I think it's clear that we can't host them if we can't redistribute them. (Note that blobs with licenses like this are hosted in other projects' big blob repos like https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/... too.)
These licenses explicitly *do* allow unlimited redistribution. It's just that the license text says you're only allowed to download it if you're agreeing to the license (whether that's enforceable in each jurisdiction is a different question, of course). So if anything this is on the downloader, not on the redistributor. Personally, I think this isn't much different than one of those bundled EULAs that say "if you don't agree to this, you must bring the CD back to the store"... but I'm not a lawyer and I can understand that some people may feel more concerned about it, so I'm hoping we can find a solution that allows those people to avoid downloading these blobs unintentionally.
[WIM] I think this exactly explains what it is. This is indeed the intention of these licenses. On the other hand, if having those is a problem. It may still be better to find a good solution to solve these type of issues. I was thinking about this again and you're right about the separate mainboard repo with these separate branches. Wouldn't it be better to host blobs with a "dubious" license separately on github and pull them in when needed (and after a warning)? This way they are not part of the coreboot project and we don't spend a huge amount of time on them discussing the license. This github repo is then the responsibility of the board maintainer.
Wim