I think creating a separate repository e.g. for the fbg1701 would be a bad idea.
Would separating the mainboard blobs from the others be an idea?
You only need a single mainboard to be in the tree. A mainboard can trigger cloning a specific branch of this repository after warning for the license.
By doing this the mainboard blob would only be checked out when desired.
The bad thing is that the branch will be in the mainboard repo even when not checked out. I am not 100% sure if that will be good enough. What are your ideas about it?
Something else that came to mind is to put the specific files with a "download" license on the server as files and only download them if you approve. The problem is that it is at least much harder to control as it doesn't fit the standard release mechanism.
The other items are mainly related to a specific chipset or vendor. It is more worthwhile to have a separate repository for them.
Best regards,
Wim Vervoorn
-----Original Message-----
From: Julius Werner [mailto:jwerner@chromium.org]
Sent: Wednesday, June 10, 2020 3:44 AM
To: Coreboot coreboot@coreboot.org; Nico Huber nico.h@gmx.de; Angel Pons th3fanbus@gmail.com; Patrick Georgi pgeorgi@google.com; Stefan Reinauer stefan.reinauer@coreboot.org; Ryan Case ryandcase@google.com; Wim Vervoorn wvervoorn@eltan.com; Frans Hendriks fhendriks@eltan.com; Martin Roth martinroth@google.com
Subject: Re: Supporting blobs with licenses that you agree to on download
[resend to mailing list with approved address]
On Tue, Jun 9, 2020 at 6:41 PM Julius Werner jwerner@google.com wrote:
Trying to generalize the discussion from https://review.coreboot.org/c/blobs/+/41379 here.
Some of the blobs in our 3rdparty/blobs repository have license language that basically says you have to agree to the license terms to even download the file, and otherwise you're not allowed to possess it. Some example language from the fbg1701 license:
Do not use or load software from this site or any associated materials (collectively, the "Software") until you have carefully read the following terms and conditions. By loading or using the Software, you agree to the terms of this Agreement. If you do not wish to so agree, do not install or use the Software.
As far as I can tell this affects 3rdparty/blobs/mainboard/facebook/fbg1701/license.txt and (with slightly more ambiguous language) almost all AMD licenses (e.g. 3rdparty/blobs/soc/amd/stoneyridge/license.txt). We're trying to add a new blob needed to support a Qualcomm platform that comes with similar language.
Some people pointed out on that CL that they are uncomfortable with licenses like this in the blobs directory, since it means they cannot clone the whole repository without agreeing to all licenses with this sort of language in the repo (even if they only want to use a completely unrelated blob). The concern was also raised that this violates the binary policy (the "unlimited redistribution" part)... I guess it's a matter of interpretation whether a license that allows you to redistribute the binary *if you agree to it* is still "unlimited". It seems that there were already similar concerns raised when the fbg1701 license landed (https://review.coreboot.org/34441) but it was submitted despite the unresolved disagreement.
Can we come up with and implement a solution here that both respects people's concerns and still allows us to support the affected platforms? Clearly, the rules should be the same for all blobs, so if some blobs with language like this are already in the repository, it shouldn't be grounds to reject new blobs from landing. If we can come up with an alternative that people would feel more comfortable with, we should also apply it to those existing cases.
Would it be enough to just create a second repository (3rdparty/restrictive_blobs or something like that) which is not automatically checked out by CONFIG_USE_BLOBS so people can make a separate conscious decision if they want to check it out? It seems that something similar to this was already attempted with the 3rdparty/amd_blobs repository (but it looks like the work wasn't finished because those blobs are still in 3rdparty/blobs as well?). Is it enough to put all these blobs into a single separate repository or do we need to make a separate repository per license (that might be okay for the big AMD case but it probably wouldn't scale well for small one-offs)?