Hi Joakim,
The license is acceptable for Trusted Firmware-M with QCBOR being used as an external library.
Please refer Section 9 of the Trusted Firmware Project Charter - https://www.trustedfirmware.org/docs/Trusted_Firmware_Charter_v_2021_07_14.p... 9 c) states that the original license text needs to be used and documented. There is documentation about license here - https://tf-m-user-guide.trustedfirmware.org/introduction/index.html?highligh... but can be improved.
Understand QCBOR license is problematic for Zephyr and needs to be resolved.
HTH, Shebu
From: Andersson, Joakim via TF-M tf-m@lists.trustedfirmware.org Sent: Thursday, February 9, 2023 11:05 AM To: Kevin Townsend (kevin.townsend@linaro.org) kevin.townsend@linaro.org; Andrej Butok andrey.butok@nxp.com Cc: Thomas Törnblom via TF-M tf-m@lists.trustedfirmware.org Subject: [TF-M] Re: Non-OSI license issue with QCBOR
Does that mean that the License is acceptable for use in the Trusted-Firmware organization? Does trusted-firmware have any policy on what kind of licenses it’s the dependencies (like TF-M) are allowed to use? -Joakim
From: Kevin Townsend via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: torsdag 9. februar 2023 09:29 To: Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> Cc: Thomas Törnblom via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Subject: [TF-M] Re: Non-OSI license issue with QCBOR
Caution: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hi Andrej,
We’re trying to work with the Qualcomm TSC rep in Zephyr to see if it can be relicensed, but there are about 20 authors to track down to make this happen, so it won’t be a quick solution even if it is possible.
In the interim, we’ll likely have to disable all use of the library to avoid blocking the Zephyr 3.3 release, meaning disabling use of the attestation service until a legal solution can be found.
Best regards, Kevin
On Thu, 9 Feb 2023 at 08:52, Andrej Butok <andrey.butok@nxp.commailto:andrey.butok@nxp.com> wrote: Hi Kevin,
TFM may not change the 3rd party license clauses. Can it be solved directly with the QCBOR project https://github.com/laurencelundblade/QCBORhttps://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flaurencelundblade%2FQCBOR&data=05%7C01%7Cjoakim.andersson%40nordicsemi.no%7C483128b1c59e44574e5908db0a77e549%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C638115282283840850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=GyO6OqS2c16FQO92GU7KvuNNi9WMGqFdYxuCn566p84%3D&reserved=0 to make it OSI compliant?
Thanks, Andrej
From: Kevin Townsend via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Sent: Wednesday, February 8, 2023 6:12 PM To: Thomas Törnblom via TF-M <tf-m@lists.trustedfirmware.orgmailto:tf-m@lists.trustedfirmware.org> Subject: [TF-M] Non-OSI license issue with QCBOR
We were discussing a problem with the Zephyr integration of TF-M today on the Zephyr TSC call, determining how to avoid QCBOR being downloaded at build time, which is against Zephyr project policy. Zephyr project policy is that all build dependencies need to exist in the Zephyr project Github org, and be downloaded before building.
During the discussion, it came up that QCBOR actually doesn't have an OSI approved open license, even if it appears to have one on first glance: https://github.com/zephyrproject-rtos/zephyr/issues/54017#issuecomment-14229...https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fzephyrproject-rtos%2Fzephyr%2Fissues%2F54017%23issuecomment-1422934516&data=05%7C01%7Cjoakim.andersson%40nordicsemi.no%7C483128b1c59e44574e5908db0a77e549%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C638115282283840850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=M57sj3mu3pM8Rn3i7EN0Jh0pR6AjWWx2kL4y9WHWB0E%3D&reserved=0
"Essentially" 3-Clause BSD really doesn't legally mean anything https://github.com/laurencelundblade/QCBOR/blob/master/README.md?plain=1#L52...https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flaurencelundblade%2FQCBOR%2Fblob%2Fmaster%2FREADME.md%3Fplain%3D1%23L527&data=05%7C01%7Cjoakim.andersson%40nordicsemi.no%7C483128b1c59e44574e5908db0a77e549%7C28e5afa2bf6f419a8cf6b31c6e9e5e8d%7C0%7C0%7C638115282283840850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5w8gaOZE7Ap7smuhbd%2F%2FEcsCXNsl0RdxjTnZG3v6u2w%3D&reserved=0
It looks like `NON-INFRINGEMENT` has been added to the license text, which is easy to miss, but entirely changes the license terms.
This is highly problematic, since not being OSI compliant now puts us in a position where we may have to remove TF-M from Zephyr to avoid blocking the 3.3 release, due to project policy around licenses, or I need to remove anything that relies on QCBOR until the license can be sorted out, with the 3.3 release and freeze scheduled for Friday. I'll look tomorrow at disabling attestation tokens, which seem to be the main user of this, but I wanted to bring the license issues up for anyone else who requires OSI-complliant licenses since this is easy to miss, and has been missed until now days from a release.
Thought it was important enough to quickly bring up here for TSC attention, while I try to find a solution less radical that removing TF-M to avoid blocking the Zephyr release.
-- Thanks and best regards,
Kevin Townsend Tech Lead - LITE, Vertical Technologies Linaro.org │ Open source software for ARM SoCs -- Thanks and best regards,
Kevin Townsend Tech Lead - LITE, Vertical Technologies Linaro.org │ Open source software for ARM SoCs