Auditing Linux

Identifying all copyright holders, licenses and license obligations within a Linux distribution is one of the most complex and tedious audit activities. Many source files in the tree are missing licensing information. This makes it hard for compliance tools to determine the correct license, and a manual audit is very time consuming.

By default, every Linux kernel file without explicit license information is licensed under GPL version 2 with the Linux syscall note exception. The problem is that, in reality, not all kernel files lacking an explicit license declaration are actually intended to be distributed under GPLv2 with the syscall exception. To make licensing obligations clearer to users, the Linux Foundation started a license cleanup activity in 2017, with the aim of making license compliance easier and more transparent to end users.

In this effort, all files without license information were identified and an SPDX header was added at the top of each one. Unfortunately, some files were tagged incorrectly. Some of these erroneously licensed files were flagged by the community later, but others remain inaccurately licensed to date.
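The first step of the audit described above is finding which files carry an SPDX header and which do not, so that untagged files can be reviewed by hand instead of silently inheriting the kernel's default. The following scanner is an added example written for this page, not code from the article or from the Linux Foundation cleanup; the sample tree it builds is constructed here, and the set of source suffixes and the three-line search window are assumptions (the kernel convention places the tag on the first line, or the second line after a shebang).

```python
"""Scan a source tree for SPDX-License-Identifier tags and report
every file that has none. Added example for this page, not the
article's or the kernel project's own tooling."""
import os
import re
import tempfile

# Matches the tag in //, /* */, or # comment styles; the expression
# runs to end of line and a trailing "*/" is stripped afterwards.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+)")

# Assumption: these suffixes are treated as auditable source files.
SOURCE_SUFFIXES = (".c", ".h", ".S", ".sh", ".py", ".rs")


def spdx_identifier(path, max_lines=3):
    """Return the SPDX expression found in the first max_lines of path,
    or None when the file carries no tag there."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for _, line in zip(range(max_lines), fh):
            m = SPDX_RE.search(line)
            if m:
                expr = m.group(1).strip()
                return re.sub(r"\s*\*/\s*$", "", expr)
    return None


def audit_tree(root):
    """Walk root; return (count per SPDX expression, untagged files).
    Untagged files are what a human auditor must examine, because the
    default-license rule may not match what the author intended."""
    counts = {}
    untagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            expr = spdx_identifier(path)
            if expr is None:
                untagged.append(os.path.relpath(path, root))
            else:
                counts[expr] = counts.get(expr, 0) + 1
    return counts, sorted(untagged)


# Constructed sample tree: three tagged files, one untagged source
# file, and a Makefile that is outside the audited suffix set.
SAMPLE_FILES = {
    "drivers/foo.c": "// SPDX-License-Identifier: GPL-2.0\n#include <linux/module.h>\n",
    "include/uapi/foo.h": "/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */\n#define FOO 1\n",
    "scripts/gen.sh": "#!/bin/sh\n# SPDX-License-Identifier: GPL-2.0-or-later\necho hi\n",
    "lib/untagged.c": "/* no license header at all */\nint x;\n",
    "Makefile": "obj-y += foo.o\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return it."""
    root = tempfile.mkdtemp(prefix="spdx-audit-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_sample():
    """Build the constructed tree and audit it."""
    return audit_tree(build_sample_tree())


if __name__ == "__main__":
    counts, untagged = run_sample()
    for expr, n in sorted(counts.items()):
        print(f"{n:4d}  {expr}")
    print("Files without an SPDX tag (review manually):")
    for rel in untagged:
        print("  ", rel)
```

On a real checkout the untagged list is the manual-review queue; a tagged file is not automatically correct either, which is why the per-expression counts are worth eyeballing for surprising entries alongside the untagged report.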

Read the full story by Dr. Andreas Kotulla, Founder and CEO of Bitsea, here.
