License Issue with boost_intrusive

License Issue with boost_intrusive

Boost - Users mailing list
During an annual third-party audit of our source code, boost intrusive was flagged as containing unlicensed code. Specifically, there are several pieces of code in this file which are explicitly attributed to external parties on external websites, which still exist and show no license. 


 

Original sources: 
I don't claim to be a license expert. I've read a lot over the years, but this is the first time that I've actually been between an attorney and a codebase having to figure out practical implications of a scenario like this. 

I first want to make sure that the Boost committee is aware of this situation.

Second, I would like to know what the official conclusion would be from the Boost Committee about the license implications in cases like these. Maybe it has come up before and is well established. On the surface, the implications seem ambiguous to me when: DEVELOPER_A takes unlicensed code off the internet, prefixes it with a comment that says "Thanks to DEVELOPER_B", then prefixes the whole file with a file-level copyright notice that says "COPYRIGHT DEVELOPER_A", and then says it's distributed under BSL-1.0 license, and then the boost team re-distributes the source code.

Internally at my company, there was little discussion about it. There is no room for ambiguity, so the directive from management was to delete the file from our SCM system completely and ensure it never is included in our products. VERY fortunately, deleting it doesn't seem to have broken our builds. In future cases like this, that's really not what we want to be doing with your OSS libraries for obvious reasons. So, I'd like to know if there's any chance this situation changes in a future version of Boost (i.e., the code be removed/re-written with a clean-room approach, etc.).

Regards,
Jerry

Gerald R. Wiltse
[hidden email]


_______________________________________________
Boost-users mailing list
[hidden email]
https://lists.boost.org/mailman/listinfo.cgi/boost-users
Re: License Issue with boost_intrusive

Boost - Users mailing list


From: Boost-users <[hidden email]> On Behalf Of Gerald Wiltse via Boost-users
Sent: 22 August 2019 20:06
To: [hidden email]
Cc: Gerald Wiltse <[hidden email]>
Subject: [Boost-users] License Issue with boost_intrusive

> During an annual third-party audit of our source code, boost intrusive was flagged as containing unlicensed code. Specifically, there are several pieces of code in this file which are explicitly attributed to external parties on external websites, which still exist and show no license.
>
> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L156-L158
>
> https://github.com/boostorg/intrusive/blob/develop/include/boost/intrusive/detail/math.hpp#L207-L208
>
> Original sources:
> http://stackoverflow.com/questions/11376288/fast-computing-of-log2-for-64-bit-integers
> http://www.flipcode.com/archives/Fast_log_Function.shtml

> I don't claim to be a license expert. I've read a lot over the years, but this is the first time that I've actually been between an attorney and a codebase having to figure out practical implications of a scenario like this.

> I first want to make sure that the Boost committee is aware of this situation.

> Second, I would like to know what the official conclusion would be from the Boost Committee about the license implications in cases like these. Maybe it has come up before and is well established. On the surface, the implications seem ambiguous to me when: DEVELOPER_A takes unlicensed code off the internet, prefixes it with a comment that says "Thanks to DEVELOPER_B", then prefixes the whole file with a file-level copyright notice that says "COPYRIGHT DEVELOPER_A", and then says it's distributed under BSL-1.0 license, and then the boost team re-distributes the source code.

> Internally at my company, there was little discussion about it. There is no room for ambiguity, so the directive from management was to delete the file from our SCM system completely and ensure it never is included in our products. VERY fortunately, deleting it doesn't seem to have broken our builds. In future cases like this, that's really not what we want to be doing with your OSS libraries for obvious reasons. So, I'd like to know if there's any chance this situation changes in a future version of Boost (i.e., the code be removed/re-written with a clean-room approach, etc.).

The use of “taken from” may be unfortunate, but to me this looks like a simple reference, of which there are very, very many in Boost - and rightly so, for giving credit where it is due is important.

See https://en.wikipedia.org/wiki/De_Bruijn_sequence.

I’m not an expert on bit twiddling, but it looks like this is the only way of implementing it using the De Bruijn sequence. So it *cannot* be rewritten?

(it might be cosmetically changed so that it does not trigger computer searches like this but ...)

A lawyer with an automatic program and modest knowledge of maths and computing may be a dangerous thing?

Is the De Bruijn sequence patented would seem a more interesting question.

Has anyone else claimed copyright?

My 2p-worth

Paul

Paul A. Bristow
Prizet Farmhouse
Kendal, Cumbria
LA8 8AB           UK
