Is the libfuzzer license information still accurate?

Open hanna-kruppe opened this issue 10 months ago • 2 comments

The SPDX expression is "(MIT OR Apache-2.0) AND NCSA" and the README says:

> All files in the libfuzzer directory are licensed NCSA.
>
> Everything else is dual-licensed Apache 2.0 and MIT.

But the vendored version of libfuzzer is from LLVM 19.x, long after LLVM started relicensing from NCSA to Apache-2.0 WITH LLVM-exception. There doesn't seem to be any definite statement whether the relicensing is 100% complete, but it's pretty far along:

  1. Some rust-lang projects have updated their license strings in line with the new LLVM license, dropping NCSA (e.g., https://github.com/rust-lang/compiler-builtins/pull/717)
  2. Since 2024-06-01, LLVM upstream no longer requires new contributions to be dual-licensed under NCSA and Apache-2.0 WITH LLVM-exception. The currently vendored commit includes some changes to libfuzzer made since then, which presumably aren't licensed under NCSA at all.

I'm no licensing expert but it seems like NCSA should be replaced with Apache-2.0 WITH LLVM-exception in Cargo.toml and README.

hanna-kruppe, Feb 01 '25 11:02

I'm no licensing expert either but your explanation makes sense to me.

fitzgen, Feb 27 '25 20:02

I think that's fine

Manishearth, Feb 27 '25 20:02