Henry Spencer's license
by Petr Šabata
While checking the contents of our `perl' package, I noticed the following:
/* NOTE: this is derived from Henry Spencer's regexp code, and should not
* confused with the original package (see point 3 below). Thanks, Henry!
/* Additional note: this code is very heavily munged from Henry's version
* in places. In some spots I've traded clarity for efficiency, so don't
* blame Henry for some of the lack of readability.
/* The names of the functions have been changed from regcomp and
* regexec to pregcomp and pregexec in order to avoid conflicts
* with the POSIX routines of the same names.
* pregcomp and pregexec -- regsub and regerror are not used in perl
* Copyright (c) 1986 by University of Toronto.
* Written by Henry Spencer. Not derived from licensed software.
* Permission is granted to anyone to use this software for any
* purpose on any computer system, and to redistribute it freely,
* subject to the following restrictions:
* 1. The author is not responsible for the consequences of use of
* this software, no matter how awful, even if they arise
* from defects in it.
* 2. The origin of this software must not be misrepresented, either
* by explicit claim or by omission.
* 3. Altered versions must be plainly marked as such, and must not
* be misrepresented as being the original software.
**** Alterations to Henry's code are...
**** Copyright (C) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
**** 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
**** by Larry Wall and others
**** You may distribute under the terms of either the GNU General Public
**** License or the Artistic License, as specified in the README file.
You can see the whole file here:
I looked but couldn't find any common name for this license
of Henry's. Is it on our list? Is it free? What name should
I use in the License tag?
2 weeks, 2 days
OCaml linking exception
by Jerry James
We have quite a few packages in Fedora that are released under some
version of the LGPL with what SPDX calls OCaml-LGPL-linking-exception.
That exception does not appear in the rpmlint-fedora-license-data
package. I'm looking at /etc/xdg/rpmlint/fedora-spdx-licenses.toml,
at the bottom, in ValidLicenseExceptions. Indeed, when I tried to use
it, rpmlint complained:
frama-c.x86_64: W: invalid-license-exception OCaml-LGPL-linking-exception
Should I include this exception when converting OCaml package License
tags to SPDX format?
3 months, 3 weeks
Moolticute SPDX update
by Arthur Bols
I'm in the progress of migrating the Mooltice  package to SPDX, but
it proved to be more difficult than anticipated. I would be grateful if
someone could review my current analysis.
The license tag and accompanying comment I have at the moment is the
# The entire source code is GPL-3.0-or-later except:
# src/qwinoverlappedionotifier.[cpp|h] which is LGPL-3.0 OR
# src/AnsiEscapeCodeHandler.[cpp|h] which is Qt-GPL-exception-1.0,
# src/CyoEncode/ which is BSD-2-Clause,
# src/QtAwesome/ which is MIT AND OFL-1.1 AND CC-BY-3.0 (see
src/QtAwesome/README.md for details),
# src/SimpleCrypt/ which is BSD-3-Clause,
# src/http-parser/ which is MIT,
# src/qtcsv/ which is MIT,
# src/qtcsv6/ which is MIT,
# src/utils/qurltlds_p.h which is MPL-2.0 OR GPL-2.0-or-later OR
# src/zxcvbn-c which is BSD-3-Clause.
License: GPL-3.0-only AND GPL-3.0-or-later AND (LGPL-3.0 OR
GPL-2.0-or-later) AND BSD-2-Clause AND BSD-3-Clause AND MIT AND OFL-1.1
AND CC-BY-3.0 AND (MPL-2.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later)
You can find the output of licensecheck here:
. Note that src/QSimpleUpdater is removed as a patch.
Besides that I also couldn't find any reference to Qt-GPL-exception-1.0.
Is this license allowed?
Thank in advance!
3 months, 3 weeks
Permissibility of P-434 based elliptic curve in Fedora
by Fabio Valentini
During package review of the fiat-crypto Rust library, I noticed that
it contains an implementation of an elliptic curve (p434) which isn't
mentioned on the "good" list here:
I also can't find any references or sources for this curve (search
results for P-434, p434, and curve434 all come up empty). The only
mention of "p434" with respect to cryptography is in this Microsoft
And looking at the source code, I'm not even sure whether the P-434
curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes
that are mentioned there, other than the fact that they happen to be
based on the same prime number (2^216 * 3^137 - 1).
Given that there's no mention of any elliptic curves that use p434 on
the internet (that I could find), is it OK to ship it in a Fedora
package, or do we need to remove it from the sources?
4 months, 2 weeks