legal November 2022

legal@lists.fedoraproject.org

11 participants
9 discussions

Request to stop hobbling crypto libraries
by Neal Gompa 12 Sep '24

12 Sep '24

Hey all, As part of the discussion going on about Mesa on devel@, the situation around OpenSSL was brought up, and Adam Williamson brought up that we might not need to hobble OpenSSL anymore[1]. A quick check seems to indicate we no longer do it for GnuTLS either, and haven't for many years[2]. Could we just drop all this stuff and use pristine OpenSSL sources? All the crypto algorithm usability stuff is controlled through crypto-policies, so I don't think it makes sense to do this anymore for OpenSSL since all the patents indicated in the script have expired for a couple of years now[3]. Dropping this will eliminate a chunk of cruft that nobody needs around anymore and simplify OpenSSL maintenance. [1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org… [2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a… [3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl -- 真実はいつも一つ！/ Always, there's only one truth!

7 16

Brainpool Curves in Fedora (openssl, libgcrypt, gnupg)
by Timothée Ravier 21 May '24

21 May '24

Hi everyone, The ECC Brainpool Curves [1][2] are currently not available in Fedora as according to this BZ [3], this needs Fedora Legal approval. Could someone from the legal team take a look to see if there are any blockers regarding Brainpool Curves inclusion in Fedora? Thanks! [1] https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Implementation [2] https://tools.ietf.org/html/rfc5639 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1413618

14 31

Permissibility of P-434 based elliptic curve in Fedora
by Fabio Valentini 30 Apr '23

30 Apr '23

Hello, During package review of the fiat-crypto Rust library, I noticed that it contains an implementation of an elliptic curve (p434) which isn't mentioned on the "good" list here: https://fedoraproject.org/wiki/Legal:ECC I also can't find any references or sources for this curve (search results for P-434, p434, and curve434 all come up empty). The only mention of "p434" with respect to cryptography is in this Microsoft project: https://github.com/microsoft/PQCrypto-SIDH And looking at the source code, I'm not even sure whether the P-434 curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes that are mentioned there, other than the fact that they happen to be based on the same prime number (2^216 * 3^137 - 1). Given that there's no mention of any elliptic curves that use p434 on the internet (that I could find), is it OK to ship it in a Fedora package, or do we need to remove it from the sources? ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536 Fabio

2 4

Henry Spencer's license
by Petr Šabata 06 Mar '23

06 Mar '23

Dear legal, While checking the contents of our `perl' package, I noticed the following: (...) /* NOTE: this is derived from Henry Spencer's regexp code, and should not * confused with the original package (see point 3 below). Thanks, Henry! */ /* Additional note: this code is very heavily munged from Henry's version * in places. In some spots I've traded clarity for efficiency, so don't * blame Henry for some of the lack of readability. */ /* The names of the functions have been changed from regcomp and * regexec to pregcomp and pregexec in order to avoid conflicts * with the POSIX routines of the same names. */ (...) * pregcomp and pregexec -- regsub and regerror are not used in perl * * Copyright (c) 1986 by University of Toronto. * Written by Henry Spencer. Not derived from licensed software. * * Permission is granted to anyone to use this software for any * purpose on any computer system, and to redistribute it freely, * subject to the following restrictions: * * 1. The author is not responsible for the consequences of use of * this software, no matter how awful, even if they arise * from defects in it. * * 2. The origin of this software must not be misrepresented, either * by explicit claim or by omission. * * 3. Altered versions must be plainly marked as such, and must not * be misrepresented as being the original software. * **** Alterations to Henry's code are... **** **** Copyright (C) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, **** 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 **** by Larry Wall and others **** **** You may distribute under the terms of either the GNU General Public **** License or the Artistic License, as specified in the README file. (...) You can see the whole file here: https://metacpan.org/source/SHAY/perl-5.20.1/regexec.c I looked but couldn't find any common name for this license of Henry's. Is it on our list? Is it free? What name should I use in the License tag? Thank you, Petr

5 9

How to handle CC0 in .NET 7 (dotnet7.0) ?
by Omair Majid 15 Jan '23

15 Jan '23

Hi, I am trying to package .NET 7 in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2142178 (This is a new package, though it's "just" an updated version of the .NET 6 package that we already include in Fedora.) The reviewer has helped identify that the source code archive includes a few files that include notes about Creative Commons. I am looking on advice on how to handle it. I found basically these 7 non-content files that have a pointer to creativecommons.org: https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Co… https://github.com/dotnet/runtime/tree/main/src/libraries/System.Private.Co… These two files have an MIT license header in addition to the comment that the code is based on an algorithm originally licensed under CC0. These files are a critical part of .NET that we absolutely need to build and include in Fedora. Can I ignore the comment about CC0 because of the MIT license header in the file? Is it safe to treat these files as under MIT only? If not, what are my options to handle this piece of code? https://github.com/dotnet/fsharp/tree/main/tests/benchmarks/CompiledCodeBen… https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FSha… https://github.com/dotnet/fsharp/tree/main/tests/FSharp.Core.UnitTests/FSha… These 3 don't have an MIT or Apache header. Only a Creative Commons header. Given that these files are benchmarks and unit tests that we don't run during the build, I suppose I can just delete these files? Do I need to delete them from the source archive or can I delete them in %prep? Are other/easier options on the table here? https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.c https://github.com/dotnet/runtime/tree/main/src/mono/mono/utils/dlmalloc.h These are under CC-PDDC and hence acceptable without any issues, right? It looks like newer versions of dlmalloc use CC0 and so are unacceptable to Fedora? Is there any guidance I can share with .NET upstream in terms of the impact of eventually switching to the newer version of dlmalloc? Thanks, Omair -- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0

5 17

OCaml linking exception
by Jerry James 26 Nov '22

26 Nov '22

We have quite a few packages in Fedora that are released under some version of the LGPL with what SPDX calls OCaml-LGPL-linking-exception. That exception does not appear in the rpmlint-fedora-license-data package. I'm looking at /etc/xdg/rpmlint/fedora-spdx-licenses.toml, at the bottom, in ValidLicenseExceptions. Indeed, when I tried to use it, rpmlint complained: frama-c.x86_64: W: invalid-license-exception OCaml-LGPL-linking-exception Should I include this exception when converting OCaml package License tags to SPDX format? Thank you, -- Jerry James http://www.jamezone.org/

2 2

Moolticute SPDX update
by Arthur Bols 26 Nov '22

26 Nov '22

Hi all, I'm in the progress of migrating the Mooltice [0] package to SPDX, but it proved to be more difficult than anticipated. I would be grateful if someone could review my current analysis. The license tag and accompanying comment I have at the moment is the following: # The entire source code is GPL-3.0-or-later except: # src/qwinoverlappedionotifier.[cpp|h] which is LGPL-3.0 OR GPL-2.0-or-later, # src/AnsiEscapeCodeHandler.[cpp|h] which is Qt-GPL-exception-1.0, # src/CyoEncode/ which is BSD-2-Clause, # src/QtAwesome/ which is MIT AND OFL-1.1 AND CC-BY-3.0 (see src/QtAwesome/README.md for details), # src/SimpleCrypt/ which is BSD-3-Clause, # src/http-parser/ which is MIT, # src/qtcsv/ which is MIT, # src/qtcsv6/ which is MIT, # src/utils/qurltlds_p.h which is MPL-2.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later, # src/zxcvbn-c which is BSD-3-Clause. License: GPL-3.0-only AND GPL-3.0-or-later AND (LGPL-3.0 OR GPL-2.0-or-later) AND BSD-2-Clause AND BSD-3-Clause AND MIT AND OFL-1.1 AND CC-BY-3.0 AND (MPL-2.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later) You can find the output of licensecheck here: https://principis.fedorapeople.org/moolticute-0.55.18-testing-licensecheck.… . Note that src/QSimpleUpdater is removed as a patch. Besides that I also couldn't find any reference to Qt-GPL-exception-1.0. Is this license allowed? [0] https://src.fedoraproject.org/rpms/moolticute Thank in advance! -- Arthur Bols fas/irc: principis

4 12

about openssl we may enable and build all elliptic curves on corp ?
by Sérgio Basto 05 Nov '22

05 Nov '22

Hello, I reopen or start thinking again on this question of enable elliptic curves of openssl [1] So going directly to the point, may I built all source of openssl in copr [2] ? or at least some other curves that fedora package don't ship? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1405843 [2] Version: 1.0.2k %global fips_version 2.0.14 I mean sources: http://ftp.o penssl.org/source/openssl-%{version}.tar.gz and http://ftp.openssl.org/s ource/openssl-fips-%{fips_version}.tar.gz Thanks , -- Sérgio M. B.

4 6

Patent question for moodycamel-readerwriterqueue package
by Sergey Mende 01 Nov '22

01 Nov '22

Hi, I have a package in review process that could affect some patents [0]. The author claims that the work was done from scratch [1] though he admits that he did not search for any existing patents. Benson Muite had found a patent that covers the similar topic [2] I am completely dumb in this area, so I kindly ask someone to help identify if the author's implementation violates the rights of any patent owner. [0] https://bugzilla.redhat.com/show_bug.cgi?id=2129304 [1] https://moodycamel.com/blog/2013/a-fast-lock-free-queue-for-c++ [2] https://patents.google.com/patent/US8543743B2/en Thanks in advance, Sergey

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal November 2022