Permissibility of P-434 based elliptic curve in Fedora
by Fabio Valentini
Hello,
During package review of the fiat-crypto Rust library, I noticed that
it contains an implementation of an elliptic curve (p434) which isn't
mentioned on the "good" list here:
https://fedoraproject.org/wiki/Legal:ECC
I also can't find any references or sources for this curve (search
results for P-434, p434, and curve434 all come up empty). The only
mention of "p434" with respect to cryptography is in this Microsoft
project: https://github.com/microsoft/PQCrypto-SIDH
And looking at the source code, I'm not even sure whether the P-434
curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes
that are mentioned there, other than the fact that they happen to be
based on the same prime number (2^216 * 3^137 - 1).
Given that there's no mention of any elliptic curves that use p434 on
the internet (that I could find), is it OK to ship it in a Fedora
package, or do we need to remove it from the sources?
ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536
Fabio
11 months, 3 weeks
Henry Spencer's license
by Petr Šabata
Dear legal,
While checking the contents of our `perl' package, I noticed the following:
(...)
/* NOTE: this is derived from Henry Spencer's regexp code, and should not
* confused with the original package (see point 3 below). Thanks, Henry!
*/
/* Additional note: this code is very heavily munged from Henry's version
* in places. In some spots I've traded clarity for efficiency, so don't
* blame Henry for some of the lack of readability.
*/
/* The names of the functions have been changed from regcomp and
* regexec to pregcomp and pregexec in order to avoid conflicts
* with the POSIX routines of the same names.
*/
(...)
* pregcomp and pregexec -- regsub and regerror are not used in perl
*
* Copyright (c) 1986 by University of Toronto.
* Written by Henry Spencer. Not derived from licensed software.
*
* Permission is granted to anyone to use this software for any
* purpose on any computer system, and to redistribute it freely,
* subject to the following restrictions:
*
* 1. The author is not responsible for the consequences of use of
* this software, no matter how awful, even if they arise
* from defects in it.
*
* 2. The origin of this software must not be misrepresented, either
* by explicit claim or by omission.
*
* 3. Altered versions must be plainly marked as such, and must not
* be misrepresented as being the original software.
*
**** Alterations to Henry's code are...
****
**** Copyright (C) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
**** 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
**** by Larry Wall and others
****
**** You may distribute under the terms of either the GNU General Public
**** License or the Artistic License, as specified in the README file.
(...)
You can see the whole file here:
https://metacpan.org/source/SHAY/perl-5.20.1/regexec.c
I looked but couldn't find any common name for this license
of Henry's. Is it on our list? Is it free? What name should
I use in the License tag?
Thank you,
Petr
1 year, 1 month
OCaml linking exception
by Jerry James
We have quite a few packages in Fedora that are released under some
version of the LGPL with what SPDX calls OCaml-LGPL-linking-exception.
That exception does not appear in the rpmlint-fedora-license-data
package. I'm looking at /etc/xdg/rpmlint/fedora-spdx-licenses.toml,
at the bottom, in ValidLicenseExceptions. Indeed, when I tried to use
it, rpmlint complained:
frama-c.x86_64: W: invalid-license-exception OCaml-LGPL-linking-exception
Should I include this exception when converting OCaml package License
tags to SPDX format?
Thank you,
--
Jerry James
http://www.jamezone.org/
1 year, 4 months
Moolticute SPDX update
by Arthur Bols
Hi all,
I'm in the progress of migrating the Mooltice [0] package to SPDX, but
it proved to be more difficult than anticipated. I would be grateful if
someone could review my current analysis.
The license tag and accompanying comment I have at the moment is the
following:
# The entire source code is GPL-3.0-or-later except:
# src/qwinoverlappedionotifier.[cpp|h] which is LGPL-3.0 OR
GPL-2.0-or-later,
# src/AnsiEscapeCodeHandler.[cpp|h] which is Qt-GPL-exception-1.0,
# src/CyoEncode/ which is BSD-2-Clause,
# src/QtAwesome/ which is MIT AND OFL-1.1 AND CC-BY-3.0 (see
src/QtAwesome/README.md for details),
# src/SimpleCrypt/ which is BSD-3-Clause,
# src/http-parser/ which is MIT,
# src/qtcsv/ which is MIT,
# src/qtcsv6/ which is MIT,
# src/utils/qurltlds_p.h which is MPL-2.0 OR GPL-2.0-or-later OR
LGPL-2.1-or-later,
# src/zxcvbn-c which is BSD-3-Clause.
License: GPL-3.0-only AND GPL-3.0-or-later AND (LGPL-3.0 OR
GPL-2.0-or-later) AND BSD-2-Clause AND BSD-3-Clause AND MIT AND OFL-1.1
AND CC-BY-3.0 AND (MPL-2.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later)
You can find the output of licensecheck here:
https://principis.fedorapeople.org/moolticute-0.55.18-testing-licensechec...
. Note that src/QSimpleUpdater is removed as a patch.
Besides that I also couldn't find any reference to Qt-GPL-exception-1.0.
Is this license allowed?
[0] https://src.fedoraproject.org/rpms/moolticute
Thank in advance!
--
Arthur Bols
fas/irc: principis
1 year, 4 months
