Hey all,
As part of the discussion going on about Mesa on devel@, the situation
around OpenSSL was brought up, and Adam Williamson brought up that we
might not need to hobble OpenSSL anymore[1]. A quick check seems to
indicate we no longer do it for GnuTLS either, and haven't for many
years[2].
Could we just drop all this stuff and use pristine OpenSSL sources?
All the crypto algorithm usability stuff is controlled through
crypto-policies, so I don't think it makes sense to do this anymore
for OpenSSL since all the patents indicated in the script have expired
for a couple of years now[3].
Dropping this will eliminate a chunk of cruft that nobody needs around
anymore and simplify OpenSSL maintenance.
[1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
[2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a…
[3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl
--
真実はいつも一つ!/ Always, there's only one truth!
Hello,
During package review of the fiat-crypto Rust library, I noticed that
it contains an implementation of an elliptic curve (p434) which isn't
mentioned on the "good" list here:
https://fedoraproject.org/wiki/Legal:ECC
I also can't find any references or sources for this curve (search
results for P-434, p434, and curve434 all come up empty). The only
mention of "p434" with respect to cryptography is in this Microsoft
project: https://github.com/microsoft/PQCrypto-SIDH
And looking at the source code, I'm not even sure whether the P-434
curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes
that are mentioned there, other than the fact that they happen to be
based on the same prime number (2^216 * 3^137 - 1).
Given that there's no mention of any elliptic curves that use p434 on
the internet (that I could find), is it OK to ship it in a Fedora
package, or do we need to remove it from the sources?
ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536
Fabio
Dear legal,
While checking the contents of our `perl' package, I noticed the following:
(...)
/* NOTE: this is derived from Henry Spencer's regexp code, and should not
* confused with the original package (see point 3 below). Thanks, Henry!
*/
/* Additional note: this code is very heavily munged from Henry's version
* in places. In some spots I've traded clarity for efficiency, so don't
* blame Henry for some of the lack of readability.
*/
/* The names of the functions have been changed from regcomp and
* regexec to pregcomp and pregexec in order to avoid conflicts
* with the POSIX routines of the same names.
*/
(...)
* pregcomp and pregexec -- regsub and regerror are not used in perl
*
* Copyright (c) 1986 by University of Toronto.
* Written by Henry Spencer. Not derived from licensed software.
*
* Permission is granted to anyone to use this software for any
* purpose on any computer system, and to redistribute it freely,
* subject to the following restrictions:
*
* 1. The author is not responsible for the consequences of use of
* this software, no matter how awful, even if they arise
* from defects in it.
*
* 2. The origin of this software must not be misrepresented, either
* by explicit claim or by omission.
*
* 3. Altered versions must be plainly marked as such, and must not
* be misrepresented as being the original software.
*
**** Alterations to Henry's code are...
****
**** Copyright (C) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
**** 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
**** by Larry Wall and others
****
**** You may distribute under the terms of either the GNU General Public
**** License or the Artistic License, as specified in the README file.
(...)
You can see the whole file here:
https://metacpan.org/source/SHAY/perl-5.20.1/regexec.c
I looked but couldn't find any common name for this license
of Henry's. Is it on our list? Is it free? What name should
I use in the License tag?
Thank you,
Petr
What's the best way to raise licensing issues in already-added packages?
I think there are largely two cases:
* Fedora and its distributors comply with the licensing terms, but the
license is not obviously on Fedora's allowed list. An example would
be an obscure field-of-use restriction (as in the JSON license).
* Fedora and its distributors appear violating the license. An example
would be a package that ships a pre-built Linux kernel binary without
the required GPL notices, and without corresponding soruce code.
Do these two cases need to be treated differently? In the past, I may
have filed bugs in Bugzilla, but this might be construed as a bit rude.
I looked at <https://docs.fedoraproject.org/en-US/legal/> and couldn't
find any discussion of this topic. Sorry if I missed it.
Thanks,
Florian
Hi all,
With the update to the regex-syntax crate package that I'm building
right now, the license will change from "MIT OR Apache-2.0" to "(MIT
OR Apache-2.0) AND Unicode-DFS-2016".
The project includes code that is derived from Unicode data files, and
it already shipped a license text for the Unicode-DFS-2016 license for
this reason - but the SPDX license string in upstream crate metadata
doesn't reflect this fact. It also appears that the inclusion of the
additional license file was made after the package was initially
reviewed for Fedora, and as a result, previous versions of this
package didn't include the Unicode license in its License tag.
I have also opened an upstream discussion about this, since I believe
that the upstream license specifier is wrong (i.e. missing " ... AND
Unicode-DFS-2016"), but upstream developers don't appear convinced
(even though similar changes were already made in equivalent cases for
other Rust projects):
https://github.com/rust-lang/regex/discussions/933
This change will probably have at least some "ripple effect" across
Rust packages in Fedora once they are rebuilt against this new
version, since basically everything depends on the "regex" crate
(which depends on regex-syntax), either directly, or indirectly.
I'm pretty sure that this package now has the the correct license tag
(i.e. project has two parts: first part is dual-licensed "MIT OR
Apache-2.0", second part is derived from Unicode data and is licensed
"Unicode-DFS-2016", so the license tag should reflect *both* parts),
but if I am wrong about this, please get my attention, so I can revert
this change in a timely manner.
Fabio
The manual for XMLada comes with this statement:
| Copyright (C) 2000-2002, Emmanuel Briot
|
| Copyright (C) 2003-2011, AdaCore
|
| This document may be copied, in whole or in part, in any form or by
| any means, as is or with alterations, provided that (1) alterations
| are clearly marked as alterations and (2) this copyright notice is
| included unmodified in any copy.
That's all of it. The upstream source is here:
https://github.com/AdaCore/xmlada/blob/master/docs/index.rst
What shall we call this license in SPDX notation?
Björn Persson