legal January 2023

legal@lists.fedoraproject.org

15 participants
21 discussions

Request to stop hobbling crypto libraries
by Neal Gompa 12 Sep '24

12 Sep '24

Hey all, As part of the discussion going on about Mesa on devel@, the situation around OpenSSL was brought up, and Adam Williamson brought up that we might not need to hobble OpenSSL anymore[1]. A quick check seems to indicate we no longer do it for GnuTLS either, and haven't for many years[2]. Could we just drop all this stuff and use pristine OpenSSL sources? All the crypto algorithm usability stuff is controlled through crypto-policies, so I don't think it makes sense to do this anymore for OpenSSL since all the patents indicated in the script have expired for a couple of years now[3]. Dropping this will eliminate a chunk of cruft that nobody needs around anymore and simplify OpenSSL maintenance. [1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org… [2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a… [3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl -- 真実はいつも一つ！/ Always, there's only one truth!

7 16

Brainpool Curves in Fedora (openssl, libgcrypt, gnupg)
by Timothée Ravier 21 May '24

21 May '24

Hi everyone, The ECC Brainpool Curves [1][2] are currently not available in Fedora as according to this BZ [3], this needs Fedora Legal approval. Could someone from the legal team take a look to see if there are any blockers regarding Brainpool Curves inclusion in Fedora? Thanks! [1] https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Implementation [2] https://tools.ietf.org/html/rfc5639 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1413618

14 31

Permissibility of P-434 based elliptic curve in Fedora
by Fabio Valentini 30 Apr '23

30 Apr '23

Hello, During package review of the fiat-crypto Rust library, I noticed that it contains an implementation of an elliptic curve (p434) which isn't mentioned on the "good" list here: https://fedoraproject.org/wiki/Legal:ECC I also can't find any references or sources for this curve (search results for P-434, p434, and curve434 all come up empty). The only mention of "p434" with respect to cryptography is in this Microsoft project: https://github.com/microsoft/PQCrypto-SIDH And looking at the source code, I'm not even sure whether the P-434 curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes that are mentioned there, other than the fact that they happen to be based on the same prime number (2^216 * 3^137 - 1). Given that there's no mention of any elliptic curves that use p434 on the internet (that I could find), is it OK to ship it in a Fedora package, or do we need to remove it from the sources? ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536 Fabio

2 4

Henry Spencer's license
by Petr Šabata 06 Mar '23

06 Mar '23

Dear legal, While checking the contents of our `perl' package, I noticed the following: (...) /* NOTE: this is derived from Henry Spencer's regexp code, and should not * confused with the original package (see point 3 below). Thanks, Henry! */ /* Additional note: this code is very heavily munged from Henry's version * in places. In some spots I've traded clarity for efficiency, so don't * blame Henry for some of the lack of readability. */ /* The names of the functions have been changed from regcomp and * regexec to pregcomp and pregexec in order to avoid conflicts * with the POSIX routines of the same names. */ (...) * pregcomp and pregexec -- regsub and regerror are not used in perl * * Copyright (c) 1986 by University of Toronto. * Written by Henry Spencer. Not derived from licensed software. * * Permission is granted to anyone to use this software for any * purpose on any computer system, and to redistribute it freely, * subject to the following restrictions: * * 1. The author is not responsible for the consequences of use of * this software, no matter how awful, even if they arise * from defects in it. * * 2. The origin of this software must not be misrepresented, either * by explicit claim or by omission. * * 3. Altered versions must be plainly marked as such, and must not * be misrepresented as being the original software. * **** Alterations to Henry's code are... **** **** Copyright (C) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, **** 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 **** by Larry Wall and others **** **** You may distribute under the terms of either the GNU General Public **** License or the Artistic License, as specified in the README file. (...) You can see the whole file here: https://metacpan.org/source/SHAY/perl-5.20.1/regexec.c I looked but couldn't find any common name for this license of Henry's. Is it on our list? Is it free? What name should I use in the License tag? Thank you, Petr

5 9

Re: SPDX Statistics - Pavel edition
by Richard Fontana 29 Jan '23

29 Jan '23

On Sun, Jan 29, 2023 at 11:41 AM Miroslav Suchý <msuchy(a)redhat.com> wrote: > > Tip: do you want to audit licenses in your tarball? Unpack the tarball and try: > > dnf install askalono-cli > > askalono crawl /path/to/directory Regarding askalono: I had not heard of it prior to getting involved in this whole Fedora initiative around the Callaway->SPDX migration and the revamped legal documentation. Since then I've used it quite a bit, mostly for some non-Fedora-related work. askalono is a easy-to-use tool which is good to reach for in some situations, but one should be aware of its limitations and primitiveness. It can't recognize or understand: * license notices/license texts that are comments in source files (it specifically looks only for files that are named LICENSE or COPYING or some obvious variant on those) * license notices/license texts in README files * license files that contain multiple license texts (or it will only recognize the first of them) * nonstandard/archaic/legacy licenses (which covers most of the licenses being reviewed in issues in fedora-license-data) I've found it useful for quick analysis of packages coming out of ecosystems featuring projects known to have (1) highly standardized approaches to layout of license information, (2) generally simple license makeup, and (3) cultural preferences for a highly limited set of licenses (for example, Rust crates that don't bundle legacy C code, Golang modules, Node.js npm packages). For things that don't have such simple characteristics (such as a lot of relatively old, historically complex Fedora packages) it is probably not going to be too useful for its "crawl" functionality. And for the task of trying to identify previously-overlooked or abstracted-away licenses in Fedora packages it is basically not useful at all. So: a good tool to have in the toolbox, but its limitations should be understood, and I don't think it can really be recommended as an audit tool by itself, given its limitations, even for the kinds of packages it is relatively useful for. Richard

1 0

Fwd: SPDX Statistics - Pavel edition
by Miroslav Suchý 29 Jan '23

29 Jan '23

Two weeks ago we had: > * 23030 spec files in Fedora > > * 29390 license tags in all spec files > > * 22766 tags have not been converted to SPDX yet > > * 8986 tags can be trivially converted using `license-fedora2spdx` > > Today we have: * 23036 spec files in Fedora * 29407 license tags in all spec files * 22611 tags have not been converted to SPDX yet * 8885 tags can be trivially converted using `license-fedora2spdx` The list of packages needed to be converted is again here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… New version of fedora-license-data has been released. Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ has been updated too. I updated the progress in this spreadsheet: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… You converted 155 license tags in 16 days. New projection when we will be finished is 2024-08-14. Pure linear approximation. Tip: do you want to audit licenses in your tarball? Unpack the tarball and try: dnf install askalono-cli askalono crawl /path/to/directory Why Pavel edition? Because yesterday we had and presidential election in Czechia and Petr Pavel is our new president https://en.wikipedia.org/wiki/Petr_Pavel Do you hesitate how to proceed with the migration? Please follow https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ Miroslav

1 0

License change: snakemake 7.20.0 is MIT AND Unlicense
by Ben Beasley 23 Jan '23

23 Jan '23

The entire project remains (SPDX) MIT, except: - versioneer.py is Unlicense (but is not packaged in the binary RPMs) - snakemake/_version.py says: This file is released into the public domain. which would be LicenseRef-Fedora-Public-Domain, except that the comments in versioneer.py make it clear that Unlicense is intended for the generated files as well. The License field now reflects this. Older versions of versioneer.py had similar language, but with CC0-1.0 instead of Unlicense.

1 0

Exception needed for KDE GitLab CI scripts being licensed CC0-1.0
by Neal Gompa 23 Jan '23

23 Jan '23

Hey folks, So I was working through the review of flatpak-kcm[1], where I discovered that KDE GitLab CI scripts are currently licensed CC0-1.0. I'm in the process of making a request to KDE to consider relicensing all such code/scripts to MIT, but in the meantime, is it okay for us to have CC0-1.0 listed for this specific case? Thanks in advance, [1]: https://bugzilla.redhat.com/2162953 -- 真実はいつも一つ！/ Always, there's only one truth!

2 4

SPDX office hours - Second Session
by David Cantrell 20 Jan '23

20 Jan '23

Hello. The owners of SPDX Change proposal want to have this Change as smooth as possible. And we decided to setup Office hours. Do you have any questions about SPDX migration? Do you hesitate about what steps you should take? How to proceed with your package? We will do our best to help you. This is intended to be bi-weekly. Every time in a different time, to match the time of different people in different time zones. Wednesday 2023-02-01 01:00-02:00 UTC (8pm 2023-01-31 EST, 5pm 2023-01-31 PST, 2am 2023-02-01 CET, 10am 2023-02-01 JST) Google Meet joining info Video call link: meet.google.com/zsu-tbci-cfi Or dial: (US) +1 413-752-4319 PIN: 755 481 969# More phone numbers: https://meet.google.com/tel/zsu-tbci-cfi?pin=7170141193104&hs=1&pli=1 Or join via SIP: 7170141193104(a)gmeet.redhat.com -- David Cantrell <dcantrell(a)redhat.com> Red Hat, Inc. | Boston, MA | EST5EDT

1 0

Who wants to try matching these?
by David Cantrell 18 Jan '23

18 Jan '23

The first is from strlcat.c and strlcpy.c from NetBSD: /* * Copyright (c) 1998 Todd C. Miller <Todd.Miller(a)courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ (Todd Miller is also the author of sudo, so I would not be surprised if he has code like this in sudo as well.) The second is timegm.c from NetBSD as well, but this might just be for fun because here's all we get in that file: /* $NetBSD: timegm.c,v 1.3 2005/05/11 01:01:56 lukem Exp $ */ /* from ? */ Ha! The third one is from snprintf.c in NetBSD: /* * Copyright Patrick Powell 1995 * This code is based on code written by Patrick Powell (papowell(a)astart.com) * It may be used for any purpose as long as this notice remains intact * on all source code distributions */ Right.... so??? -- David Cantrell <dcantrell(a)redhat.com> Red Hat, Inc. | Boston, MA | EST5EDT

4 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal January 2023