April 2023 - legal - Fedora Mailing-Lists

Permissibility of P-434 based elliptic curve in Fedora

by Fabio Valentini

Hello, During package review of the fiat-crypto Rust library, I noticed that it contains an implementation of an elliptic curve (p434) which isn't mentioned on the "good" list here: https://fedoraproject.org/wiki/Legal:ECC I also can't find any references or sources for this curve (search results for P-434, p434, and curve434 all come up empty). The only mention of "p434" with respect to cryptography is in this Microsoft project: https://github.com/microsoft/PQCrypto-SIDH And looking at the source code, I'm not even sure whether the P-434 curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes that are mentioned there, other than the fact that they happen to be based on the same prime number (2^216 * 3^137 - 1). Given that there's no mention of any elliptic curves that use p434 on the internet (that I could find), is it OK to ship it in a Fedora package, or do we need to remove it from the sources? ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536 Fabio

3 weeks, 6 days

2
4
0 / 0

Requirements from upstream

by Emmanuel Seyman

Hello, all. I'm at the Perl Toolkit Summit and have being approched by Salve Nilsen to talk about improvements to the metadata attached to CPAN modules. He wants to improve the PAUSE infrastructure as well as the tooling for CPAN authors and would really appreciate the input of CPAN's downstreams (which we are one of). If you have an opinion, please sound off ASAP. Emmanuel

4 weeks, 1 day

1
0
0 / 0

Fwd: Upcoming Fedora Legal hackfest - converting to SPDX IDs

by Jilayne Lovejoy

In case, people here didn't see this on devel :) -------- Forwarded Message -------- Subject: Upcoming Fedora Legal hackfest - converting to SPDX IDs Date: Mon, 17 Apr 2023 11:35:36 -0400 From: David Cantrell <dcantrell(a)redhat.com> To: devel-announce(a)lists.fedoraproject.org CC: jlovejoy(a)redhat.com, rfontana(a)redhat.com, msuchy(a)redhat.com, dcantrell(a)redhat.com Fedora Legal will be conducting a hackfest on April 26, 2023 during a four hour block. Information is on the SIGs calendar: https://calendar.fedoraproject.org/SIGs/2023/4/26/ We will be focusing on the ELN package set in Fedora and preparing pull requests for those packages to convert the License tag to a valid SPDX expression. There will be a short presentation and [hopefully] a video walking through an example package and the steps we want package maintainers to follow. If you can make it, great! We expect to do more of these events in the future. What Hackfest for updating the license field in ELN packages to SPDX license expressions. Date Wednesday, April 26, 2023 Time 10:00 - 14:00 US eastern time 18:00 - 22:00 Central European time Where Google Meet: https://meet.google.com/fiu-jdzq-mws (chat.fedoraproject.org information coming soon...awaiting new chat room) How There will be a short presentation for background and a demo on updating a package to start, then we'll work on packages and be available for questions and help. We plan to have more events like this to help package maintainers convert License tags in spec files to SPDX syntax. Thanks, -- David Cantrell<dcantrell(a)redhat.com> Red Hat, Inc. | Boston, MA | EST5EDT

1 month

2
2
0 / 0

Request for adding licenses from Vim into allowed licenses

by Zdenek Dohnal

Hi, I've found the following licenses in Vim package, which aren't in allowed licenses: Apache License v2.0 with Runtime Library Exception - see https://swift.org/LICENSE.txt or https://scancode-licensedb.aboutcode.org/apache-2.0-runtime-library-excep... Open Publication License, v1.0 or later - see http://www.opencontent.org/openpub/ Would you mind adding them into allowed licenses for Fedora? Thank you in advance! Zdenek -- Zdenek Dohnal Senior Software Engineer Red Hat, BRQ-TPBC

1 month

3
5
0 / 0

Fwd: SPDX Statistics - ZX Spectrum edition

by Miroslav Suchý

-------- Přeposlaná zpráva -------- Two weeks ago we had: > * 22918 spec files in Fedora > > * 29406license tags in all spec files > > * 19348 tags have not been converted to SPDX yet > > * 7521tags can be trivially converted using `license-fedora2spdx` > > * Progress: 34% ░░░███████ 100% > Today we have: * 22961 spec files in Fedora * 29459license tags in all spec files * 19099 tags have not been converted to SPDX yet * 7404tags can be trivially converted using `license-fedora2spdx` * Progress: 35% ░░░███████ 100% ELN subset: * 2099 out of 4669 packages has been converted The list of packages needed to be converted is again here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... New version of fedora-license-data and license-validate has been released. NEW: the package fedora-license-data now contains BNF grammar which you can use. It is available in `/usr/share/fedora-license-data/grammar.lark` Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. I updated the progress in this spreadsheet: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE80... You converted about 300 license tags in 14 days. New projection when we will be finished is 2024-07-07. Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or email to me is fine. Tip of the day: We will have hackfest this week at Wednesday! There will be a short presentation for background and a demo on updating a package to start, then we'll work on packages and be available for questions and help. https://calendar.fedoraproject.org/SIGs/2023/4/26/#m10492d away. Why ZX Spectrum? On this day, 41 years ago was sold the first ZX Spectrum. It was one of the first home computer. And it was my first computer too. https://en.wikipedia.org/wiki/ZX_Spectrum You can try it thanks to http://www.rastersoft.com/programas/fbzx.html You will need fbzx and fuse-emulator-roms packages. Do you hesitate how to proceed with the migration? Please follow https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ or attend SPDX office hours (see different thread in this mailing list) Miroslav

1 month

1
0
0 / 0

how minor is this modification to the zlib license?

by Felix Schwarz

Hi, I'm currently looking into the spdx migration for borgbackup [1]. The currently distributed code contains a file "crc32_slice_by_8.c" [2] which contains this copyright notice: // Copyright (c) 2011-2016 Stephan Brumme. All rights reserved. // see http://create.stephan-brumme.com/disclaimer.html That page contains the following license text: > Unless otherwise noted, all source code published on > http://create.stephan-brumme.com and its sub-pages is licensed similar to > the zlib license: > > This software is provided 'as-is', without any express or implied warranty. > In no event will the author be held liable for any damages arising from the > use of this software. Permission is granted to anyone to use this software > for any purpose, including commercial applications, and to alter it and > redistribute it freely, subject to the following restrictions: > > 1. The origin of this software must not be misrepresented; you must not claim > that you wrote the original software. > > 2. If you use this software in a product, an acknowledgment in the product > documentation would be appreciated but is not required. > > 3. Altered source versions must be plainly marked as such, and must not be > misrepresented as being the original software. And indeed this is basically the zlib license [3] but it is missing the last paragraph ("3. This notice may not be removed or altered from any source distribution."). Can I still mark this license as "zlib"? Please note that the mentioned file was removed from upstream's "master" branch a month ago so this point will be moot once upstream releases its 2.0 version. However that will be a big, incompatible upgrade which might be incompatible with all previously written backup data so Fedora might ship borgbackup 1.x for quite some time. Felix [1] https://github.com/borgbackup/borg/ [2] https://github.com/borgbackup/borg/blob/1.2-maint/src/borg/algorithms/crc... [3] https://spdx.org/licenses/Zlib.html

1 month, 1 week

1
1
0 / 0

Fwd: SPDX Statistics - Easter edition

by Miroslav Suchý

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - Easter edition Datum: Sun, 9 Apr 2023 11:34:20 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Two weeks ago we had: > * 22882 spec files in Fedora > > * 29366license tags in all spec files > > * 19784 tags have not been converted to SPDX yet(huray, we are under 20k) > > * 7912tags can be trivially converted using `license-fedora2spdx` > Today we have: * 22918 spec files in Fedora * 29406license tags in all spec files * 19348 tags have not been converted to SPDX yet * 7521tags can be trivially converted using `license-fedora2spdx` * Progress: 34% ░░░███████ 100% ELN subset: * 2159 out of 4688 packages has been converted The list of packages needed to be converted is again here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx... New version of fedora-license-data and license-validate has been released. Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. I updated the progress in this spreadsheet: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE80... You converted about 500 license tags in 14 days. New projection when we will be finished is 2024-06-05. Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or email to me is fine. I already put there some packages that has been reported in past. Tip of the day: There is great tool to audit a package - FOSSology. And Oregon State University runs a free instance https://fossology.osuosl.org/repo/ (login: fossy, password: fossy). It is maintained for free, but every night the content is wiped away. Why Easter? Well, because we have Easter now :) But I will add one fun fact. Here in Czechia we have folk custom consisting in whipping women by men using a rod or braided wicker also called pomlázka, performed on Easter Monday. https://www.youtube.com/watch?v=l9vDVuiQcWM Do you hesitate how to proceed with the migration? Please follow https://docs.fedoraproject.org/en-US/legal/update-existing-packages/ or attend SPDX office hours (see different thread in this mailing list) Miroslav

1 month, 2 weeks

4
4
0 / 0

CoPilot and Fedora packages

by Vitaly Zaitsev

Hello. I'm asking the Fedora Legal team for a position on open source projects containing GitHub CoPilot AI generated code. We need to solve this problem for the electrum update[1]. I think this is not a problem for OSS projects, because even if CoPilot copy-pastes GPL-licensed fragments, the license will be GPL. [1]: https://src.fedoraproject.org/rpms/electrum/pull-request/5 -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

1 month, 3 weeks

2
5
0 / 0

Do I merge "(A AND B) AND A" into "A AND B" or not?

by Miro Hrončok

Hello, during a package review I came across this License tag (simplified): License: ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT) Where "(Apache-2.0 OR MIT) AND BSD-3-Clause" is a license of one "unit" built into the RPM and "Apache-2.0 OR MIT" is a license of another "unit". (Both units are built into a single binary if that makes a difference.) Do I change that to: License: (Apache-2.0 OR MIT) AND BSD-3-Clause Or not? I know that we are not supposed to calculate "effective license", but in my head they both mean the exact same thing. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

1 month, 3 weeks

2
3
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal April 2023