Permissibility of P-434 based elliptic curve in Fedora
by Fabio Valentini
During package review of the fiat-crypto Rust library, I noticed that
it contains an implementation of an elliptic curve (p434) which isn't
mentioned on the "good" list here:
I also can't find any references or sources for this curve (search
results for P-434, p434, and curve434 all come up empty). The only
mention of "p434" with respect to cryptography is in this Microsoft
And looking at the source code, I'm not even sure whether the P-434
curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes
that are mentioned there, other than the fact that they happen to be
based on the same prime number (2^216 * 3^137 - 1).
Given that there's no mention of any elliptic curves that use p434 on
the internet (that I could find), is it OK to ship it in a Fedora
package, or do we need to remove it from the sources?
3 weeks, 6 days
Requirements from upstream
by Emmanuel Seyman
I'm at the Perl Toolkit Summit and have being approched by Salve Nilsen
to talk about improvements to the metadata attached to CPAN modules.
He wants to improve the PAUSE infrastructure as well as the tooling
for CPAN authors and would really appreciate the input of CPAN's
downstreams (which we are one of).
If you have an opinion, please sound off ASAP.
4 weeks, 1 day
Fwd: Upcoming Fedora Legal hackfest - converting to SPDX IDs
by Jilayne Lovejoy
In case, people here didn't see this on devel :)
-------- Forwarded Message --------
Subject: Upcoming Fedora Legal hackfest - converting to SPDX IDs
Date: Mon, 17 Apr 2023 11:35:36 -0400
From: David Cantrell <dcantrell(a)redhat.com>
CC: jlovejoy(a)redhat.com, rfontana(a)redhat.com, msuchy(a)redhat.com,
Fedora Legal will be conducting a hackfest on April 26, 2023 during a four
hour block. Information is on the SIGs calendar:
We will be focusing on the ELN package set in Fedora and preparing pull
requests for those packages to convert the License tag to a valid SPDX
expression. There will be a short presentation and [hopefully] a video
walking through an example package and the steps we want package maintainers
If you can make it, great! We expect to do more of these events in the
Hackfest for updating the license field in ELN packages to SPDX license
Wednesday, April 26, 2023
10:00 - 14:00 US eastern time
18:00 - 22:00 Central European time
Google Meet: https://meet.google.com/fiu-jdzq-mws
(chat.fedoraproject.org information coming soon...awaiting new chat room)
There will be a short presentation for background and a demo on updating a
package to start, then we'll work on packages and be available for
questions and help.
We plan to have more events like this to help package maintainers convert
License tags in spec files to SPDX syntax.
Red Hat, Inc. | Boston, MA | EST5EDT
how minor is this modification to the zlib license?
by Felix Schwarz
I'm currently looking into the spdx migration for borgbackup .
The currently distributed code contains a file "crc32_slice_by_8.c"  which
contains this copyright notice:
// Copyright (c) 2011-2016 Stephan Brumme. All rights reserved.
// see http://create.stephan-brumme.com/disclaimer.html
That page contains the following license text:
> Unless otherwise noted, all source code published on
> http://create.stephan-brumme.com and its sub-pages is licensed similar to
> the zlib license:
> This software is provided 'as-is', without any express or implied warranty.
> In no event will the author be held liable for any damages arising from the
> use of this software. Permission is granted to anyone to use this software
> for any purpose, including commercial applications, and to alter it and
> redistribute it freely, subject to the following restrictions:
> 1. The origin of this software must not be misrepresented; you must not claim
> that you wrote the original software.
> 2. If you use this software in a product, an acknowledgment in the product
> documentation would be appreciated but is not required.
> 3. Altered source versions must be plainly marked as such, and must not be
> misrepresented as being the original software.
And indeed this is basically the zlib license  but it is missing the last
paragraph ("3. This notice may not be removed or altered from any source
Can I still mark this license as "zlib"?
Please note that the mentioned file was removed from upstream's "master" branch
a month ago so this point will be moot once upstream releases its 2.0 version.
However that will be a big, incompatible upgrade which might be incompatible
with all previously written backup data so Fedora might ship borgbackup 1.x for
quite some time.
1 month, 1 week
CoPilot and Fedora packages
by Vitaly Zaitsev
I'm asking the Fedora Legal team for a position on open source projects
containing GitHub CoPilot AI generated code. We need to solve this
problem for the electrum update.
I think this is not a problem for OSS projects, because even if CoPilot
copy-pastes GPL-licensed fragments, the license will be GPL.
Vitaly Zaitsev (vitaly(a)easycoding.org)
1 month, 3 weeks
Do I merge "(A AND B) AND A" into "A AND B" or not?
by Miro Hrončok
during a package review I came across this License tag (simplified):
License: ((Apache-2.0 OR MIT) AND BSD-3-Clause) AND (Apache-2.0 OR MIT)
Where "(Apache-2.0 OR MIT) AND BSD-3-Clause" is a license of one "unit" built
into the RPM and "Apache-2.0 OR MIT" is a license of another "unit". (Both
units are built into a single binary if that makes a difference.)
Do I change that to:
License: (Apache-2.0 OR MIT) AND BSD-3-Clause
I know that we are not supposed to calculate "effective license", but in my
head they both mean the exact same thing.
1 month, 3 weeks