Hey all,
As part of the discussion going on about Mesa on devel@, the situation
around OpenSSL was brought up, and Adam Williamson brought up that we
might not need to hobble OpenSSL anymore[1]. A quick check seems to
indicate we no longer do it for GnuTLS either, and haven't for many
years[2].
Could we just drop all this stuff and use pristine OpenSSL sources?
All the crypto algorithm usability stuff is controlled through
crypto-policies, so I don't think it makes sense to do this anymore
for OpenSSL since all the patents indicated in the script have been expired
for a couple of years now[3].
Dropping this will eliminate a chunk of cruft that nobody needs around
anymore and simplify OpenSSL maintenance.
[1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
[2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a…
[3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl
--
真実はいつも一つ!/ Always, there's only one truth!
-------- Forwarded message --------
Subject: SPDX Statistics - Rust edition
Date: Sun, 28 May 2023 07:23:58 +0200
From: Miroslav Suchý <msuchy(a)redhat.com>
Organization: Red Hat Czech, s.r.o.
To: Development discussions related to Fedora <devel(a)lists.fedoraproject.org>
Two weeks ago we had:
> * 23030 spec files in Fedora
>
> * 29532 license tags in all spec files
>
> * 18604 tags have not been converted to SPDX yet
>
> * 7059 tags can be trivially converted using `license-fedora2spdx`
>
> * Progress: 37% ░░░███████ 100%
>
Today we have:
* 23060 spec files in Fedora
* 29563 license tags in all spec files
* 18398 tags have not been converted to SPDX yet
* 6955 tags can be trivially converted using `license-fedora2spdx`
* Progress: 37.8% ░░░███████ 100%
ELN subset:
* 1831 out of 4343 packages are not converted yet
The list of packages needed to be converted is again here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List by package maintainers is here
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List of packages from ELN subset that needs to be converted:
https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt
New version of fedora-license-data has been released.
Legal docs and especially
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
was updated too.
I updated the progress in this spreadsheet:
https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r…
New projection when we will be finished is 2024-09-07. Pure linear approximation.
If your package has neither a git-log entry nor a spec-changelog entry mentioning SPDX and you know your license
tag matches the SPDX formula, you can put your package on the ignore list
https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt
Either pull-request or direct email to me is fine.
Why SPDX Rust edition? Because on today's date, 28 May 1987, during the Cold War, Mathias Rust made a pirate flight
from Helsinki to Moscow and landed near Red Square.
https://en.wikipedia.org/wiki/Mathias_Rust
Do you hesitate how to proceed with the migration? Please follow
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/
or attend SPDX office hours (see different thread in this mailing list)
Miroslav
Hi all,
Given we just had the hackfest last week, we are cancelling the standing
SPDX Office Hours for tomorrow, May 23rd.
The next SPDX Office Hours will be June 27th at 8am US eastern time at
https://meet.google.com/jbz-erzk-btc?authuser=0&hs=122
Thanks!
Jilayne
Is a disjunctive license that includes CC0-1.0 as one of the options
acceptable for Fedora? I'm intending to submit perl-Crypt-Argon2 for
Fedora review and the C source code files [2] say:
"You may use this work under the terms of a Creative Commons CC0 1.0
License/Waiver or the Apache Public License 2.0, at your option."
But some of the files only mention CC0-1.0. In the github [2] only
dist.ini mentions CC0-1.0 without Apache-2.0, but on CPAN [1] this is
expanded to README, LICENSE, lib/Crypt/Argon2.pm and
script/argon2-calibrate.
I'd like to ask upstream to add a dual-license with Apache-2.0
everywhere CC0-1.0 is mentioned, but only if that would be an
acceptable result.
dist.ini:
name = Crypt-Argon2
author = Leon Timmermans <leont(a)cpan.org>
license = CC0_1_0
copyright_holder = Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans
copyright_year = 2013
LICENSE:
"Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves, Thomas Pornin and Leon Timmermans has dedicated the work to the Commons by waiving all of his
or her rights to the work worldwide under copyright law and all related or
neighboring legal rights he or she had in the work, to the extent allowable by law.
Works under CC0 do not require attribution. When citing the work, you should
not imply endorsement by the author.
Creative Commons Legal Code
CC0 1.0 Universal
[...trimmed full license text...]"
[1] https://metacpan.org/dist/Crypt-Argon2
[2] https://github.com/Leont/crypt-argon2
-------- Forwarded message --------
Subject: SPDX Statistics - SPDX Hackfest edition
Date: Wed, 17 May 2023 08:23:51 +0200
From: Miroslav Suchý <msuchy(a)redhat.com>
Organization: Red Hat Czech, s.r.o.
To: Development discussions related to Fedora <devel(a)lists.fedoraproject.org>
Two weeks ago we had:
> * 23000 spec files in Fedora (wow, nice round number :) )
>
> * 29503 license tags in all spec files
>
> * 18744 tags have not been converted to SPDX yet
>
> * 7157 tags can be trivially converted using `license-fedora2spdx`
>
> * Progress: 36% ░░░███████ 100%
>
> ELN subset:
>
> * 1987 out of 4704 packages are not converted yet
>
Today we have:
* 23030 spec files in Fedora (wow, nice round number :) )
* 29532 license tags in all spec files
* 18604 tags have not been converted to SPDX yet
* 7059 tags can be trivially converted using `license-fedora2spdx`
* Progress: 37% ░░░███████ 100%
ELN subset:
* 1907 out of 4567 packages are not converted yet
The list of packages needed to be converted is again here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List by package maintainers is here
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List of packages from ELN subset that needs to be converted:
https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt
New version of fedora-license-data has been released.
Legal docs and especially
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
was updated too.
I updated the progress in this spreadsheet:
https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r…
New projection when we will be finished is 2024-08-19. Pure linear approximation.
If your package has neither a git-log entry nor a spec-changelog entry mentioning SPDX and you know your license
tag matches the SPDX formula, you can put your package on the ignore list
https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt
Either pull-request or email to me is fine.
Why SPDX Hackfest edition? Because **today** we are organizing a hackfest where we will show you an example of conversion and you will
have the opportunity to talk to us (both lawyers and engineers).
https://communityblog.fedoraproject.org/fedora-legal-spdx-hackfest/
Note: this was rescheduled so you may find two dates there. The valid one is 2023-05-17
Do you hesitate how to proceed with the migration? Please follow
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/
or attend SPDX office hours (see different thread in this mailing list)
Miroslav
Dear all,
You are kindly invited to the meeting:
Fedora Legal - SPDX Hackfest on 2023-05-17 from 10:00:00 to 14:00:00 US/Eastern
At https://meet.google.com/fiu-jdzq-mws
The meeting will be about:
Hackfest for updating the license field in ELN packages to SPDX license expressions.
Google Meet: https://meet.google.com/fiu-jdzq-mws
There will be a short presentation for background and a demo on updating a package to start, then we'll work on packages and be available for questions and help.
We plan to have more events like this to help package maintainers convert License tags in spec files to SPDX syntax.
Source: https://calendar.fedoraproject.org//meeting/10505/
Hi SPDX-legal
Some time ago, I raised the issue of the possibility of finding a
proliferation of "public domain "dedication" texts in the course of
Fedora reviewing package license info to adopt SPDX ids. Please see
https://lists.spdx.org/g/Spdx-legal/topic/93048752#3202 for the background
Fedora has been "collecting" such texts here
https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/public-doma…
and using a specific LicenseRef-Fedora-Public-Domain as a sort of
placeholder SPDX id.
The idea being, no assessment of how many of these types of dedications
exist has been collected in one place in order for the SPDX-legal
community to assess.
I estimate that Fedora has collected about 48 variations of public
domain statements that are not specifically identified on the SPDX
License List. I'm going to assume many of these packages also show up
in other major distros.
I'd like to raise the conversation as to:
1) Should each unique entry be added to the SPDX License List as a
standalone entry (like normal, in that one SPDX license id represents a
specific, identifiable license/set of text)?
2) Should SPDX consider a different approach by defining one SPDX id to
represent any one of a collection of specifically identified and vetted
texts?
I'd love to hear your yes or no answer to these questions and why you
answered as such :)
Also see for background:
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_updat…
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/#_publi…
We likely won't have time to discuss this on Thursday's call, but I
wanted to start the discussion here and perhaps we can dedicate some
time at an upcoming meeting.
Thanks,
Jilayne
(copying Fedora-legal for awareness)