legal April 2024

legal@lists.fedoraproject.org

2 participants
5 discussions

Request to stop hobbling crypto libraries
by Neal Gompa 12 Sep '24

12 Sep '24

Hey all, As part of the discussion going on about Mesa on devel@, the situation around OpenSSL was brought up, and Adam Williamson brought up that we might not need to hobble OpenSSL anymore[1]. A quick check seems to indicate we no longer do it for GnuTLS either, and haven't for many years[2]. Could we just drop all this stuff and use pristine OpenSSL sources? All the crypto algorithm usability stuff is controlled through crypto-policies, so I don't think it makes sense to do this anymore for OpenSSL since all the patents indicated in the script have expired for a couple of years now[3]. Dropping this will eliminate a chunk of cruft that nobody needs around anymore and simplify OpenSSL maintenance. [1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org… [2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a… [3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl -- 真実はいつも一つ！/ Always, there's only one truth!

7 16

Brainpool Curves in Fedora (openssl, libgcrypt, gnupg)
by Timothée Ravier 21 May '24

21 May '24

Hi everyone, The ECC Brainpool Curves [1][2] are currently not available in Fedora as according to this BZ [3], this needs Fedora Legal approval. Could someone from the legal team take a look to see if there are any blockers regarding Brainpool Curves inclusion in Fedora? Thanks! [1] https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Implementation [2] https://tools.ietf.org/html/rfc5639 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1413618

14 31

Fwd: SPDX Statistics - L'Aigle meteorite edition
by Miroslav Suchý 26 Apr '24

26 Apr '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - L'Aigle meteorite edition Datum: Fri, 26 Apr 2024 20:20:43 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: Automated migration of "trivial" conversions is in process. I migrated bunch of licenses that are only seldomly used. The bigger group (GPL*) are waiting at the starting line, but Jilayne asked me to wait a moment as she wants to check few things. I expect that the progress resumes after Red Hat summit (May 6-9). Two weeks ago we had: > * 23901spec files in Fedora > > * 30551license tags in all spec files > > * 10964 tags have not been converted to SPDX yet > > * 4964 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 64,11% ░░░░░░████ 100% > > ELN subset: > > 100 out of 2397 packages are not converted yet (progress 95.83%) > Today we have: * 23943spec files in Fedora * 30600license tags in all spec files * 10639 tags have not been converted to SPDX yet * 4689 tags can be trivially converted using `license-fedora2spdx` * Progress: 65,23% ░░░░░░████ 100% ELN subset: 94 out of 2394 packages are not converted yet (progress 96.07%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. With: 7 new licenses (plus two public domain declarations). 10 licenses are waiting to be review by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/ New projection when we will be finished is 2025-04-06 (+5 days from last report). Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why L'Aigle meteorite? On today's date at 1803 meteorite fell upon the town L'Aigle in France. More than 3000 fragments reached ground. Previously scientists believed that meteorites were terrestrial. But this event brought first evidence that meteorites are extraterrestrial. https://en.wikipedia.org/wiki/L%27Aigle_(meteorite)# Miroslav

1 0

Fwd: SPDX Statistics - Human Space Flight edition
by Miroslav Suchý 12 Apr '24

12 Apr '24

-------- Přeposlaná zpráva -------- Předmět: SPDX Statistics - Human Space Flight edition Datum: Fri, 12 Apr 2024 08:06:46 +0200 Od: Miroslav Suchý <msuchy(a)redhat.com> Společnost: Red Hat Czech, s.r.o. Komu: Development discussions related to Fedora <devel(a)lists.fedoraproject.org> Hot news: https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ contains usage column for licenses that are allowed for something (documentation, firmware...) Automated migration of "trivial" conversions have started (see other threads in this mailing list). Two weeks ago we had: > * 23849spec files in Fedora > > * 30493license tags in all spec files > > * 11026 tags have not been converted to SPDX yet > > * 5004 tags can be trivially converted using `license-fedora2spdx` > > * Progress: 63,84% ░░░░░░████ 100% > > ELN subset: > > 100 out of 2395 packages are not converted yet (progress 95.82%) > Today we have: * 23901spec files in Fedora * 30551license tags in all spec files * 10964 tags have not been converted to SPDX yet * 4964 tags can be trivially converted using `license-fedora2spdx` * Progress: 64,11% ░░░░░░████ 100% ELN subset: 100 out of 2397 packages are not converted yet (progress 95.83%) Graph of these data with the burndown chart: https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r… The list of packages needed to be converted is here: https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List by package maintainers is here https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f… List of packages from ELN subset that needs to be converted: https://pagure.io/copr/license-validate/blob/main/f/eln-not-migrated.txt New version of fedora-license-data has been released. With: 1 new license (plus two public domain declarations). 14 licenses are waiting to be review by SPDX.org (and then to be added to fedora-license-data) https://gitlab.com/fedora/legal/fedora-license-data/-/issues/?label_name%5B… Legal docs and especially https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ was updated too. License analysis of remaining packages: http://miroslav.suchy.cz/fedora/spdx-reports/ New projection when we will be finished is 2025-04-01 (+20 days from last report). Pure linear approximation. If your package does not have neither git-log entry nor spec-changelog entry mentioning SPDX and you know your license tag matches SPDX formula, you can put your package on ignore list https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt Either pull-request or direct email to me is fine. Why Human Space Flight edition? On today's date at 1961 Yuri Gagarin flew to the space in Vostok 1. Since 1963 this day is celebrated as International Day of Human Space Flight. Also on this day at 1981 the first Space Shuttle (Columbia) was lunched. https://en.wikipedia.org/wiki/International_Day_of_Human_Space_Flight https://en.wikipedia.org/wiki/Vostok_1 And you may also learn about Oleg Ivanovsky https://www.telegraph.co.uk/news/obituaries/11111713/Oleg-Ivanovsky-obituar… Miroslav

1 0

AI/ML Model and Pre-Trained Weight Packaging in Fedora
by Tim Flink 02 Apr '24

02 Apr '24

These questions came up in a FESCo ticket [1] recently and the primary purpose of this thread is to have some public record of the conversation around the handling of pre-trained weights for AI/ML models as packaged for Fedora. [1] https://pagure.io/fesco/issue/3175 Intro and Definitions ===================== Previous conversations have involved a decent amount of confusion around terminology and I want to be clear about what I'm asking so I'm starting with a few definitions in the context of my questions. Artificial Neural Network (ANN) - effectively structured data consisting of neurons (nodes containing some value) organized into layers with various connections between the neurons. There are connections between neurons which control the flow of data through the entire network. The exact value of how the connections affect flow through the network is found through the training process and these values are generally referred to as weights. Model - A model by itself is a description of a specific ANN - how layers are configured, how they interact with each other, how model training is done, how data needs to be structured for using a trained model and so on. A model by itself is rarely, if ever useful. Models generally need to be trained on data before they can be used but many models offer a mechanism through which weights can be loaded from a model which has already been trained. An untrained model without pre-trained weights or training is pretty much code. Pre-Trined Weights - Pre-trained weights are essentially the data contained in a model after training the model on some input data. Training modern ANN models is a very expensive and time consuming process; pre-trained weights allow people to use models without having to train the model locally or even have access to data needed to train the model. Questions ========= 1. Are pre-trained weights considered to be normal non-code content/data or do they require special handling? 2. If an upstream offers pre-trained weights and indicates that those weights are available under a license which is acceptable for non-code content in Fedora, can those pre-trained weights be included in Fedora packages? 3. Extending question 2, is it considered sufficient for an upstream to have a license on pre-trained weights or would a packager/reviewer need to verify that the data used to train those weights is acceptable? 4. Is it acceptable to package code which downloads pre-trained weights from a non-Fedora source upon first use post-installation by a user if that model and its associated weights are a. For a specific model? b. For a user-defined model which may or may not exist at the time of packaging? I can provide examples of any of these situations if that would be helpful. Thanks, Tim

7 18

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal April 2024