legal

legal@lists.fedoraproject.org

1 participants
1409 discussions

Dolby Digital Plus (E-AC3) patents have now expired. Time to add it to fedora
by spaceshipgalore＠outlook.com 31 Jan '26

31 Jan '26

The last Dolby Digital Plus (E-AC3) patent US7516064 expired today. Please add it to fedora. more info: https://hydrogenaudio.org/index.php?topic=122053.0

2 1

antlr3 and a not-allowed license
by Jerry James 31 Jan '26

31 Jan '26

I've been using scancode to take an in-depth look at packages I maintain. I'm up to packages that start with "a"! While looking at the antlr3 package, I found that it contains 3 files with the LicenseRef-Unicode-legacy-source-code license, which is not allowed for Fedora [1]. The files are part of the C/C++ backend. They have been built into binary RPMs for Fedora since 2010 [2] (Fedora 12?). Repoquery shows that nothing in Fedora uses the C/C++ backend. I will build updates for F42, F43, and Rawhide that disable it. My question is whether I need to do anything more than that. Do I need to scrub the offending files out of the tarball, for example? References: [1] https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/Licens… [2] https://src.fedoraproject.org/rpms/antlr3/c/6398229d293262736484dc0e3d7a87b… -- Jerry James http://www.jamezone.org/

4 6

Re: Question about two Fedora packages that are CC0
by Neal Gompa 16 Jan '26

16 Jan '26

On Fri, Jan 16, 2026 at 7:19 AM Rodolfo Olivieri <rolivier(a)redhat.com> wrote: > Hi, folks! > > Looking at the dependency tree of Goose, I saw that they were pulling a > package that was not needed for their application, thus, pulling > *tiny-keccak* as part of it. I just disabled the default-features for > that single dependency and now *tiny-keccak *is not present anymore 🎉 > > Still, regarding *constant_time_eq*, if my understanding is correct, > since it's multi-licensed we are fine in this case? > Yes, just make sure to omit CC0-1.0 as a choice for code. If non-code stuff is CC0, then the license is still valid and must be identified. I do recommend that you package the dependencies individually though, otherwise it's going to be messy when it comes to auditing, fixing, and upgrading dependencies. -- 真実はいつも一つ！/ Always, there's only one truth!

1 0

Question about two Fedora packages that are CC0
by Máirín Duffy 15 Jan '26

15 Jan '26

Hi Fedora Legal! 👋 I have a question about two packages in Fedora that are dependencies for goose, which our (Rodolfo and I's) team are working on packaging for Fedora. They are: - *constant_time_eq* - https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/ - *tiny-keccak - * https://packages.fedoraproject.org/pkgs/rust-tiny-keccak *constant_time_eq*'s upstream states it may be used under CC0, Apache 2.0, or MIT at the user's option: https://github.com/cesarb/constant_time_eq (see README) *tiny-keccak *is CC0 only, though: https://github.com/debris/tiny-keccak Goose is built in Rust, and we're looking at packaging it as a bundle and vendoring dependencies like these. They already exist in Fedora, but not sure what the policy is on pre-existing libraries like these. Questions: - Assuming just because these are already packaged in Fedora, doesn't mean they're ok to vendor in another Fedora package. Correct? - Can we use one of the other licenses for *constant_time_eq* which are acceptable for Fedora packages? Or are there any concerns there? - Do you have any advice on how to handle *tiny-keccak*'s license? Greatly appreciate your help in advance!! Thanks, ~m

3 4

CC0-1.0 in tree-sitter-clojure / tree-sitter-clojure-orchard, previously vendored into rust-difftastic
by Michel Lind 29 Dec '25

29 Dec '25

Dear all, I maintain the `rust-difftastic` package, a structural diff tool; in a recent update it has started unbundling the tree-sitter parsers it used, and as part of the review process for the new crates, this came up: https://bugzilla.redhat.com/show_bug.cgi?id=2421761 - difftastic previously used tree-sitter-clojure - this is CC0-1.0 licensed which is no longer allowed for code in Fedora (but this usage might be considered grandfathered in -- though we'd need to file for a retroactive exemption I guess) - https://lwn.net/Articles/902410/ - tree-sitter-clojure is then forked to tree-sitter-clojure-orchard - conversation: https://github.com/Wilfred/difftastic/pull/915 - citing upstream not uploading to crates.io. Apparently there's yet another fork as well (which requires a newer Rust version) - the fork difftastic ended up using claims it is MIT licensed: https://codeberg.org/grammar-orchard/tree-sitter-clojure-orchard/blame/bran… - but the LICENSE file it bundled is still CC0-1.0 which is how this issue was surfaced Any suggestion how to proceed here? I'm temporarily yanking the Clojure support out of difftastic until this is resolved. Of question: - is such a relicensing away from CC0-1.0 by a fork allowed? In which case I will put up a PR to the fork so it carries both license texts and explain the relicensing - if not, does the grandfathering of existing CC0-1.0 software cover forks too? The difftastic upstream (cc:ed), after I brought this to his attention, has requested that the original tree-sitter-clojure be dual-licensed CC0/MIT, which will resolve this too: https://github.com/sogaiu/tree-sitter-clojure/issues/71 Best regards, -- _o) Michel Lind _( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 README: https://fedoraproject.org/wiki/User:Salimma#README

1 0

Microsoft DevCon - OK to redistribute?
by Richard W.M. Jones 19 Nov '25

19 Nov '25

We're thinking of using the DevCon tool inside virt-v2v: https://github.com/microsoft/Windows-driver-samples/tree/main/setup/devcon The license on the files looks like Microsoft proprietary ("All Rights Reserved", no other information). However the license of the repository as a whole is MS-PL which is on the Allowed list: https://github.com/microsoft/Windows-driver-samples/blob/main/LICENSE So I'm really looking for an opinion on whether this is good enough for Fedora, or if we need to get some clarification (from Microsoft?) This was asked about before, and not really answered clearly: https://github.com/microsoft/Windows-driver-samples/issues/60 Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit

4 7

15 Nov '25

Hello Legal, My name is Michael Winters, typically known here as @mwinters. I have some questions about Fedora's data privacy policies, which I'll provide a bit of context to first. There has been a long-standing desire within Fedora for better tools with which to analyze our user data and understand our community so that we can improve it. To this end, I have recently created a "Data Lakehouse" proof of concept known as "Hatlas", available at https://hatlas.mwinters.net . This technology consolidates data from existing public Fedora datasets and provides simplified tools to facilitate public access and analysis. Since these datasets were previously quite difficult to access, I believe that most people are unaware of what data exists about them within Fedora and/or the fact that it's being published publicly. I expect that the announcement of easy access to this data will raise some community concerns about data privacy, so this email is in anticipation of those concerns. I wish to have clear resources to refer people to, and current resources such as https://docs.fedoraproject.org/en-US/legal/privacy/ have left some questions open. In particular, many of these datasets include usernames and records of user activity tied to those usernames, e.g. the contents and exact timing of forum posts, git commits, group membership changes, etc. My current questions are: 1) Does an arbitrary username (not necessarily tied to a real name) constitute PII which must be protected / anonymized? It is not currently anonymized in Fedora datasets. 2) Do current Fedora policies permit collecting user activity tied to usernames? This is not explicitly stated under "Information We Collect", though it is mentioned later under "Using (Processing) Your Personal Data." 3) Do current Fedora policies permit publishing user activity tied to usernames? Section "Sharing Your Personal Data" does mention "For research activities", but it does not specify that data must be shared *only* in aggregate. 4) How does GDPR view downstream users of public data sources, i.e. Hatlas? Is Hatlas a "data processor"? Must Hatlas integrate with Fedora's Personal Data Removal process? We intend to do so, but there seems to be no obligation for either party. 5) Are there any data licenses applicable to downstream users such as Hatlas? I intend to apply one restricting the use of Hatlas data to non-commercial purposes, but there seem to be no restrictions coming from Fedora. Thanks in advance! Michael Winters

7 14

hashcat 7 and new software copied over
by Carlos Rodriguez-Fernandez 25 Oct '25

25 Oct '25

Hi, I'm currently working on hashcat 7, and in comparison with version 6 (currently in Fedora Linux), the project copied a few components code into its own repo [1]. These new components, not in Fedora Linux already, and not already handled in hashcat 6 are: * phc-winner-argon2. A reference implementation of argon2. License choice of Apache License 2 or CC0 1 * scrypt-jane. License choice of MIT or Public Domain * sse2neon. License MIT * yescrypt. License BSD-2-Clause (Simplified) My initial investigation tells me there are not patents on any of these cryptography libs. I'm writing to ask if the legal team could please double check this to make sure everything is fine before proceeding with the update. Thank you, Carlos R.F. [1] https://github.com/hashcat/hashcat/tree/v7.1.2/deps

2 3

GPL-3.0-or-later WITH GCC-exception-2.0
by Mark Wielaard 19 Oct '25

19 Oct '25

Hi, Valgrind has been upgraded to GPLv3+. I was packaging valgrind-3.26.0-RC1 and redid the License tags. There is one new tag where rpminspect complains: GPL-3.0-or-later WITH GCC-exception-2.0 https://artifacts.dev.testing-farm.io/3ccb5ff4-8019-45ff-ac91-f4642d28ed8f/ BAD Unapproved license in valgrind-1:3.26.0-0.1.RC1.fc44.src: GPL-3.0-or-later WITH GCC-exception-2.0 Not Waivable Suggested remedy: The specified license abbreviation is not listed as approved in the\nlicense database. The license database is specified in the rpminspect\nconfiguration file. Check this file and send a pull request to the\nappropriate upstream project to update the database. If the license\nis listed in the database but marked unapproved, you may need to work\nwith the legal team regarding options for this software.\n It is not clear to me which/where this license database is or which configuration file is being referred to. So I am hoping someone on this list can point me to that and let me know whether and how to update it to allow GPL-3.0-or-later WITH GCC-exception-2.0. For reference the files in question have this header: This file is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. In addition to the permissions in the GNU General Public License, the Free Software Foundation gives you unlimited permission to link the compiled version of this file into combinations with other programs, and to distribute those combinations without any restriction coming from the use of this file. (The General Public License restrictions do apply in other respects; for example, they cover modification of the file, and distribution when not linked into a combined executable.) Thanks, Mark

3 2

viskores license
by Orion Poplawski 05 Aug '25

05 Aug '25

What should the License tag be for this? Viskores License Version 1.0 ======================================================================== Copyright (c) 2025 Kitware Inc., National Technology & Engineering Solutions of Sandia, LLC (NTESS), UT-Battelle, LLC., Los Alamos National Security, LLC., All rights reserved. Under the terms of Contract DE-NA0003525 with NTESS, the U.S. Government retains certain rights in this software. Under the terms of Contract DE-AC52-06NA25396 with Los Alamos National Laboratory (LANL), the U.S. Government retains certain rights in this software. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Kitware nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ======================================================================== -- Orion Poplawski he/him/his - surely the least important thing about me IT Systems Manager 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion(a)nwra.com Boulder, CO 80301 https://www.nwra.com/

3 2

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal