libxcrypt contains some code from OpenSolaris to implement their password hashing. It's licensed under the CDDL:
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
The rest of the library is a combination of 3-clause BSD, 2-clause BSD (ISC), LGPLv2+, CC0 or a public domain dedication,
Applications do not link to this code directly, but they will use it automatically if needed, e.g. if /etc/shadow contains passwords hashed in this way.
Is this a problem? I think we could patch libxcrypt to remove support at run-time if necessary, with little practical impact.
Thanks, Florian
On 06/18/2018 03:56 AM, Florian Weimer wrote:
> libxcrypt contains some code from OpenSolaris to implement their password hashing. It's licensed under the CDDL:
> /*
>  * CDDL HEADER START
>  *
>  * The contents of this file are subject to the terms of the
>  * Common Development and Distribution License, Version 1.0 only
>  * (the "License"). You may not use this file except in compliance
>  * with the License.
>  *
>  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
>  * or http://www.opensolaris.org/os/licensing.
>  * See the License for the specific language governing permissions
>  * and limitations under the License.
>  *
>  * When distributing Covered Code, include this CDDL HEADER in each
>  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
>  * If applicable, add the following below this CDDL HEADER, with the
>  * fields enclosed by brackets "[]" replaced with your own identifying
>  * information: Portions Copyright [yyyy] [name of copyright owner]
>  *
>  * CDDL HEADER END
>  */
> /*
>  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
>  * Use is subject to license terms.
>  */
> The rest of the library is a combination of 3-clause BSD, 2-clause BSD (ISC), LGPLv2+, CC0 or a public domain dedication,
> Applications do not link to this code directly, but they will use it automatically if needed, e.g. if /etc/shadow contains passwords hashed in this way.
> Is this a problem? I think we could patch libxcrypt to remove support at run-time if necessary, with little practical impact.
Well, it is a problem for any consumer of libxcrypt that is GPL licensed. Since it seems quite a lot of things depend on libxcrypt in Fedora (and it also seems extremely unlikely that Fedora will ever need to support OpenSolaris password hashing), I would recommend that libxcrypt be patched to not include that code (a ./configure option that results in it not being compiled in the library should be sufficient).
hth,
~tom
On 06/18/2018 03:58 PM, Tom Callaway wrote:
> On 06/18/2018 03:56 AM, Florian Weimer wrote:
>> libxcrypt contains some code from OpenSolaris to implement their password hashing. It's licensed under the CDDL:
>> /*
>>  * CDDL HEADER START
>>  *
>>  * The contents of this file are subject to the terms of the
>>  * Common Development and Distribution License, Version 1.0 only
>>  * (the "License"). You may not use this file except in compliance
>>  * with the License.
>>  *
>>  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
>>  * or http://www.opensolaris.org/os/licensing.
>>  * See the License for the specific language governing permissions
>>  * and limitations under the License.
>>  *
>>  * When distributing Covered Code, include this CDDL HEADER in each
>>  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
>>  * If applicable, add the following below this CDDL HEADER, with the
>>  * fields enclosed by brackets "[]" replaced with your own identifying
>>  * information: Portions Copyright [yyyy] [name of copyright owner]
>>  *
>>  * CDDL HEADER END
>>  */
>> /*
>>  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
>>  * Use is subject to license terms.
>>  */
>> The rest of the library is a combination of 3-clause BSD, 2-clause BSD (ISC), LGPLv2+, CC0 or a public domain dedication,
>> Applications do not link to this code directly, but they will use it automatically if needed, e.g. if /etc/shadow contains passwords hashed in this way.
>> Is this a problem? I think we could patch libxcrypt to remove support at run-time if necessary, with little practical impact.
> Well, it is a problem for any consumer of libxcrypt that is GPL licensed. Since it seems quite a lot of things depend on libxcrypt in Fedora (and it also seems extremely unlikely that Fedora will ever need to support OpenSolaris password hashing), I would recommend that libxcrypt be patched to not include that code (a ./configure option that results in it not being compiled in the library should be sufficient).
Fine, bug filed: https://bugzilla.redhat.com/show_bug.cgi?id=1592445
If we change libxcrypt not to build the CDDL bits, what should we put into the RPM License tag? Should we still list the CDDL even though it does not apply to the binaries?
Thanks, Florian
On 06/18/2018 10:29 AM, Florian Weimer wrote:
> Fine, bug filed: https://bugzilla.redhat.com/show_bug.cgi?id=1592445
> If we change libxcrypt not to build the CDDL bits, what should we put into the RPM License tag? Should we still list the CDDL even though it does not apply to the binaries?
The License tag reflects the code that is present in the binaries in the RPM. Thus, in the case where the OpenSolaris code is not compiled in, you do not need to include the CDDL in the License tag.
~tom