Hey all,
As part of the discussion going on about Mesa on devel@, the situation
around OpenSSL was brought up, and Adam Williamson brought up that we
might not need to hobble OpenSSL anymore[1]. A quick check seems to
indicate we no longer do it for GnuTLS either, and haven't for many
years[2].
Could we just drop all this stuff and use pristine OpenSSL sources?
All the crypto algorithm usability stuff is controlled through
crypto-policies, so I don't think it makes sense to do this anymore
for OpenSSL since all the patents indicated in the script have expired
for a couple of years now[3].
Dropping this will eliminate a chunk of cruft that nobody needs around
anymore and simplify OpenSSL maintenance.
[1]: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
[2]: https://src.fedoraproject.org/rpms/gnutls/c/46d865d8451be0f4576dcc56841175a…
[3]: https://src.fedoraproject.org/rpms/openssl//blob/rawhide/f/hobble-openssl
--
真実はいつも一つ!/ Always, there's only one truth!
Hello,
During package review of the fiat-crypto Rust library, I noticed that
it contains an implementation of an elliptic curve (p434) which isn't
mentioned on the "good" list here:
https://fedoraproject.org/wiki/Legal:ECC
I also can't find any references or sources for this curve (search
results for P-434, p434, and curve434 all come up empty). The only
mention of "p434" with respect to cryptography is in this Microsoft
project: https://github.com/microsoft/PQCrypto-SIDH
And looking at the source code, I'm not even sure whether the P-434
curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes
that are mentioned there, other than the fact that they happen to be
based on the same prime number (2^216 * 3^137 - 1).
Given that there's no mention of any elliptic curves that use p434 on
the internet (that I could find), is it OK to ship it in a Fedora
package, or do we need to remove it from the sources?
ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536
Fabio
Hello.
I'm asking the Fedora Legal team for a position on open source projects
containing GitHub CoPilot AI generated code. We need to solve this
problem for the electrum update[1].
I think this is not a problem for OSS projects, because even if CoPilot
copy-pastes GPL-licensed fragments, the license will be GPL.
[1]: https://src.fedoraproject.org/rpms/electrum/pull-request/5
--
Sincerely,
Vitaly Zaitsev (vitaly(a)easycoding.org)
Hello Fedora Legal
Back in 2019, the new GeoLite2 license made the Maxmind GeoLite
database non-free, see bugzilla #1786211. As Carl George states in the
bug, there does exist a drop-in replacement from db-ip.com, using the
same database format. According to its homepage, it uses a Creative
Commons license. Would it be acceptable for Fedora?
From https://db-ip.com/db/lite.php
The free DB-IP Lite database by DB-IP is licensed under a Creative
Commons Attribution 4.0 International License.
You are free to use this database in your application, provided you
give attribution to DB-IP.com for the data.
In the case of a web application, you must include a link back to
DB-IP.com on pages that display or use results from the database.
You may do it by pasting the HTML code snippet below into your code :
<a href='https://db-ip.com'>IP Geolocation by DB-IP</a>
Best regards,
Ingvar Hagelund
-------- Forwarded Message --------
Subject: SPDX Statistics - stilus annunciationis edition
Date: Sun, 26 Mar 2023 01:56:32 +0100
From: Miroslav Suchý <msuchy(a)redhat.com>
Organization: Red Hat Czech, s.r.o.
To: Development discussions related to Fedora <devel(a)lists.fedoraproject.org>
Two weeks ago we had:
> * 23107 spec files in Fedora
>
> * 29503 license tags in all spec files
>
> * 20302 tags have not been converted to SPDX yet
>
> * 8096 tags can be trivially converted using `license-fedora2spdx`
>
Today we have:
* 22882 spec files in Fedora
* 29366 license tags in all spec files
* 19784 tags have not been converted to SPDX yet (hurray, we are under 20k)
* 7912 tags can be trivially converted using `license-fedora2spdx`
The list of packages needed to be converted is again here:
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
List by package maintainers is here
https://pagure.io/copr/license-validate/blob/main/f/packages-without-spdx-f…
New version of fedora-license-data has been released.
Legal docs and especially
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
was updated too.
I updated the progress in this spreadsheet:
https://docs.google.com/spreadsheets/d/1QVMEzXWML-6_Mrlln02axFAaRKCQ8zE807r…
You converted 381 license tags in 14 days. Plus additional 137 old license tags were in packages that have been retired.
New projection when we will be finished is 2023-11-16. Pure linear approximation.
If your package has neither a git-log entry nor a spec-changelog entry mentioning SPDX and you know your license
tag matches SPDX formula, you can put your package on ignore list
https://pagure.io/copr/license-validate/blob/main/f/ignore-packages.txt
Either pull-request or email to me is fine. I already put there some packages that have been reported in the past.
Why stilus annunciationis? Because 25th March is the beginning of the liturgical year
https://en.wikipedia.org/wiki/Feast_of_the_Annunciation
Do you hesitate how to proceed with the migration? Please follow
https://docs.fedoraproject.org/en-US/legal/update-existing-packages/
or attend SPDX office hours (see different thread in this mailing list)
Miroslav
Hi,
the package perl-MemHandle doesn't contain any license/copyright text.
It was already reported to upstream:
https://rt.cpan.org/Public/Bug/Display.html?id=75350
The previous owner set the License tag to 'Public domain'.
I want to know if I can use 'LicenseRef-Fedora-Public-Domain' or
anything else?
Thanks for any help,
Jitka
--
Jitka Plesnikova
Senior Software Engineer
Red Hat
I have a followup question to a gitlab issue [1]. There are 3 files
in the SMuFL repository [2], classes.json, glyphnames.json, and
ranges.json, that are currently bundled in the mscore package. It
would be advantageous to break those files out into a separate package
for consumption by other SMuFL-aware software. The determination in
[1] is that the presence of those files does not require a change to
the mscore package License field. What about if they are in their own
package? What would the License field of that package be?
References:
[1] https://gitlab.com/fedora/legal/fedora-license-data/-/issues/170
[2] https://github.com/w3c/smufl
--
Jerry James
http://www.jamezone.org/