legal August 2022

legal@lists.fedoraproject.org

13 participants
17 discussions

Brainpool Curves in Fedora (openssl, libgcrypt, gnupg)
by Timothée Ravier 21 May '24

21 May '24

Hi everyone, The ECC Brainpool Curves [1][2] are currently not available in Fedora as according to this BZ [3], this needs Fedora Legal approval. Could someone from the legal team take a look to see if there are any blockers regarding Brainpool Curves inclusion in Fedora? Thanks! [1] https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Implementation [2] https://tools.ietf.org/html/rfc5639 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1413618

14 31

Henry Spencer's license
by Petr Šabata 06 Mar '23

06 Mar '23

Dear legal, While checking the contents of our `perl' package, I noticed the following: (...) /* NOTE: this is derived from Henry Spencer's regexp code, and should not * confused with the original package (see point 3 below). Thanks, Henry! */ /* Additional note: this code is very heavily munged from Henry's version * in places. In some spots I've traded clarity for efficiency, so don't * blame Henry for some of the lack of readability. */ /* The names of the functions have been changed from regcomp and * regexec to pregcomp and pregexec in order to avoid conflicts * with the POSIX routines of the same names. */ (...) * pregcomp and pregexec -- regsub and regerror are not used in perl * * Copyright (c) 1986 by University of Toronto. * Written by Henry Spencer. Not derived from licensed software. * * Permission is granted to anyone to use this software for any * purpose on any computer system, and to redistribute it freely, * subject to the following restrictions: * * 1. The author is not responsible for the consequences of use of * this software, no matter how awful, even if they arise * from defects in it. * * 2. The origin of this software must not be misrepresented, either * by explicit claim or by omission. * * 3. Altered versions must be plainly marked as such, and must not * be misrepresented as being the original software. * **** Alterations to Henry's code are... **** **** Copyright (C) 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, **** 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 **** by Larry Wall and others **** **** You may distribute under the terms of either the GNU General Public **** License or the Artistic License, as specified in the README file. (...) You can see the whole file here: https://metacpan.org/source/SHAY/perl-5.20.1/regexec.c I looked but couldn't find any common name for this license of Henry's. Is it on our list? Is it free? What name should I use in the License tag? Thank you, Petr

5 9

about openssl we may enable and build all elliptic curves on corp ?
by Sérgio Basto 05 Nov '22

05 Nov '22

Hello, I reopen or start thinking again on this question of enable elliptic curves of openssl [1] So going directly to the point, may I built all source of openssl in copr [2] ? or at least some other curves that fedora package don't ship? [1] https://bugzilla.redhat.com/show_bug.cgi?id=1405843 [2] Version: 1.0.2k %global fips_version 2.0.14 I mean sources: http://ftp.o penssl.org/source/openssl-%{version}.tar.gz and http://ftp.openssl.org/s ource/openssl-fips-%{fips_version}.tar.gz Thanks , -- Sérgio M. B.

4 6

license submissions to SPDX on behalf of Fedora
by Jilayne Lovejoy 02 Sep '22

02 Sep '22

Hi all, Richard has been very busy reviewing licenses and related activities, and consequently approx 13 new license submissions to SPDX on behalf of Fedora. See: https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+labe… Some of these have corresponding issues in our Gitlab data repo and labeled as "blocked on SPDX." From the SPDX side to best shepherd these, can I get a little help on two aspects: 1) which of these submissions are priority from a Fedora perspective? That is, are any package maintainers waiting on SPDX (I know some of these are from leftover Fedora licenses we tagged as "needs more research" when we did the initial compare, which seems to suggest it may not be a blocking issue) - comments in the SPDX Github issue would be appreciated as to any that should be prioritized above others. 2) By way of SPDX processes, when a license has been determined to be accepted, we ask the submitter to help prepare the files for the SPDX license data. However, I'm not sure if Richard should be on the hook for all of these! Can anyone else from the Fedora legal community offer to help with this part? If so, indicate in the relevant issue and SPDX folks will point you to documentation to explain the process further (it's pretty easy, even I can do it) Thanks! Jilayne

2 2

rpmlint and SPDX licenses: W: invalid-license BSD-3-Clause
by Miro Hrončok 31 Aug '22

31 Aug '22

Hello license folks. I see that Fedora's rpmlint is yet to be taught to understand SPDX: python3-lxml.x86_64: W: invalid-license BSD-3-Clause python3-lxml.x86_64: W: invalid-license MIT-CMU Is this support tracked somewhere? I know openSUSE already uses SPDX, so rpmlint probably knows how to read that. Right? -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

4 6

ansible-collection-community-mysql License Change
by Maxwell G 27 Aug '22

27 Aug '22

Hi Fedorians, The license of ansible-collection-community-mysql has been updated from "GPLv3+ and Python" to "GPL-3.0-or-later AND PSF-2.0 AND BSD-2-Clause". See https://src.fedoraproject.org/rpms/ansible-collection-community-mysql/c/242…. -- Thanks, Maxwell G (@gotmax23) Pronouns: He/Him/His

1 0

More Ansible license changes
by Maxwell G 26 Aug '22

26 Aug '22

Hi Fedorians, I'm back with more ansible license updates. Upstream, some of the community Ansible Collections have adopted the REUSE specification, which makes it much easier to determine the overall license. For collections that have adopted this, the license texts are all stored as files in one directory, instead of being spread out throughout the source tree as file headers. I would like to thank the upstream developers for working with me on this. The License tag of ansible-collection-community-general has changed from "GPLv3+ and BSD and Python" to "GPL-3.0-or-later AND BSD-2-Clause AND PSF-2.0 AND MIT". See https://src.fedoraproject.org/rpms/ansible-collection-community-general/pul…. The License tag of ansible has changed from "GPLv3+" to "GPL-3.0-or-later AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND MIT AND MPL-2.0 AND PSF-2.0". I cannot claim this to be 100% accurate, but I have done my best to determine the overall license. Note that ansible is a curated bundle of 103 Ansible collections, so this task is a bit difficult. See https://src.fedoraproject.org/rpms/ansible/pull-request/32. -- Thanks, Maxwell G (@gotmax23) Pronouns: He/Him/His

2 1

Is ECDSA secp256k1 elliptic curve permitted to be packaged in Fedora?
by Miro Hrončok 26 Aug '22

26 Aug '22

Hello legal. I see that ECDSA is already included in Fedora in various packages, so I assume that is OK. This software here: https://github.com/starkbank/ecdsa-python Says: > We currently support secp256k1 [curve]. Is that OK to package in Fedora or not? Thanks. -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

5 5

Consider changing the license change announcement policy
by Maxwell G 24 Aug '22

24 Aug '22

Hi Legal folks, Can you please consider removing the following rule? > Fedora package maintainers are expected to announce upstream license > changes that they become aware of on the Fedora devel list. -- https://docs.fedoraproject.org/en-US/legal/license-review-process/#_what_if… This creates unnecessary friction for packagers that simply wish to have correct License fields. I'm also not sure what purposes it serves. Richard explicitly said that Fedora does not concern itself with cross-package license compatibility. And even if it did, a "GPLv3+" to "GPL-3.0-or-later AND MIT" license change shouldn't cause any new license compatibility issues. -- Thanks, Maxwell G (@gotmax23) Pronouns: He/Him/His

3 3

Updating the Python license tag to SPDX and adjusting the license of Python documentation
by Miro Hrončok 23 Aug '22

23 Aug '22

Hello. I plan to update the license tag of Python interpreters in Fedora from "Python" to "Python-2.0.1". See this PR which added it to fedora-license-data: https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/61 See this PR to Python 3.11 (to be backported to older Pythons later): https://src.fedoraproject.org/rpms/python3.11/pull-request/78 I also plan to update the license of python3-docs to: Python-2.0.1 AND (Python-2.0.1 OR 0BSD) Because examples, recipes, and other code in the documentation are dual licensed under Python-2.0.1/0BSD. This was previously not reflected in the License tag. See this PR: https://src.fedoraproject.org/rpms/python3-docs/pull-request/82 Unfortunately, Python-2.0.1 is still not listed at https://docs.fedoraproject.org/en-US/legal/allowed-licenses/ -- Miro Hrončok -- Phone: +420777974800 IRC: mhroncok

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal August 2022