legal

legal@lists.fedoraproject.org

4 participants
1410 discussions

Fwd: Question about licensing for data shipped with Goose
by Rodolfo Olivieri 13 Feb '26

13 Feb '26

Hi, folks! I'm forwarding to this mailing list the thread resulting from the last comment received on my package review in Bugzilla ( https://bugzilla.redhat.com/show_bug.cgi?id=2428704#c11) Apparently, most of the mentioned files are trivial, so I'm thinking of keeping them to facilitate the packaging work and not have to deal with removal/skipping tests. Regarding the image found in the test code, I opted to remove it to avoid future complications. Any thoughts on this? Regards, Rodolfo Olivieri. ---------- Forwarded message --------- From: Richard Fontana <rfontana(a)redhat.com> Date: Wed, Feb 11, 2026 at 4:28 PM Subject: Re: Question about licensing for data shipped with Goose To: Máirín Duffy <duffy(a)redhat.com> Cc: Rodolfo Olivieri <rolivier(a)redhat.com> I didn't read the discord conversation because I couldn't authenticate with the account I apparently have and didn't want to create another one... with that caveat: - I would just assume the stuff here https://github.com/block/goose/tree/main/crates/goose-cli/src/scenario_test… is too trivial to worry about - I would assume the stuff here https://github.com/block/goose/tree/main/crates/goose-mcp/src/computercontr… is too trivial to worry about I'd push a little with the upstream on the goose image since it's the kind of thing that you might expect a human would claim copyright on and I don't see any specific reason to assume it's AI-generated. If they say they're reasonably sure it was AI-generated then I'd take their word for it and assume it is not copyrighted. If they just don't know, I'd remove the content. Richard On Wed, Feb 11, 2026 at 1:39 PM Máirín Duffy <duffy(a)redhat.com> wrote: > Hey Richard, > > Goose ships a png file and some CSV files as part of Goose that are part > of their test suite. This came up in packaging review in Fedora as a > potential licensing issue and concerns about redistributing the content. > The Goose developers believe the content is LLM-generated but we weren't > able to get more details on its origin. > > This is the conversation with Goose upstream: > > https://discord.com/channels/1287729918100246654/1287729920319033345/147076… > > This is the actual content in question: > > - > https://github.com/block/goose/tree/main/crates/goose-cli/src/scenario_test… > - > https://github.com/block/goose/tree/main/crates/goose-cli/src/scenario_test… > - > https://github.com/block/goose/tree/main/crates/goose-mcp/src/computercontr… > > > The bugzilla with the package reviwe and more specifics is here (points #2 > and #4): > https://bugzilla.redhat.com/show_bug.cgi?id=2428704#c11 > > We were wondering how you'd advise handling this - drop the content > entirely from the package, ask Goose upstream to explicitly license it > under a license you could recommend for us, or something else? > > TIA, > ~m > > Máirín "Mo" Duffy she/her/hers > > Distinguished Engineer, ⚡ RHEL Lightspeed > > Boston, MA, USA > <https://www.redhat.com/> > -- Richard Fontana IBM Legal (supporting Red Hat) -- Rodolfo Olivieri He/Him Principal Software Engineer, RHEL Lightspeed Red Hat <https://www.redhat.com> rolivier(a)redhat.com @redhatbr <https://twitter.com/redhatbr> @red-hat <https://www.linkedin.com/company/red-hat> @redhatbrasil <https://www.facebook.com/redhatbrasil> <https://www.redhat.com> <https://redhat.com/options>

3 4

Dolby Digital Plus (E-AC3) patents have now expired. Time to add it to fedora
by spaceshipgalore＠outlook.com 01 Feb '26

01 Feb '26

The last Dolby Digital Plus (E-AC3) patent US7516064 expired today. Please add it to fedora. more info: https://hydrogenaudio.org/index.php?topic=122053.0

2 1

antlr3 and a not-allowed license
by Jerry James 31 Jan '26

31 Jan '26

I've been using scancode to take an in-depth look at packages I maintain. I'm up to packages that start with "a"! While looking at the antlr3 package, I found that it contains 3 files with the LicenseRef-Unicode-legacy-source-code license, which is not allowed for Fedora [1]. The files are part of the C/C++ backend. They have been built into binary RPMs for Fedora since 2010 [2] (Fedora 12?). Repoquery shows that nothing in Fedora uses the C/C++ backend. I will build updates for F42, F43, and Rawhide that disable it. My question is whether I need to do anything more than that. Do I need to scrub the offending files out of the tarball, for example? References: [1] https://gitlab.com/fedora/legal/fedora-license-data/-/blob/main/data/Licens… [2] https://src.fedoraproject.org/rpms/antlr3/c/6398229d293262736484dc0e3d7a87b… -- Jerry James http://www.jamezone.org/

4 6

Re: Question about two Fedora packages that are CC0
by Neal Gompa 16 Jan '26

16 Jan '26

On Fri, Jan 16, 2026 at 7:19 AM Rodolfo Olivieri <rolivier(a)redhat.com> wrote: > Hi, folks! > > Looking at the dependency tree of Goose, I saw that they were pulling a > package that was not needed for their application, thus, pulling > *tiny-keccak* as part of it. I just disabled the default-features for > that single dependency and now *tiny-keccak *is not present anymore 🎉 > > Still, regarding *constant_time_eq*, if my understanding is correct, > since it's multi-licensed we are fine in this case? > Yes, just make sure to omit CC0-1.0 as a choice for code. If non-code stuff is CC0, then the license is still valid and must be identified. I do recommend that you package the dependencies individually though, otherwise it's going to be messy when it comes to auditing, fixing, and upgrading dependencies. -- 真実はいつも一つ！/ Always, there's only one truth!

1 0

Question about two Fedora packages that are CC0
by Máirín Duffy 15 Jan '26

15 Jan '26

Hi Fedora Legal! 👋 I have a question about two packages in Fedora that are dependencies for goose, which our (Rodolfo and I's) team are working on packaging for Fedora. They are: - *constant_time_eq* - https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/ - *tiny-keccak - * https://packages.fedoraproject.org/pkgs/rust-tiny-keccak *constant_time_eq*'s upstream states it may be used under CC0, Apache 2.0, or MIT at the user's option: https://github.com/cesarb/constant_time_eq (see README) *tiny-keccak *is CC0 only, though: https://github.com/debris/tiny-keccak Goose is built in Rust, and we're looking at packaging it as a bundle and vendoring dependencies like these. They already exist in Fedora, but not sure what the policy is on pre-existing libraries like these. Questions: - Assuming just because these are already packaged in Fedora, doesn't mean they're ok to vendor in another Fedora package. Correct? - Can we use one of the other licenses for *constant_time_eq* which are acceptable for Fedora packages? Or are there any concerns there? - Do you have any advice on how to handle *tiny-keccak*'s license? Greatly appreciate your help in advance!! Thanks, ~m

3 4

CC0-1.0 in tree-sitter-clojure / tree-sitter-clojure-orchard, previously vendored into rust-difftastic
by Michel Lind 29 Dec '25

29 Dec '25

Dear all, I maintain the `rust-difftastic` package, a structural diff tool; in a recent update it has started unbundling the tree-sitter parsers it used, and as part of the review process for the new crates, this came up: https://bugzilla.redhat.com/show_bug.cgi?id=2421761 - difftastic previously used tree-sitter-clojure - this is CC0-1.0 licensed which is no longer allowed for code in Fedora (but this usage might be considered grandfathered in -- though we'd need to file for a retroactive exemption I guess) - https://lwn.net/Articles/902410/ - tree-sitter-clojure is then forked to tree-sitter-clojure-orchard - conversation: https://github.com/Wilfred/difftastic/pull/915 - citing upstream not uploading to crates.io. Apparently there's yet another fork as well (which requires a newer Rust version) - the fork difftastic ended up using claims it is MIT licensed: https://codeberg.org/grammar-orchard/tree-sitter-clojure-orchard/blame/bran… - but the LICENSE file it bundled is still CC0-1.0 which is how this issue was surfaced Any suggestion how to proceed here? I'm temporarily yanking the Clojure support out of difftastic until this is resolved. Of question: - is such a relicensing away from CC0-1.0 by a fork allowed? In which case I will put up a PR to the fork so it carries both license texts and explain the relicensing - if not, does the grandfathering of existing CC0-1.0 software cover forks too? The difftastic upstream (cc:ed), after I brought this to his attention, has requested that the original tree-sitter-clojure be dual-licensed CC0/MIT, which will resolve this too: https://github.com/sogaiu/tree-sitter-clojure/issues/71 Best regards, -- _o) Michel Lind _( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2 README: https://fedoraproject.org/wiki/User:Salimma#README

1 0

Microsoft DevCon - OK to redistribute?
by Richard W.M. Jones 19 Nov '25

19 Nov '25

We're thinking of using the DevCon tool inside virt-v2v: https://github.com/microsoft/Windows-driver-samples/tree/main/setup/devcon The license on the files looks like Microsoft proprietary ("All Rights Reserved", no other information). However the license of the repository as a whole is MS-PL which is on the Allowed list: https://github.com/microsoft/Windows-driver-samples/blob/main/LICENSE So I'm really looking for an opinion on whether this is good enough for Fedora, or if we need to get some clarification (from Microsoft?) This was asked about before, and not really answered clearly: https://github.com/microsoft/Windows-driver-samples/issues/60 Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit

4 7

15 Nov '25

Hello Legal, My name is Michael Winters, typically known here as @mwinters. I have some questions about Fedora's data privacy policies, which I'll provide a bit of context to first. There has been a long-standing desire within Fedora for better tools with which to analyze our user data and understand our community so that we can improve it. To this end, I have recently created a "Data Lakehouse" proof of concept known as "Hatlas", available at https://hatlas.mwinters.net . This technology consolidates data from existing public Fedora datasets and provides simplified tools to facilitate public access and analysis. Since these datasets were previously quite difficult to access, I believe that most people are unaware of what data exists about them within Fedora and/or the fact that it's being published publicly. I expect that the announcement of easy access to this data will raise some community concerns about data privacy, so this email is in anticipation of those concerns. I wish to have clear resources to refer people to, and current resources such as https://docs.fedoraproject.org/en-US/legal/privacy/ have left some questions open. In particular, many of these datasets include usernames and records of user activity tied to those usernames, e.g. the contents and exact timing of forum posts, git commits, group membership changes, etc. My current questions are: 1) Does an arbitrary username (not necessarily tied to a real name) constitute PII which must be protected / anonymized? It is not currently anonymized in Fedora datasets. 2) Do current Fedora policies permit collecting user activity tied to usernames? This is not explicitly stated under "Information We Collect", though it is mentioned later under "Using (Processing) Your Personal Data." 3) Do current Fedora policies permit publishing user activity tied to usernames? Section "Sharing Your Personal Data" does mention "For research activities", but it does not specify that data must be shared *only* in aggregate. 4) How does GDPR view downstream users of public data sources, i.e. Hatlas? Is Hatlas a "data processor"? Must Hatlas integrate with Fedora's Personal Data Removal process? We intend to do so, but there seems to be no obligation for either party. 5) Are there any data licenses applicable to downstream users such as Hatlas? I intend to apply one restricting the use of Hatlas data to non-commercial purposes, but there seem to be no restrictions coming from Fedora. Thanks in advance! Michael Winters

7 14

hashcat 7 and new software copied over
by Carlos Rodriguez-Fernandez 25 Oct '25

25 Oct '25

Hi, I'm currently working on hashcat 7, and in comparison with version 6 (currently in Fedora Linux), the project copied a few components code into its own repo [1]. These new components, not in Fedora Linux already, and not already handled in hashcat 6 are: * phc-winner-argon2. A reference implementation of argon2. License choice of Apache License 2 or CC0 1 * scrypt-jane. License choice of MIT or Public Domain * sse2neon. License MIT * yescrypt. License BSD-2-Clause (Simplified) My initial investigation tells me there are not patents on any of these cryptography libs. I'm writing to ask if the legal team could please double check this to make sure everything is fine before proceeding with the update. Thank you, Carlos R.F. [1] https://github.com/hashcat/hashcat/tree/v7.1.2/deps

2 3

GPL-3.0-or-later WITH GCC-exception-2.0
by Mark Wielaard 19 Oct '25

19 Oct '25

Hi, Valgrind has been upgraded to GPLv3+. I was packaging valgrind-3.26.0-RC1 and redid the License tags. There is one new tag where rpminspect complains: GPL-3.0-or-later WITH GCC-exception-2.0 https://artifacts.dev.testing-farm.io/3ccb5ff4-8019-45ff-ac91-f4642d28ed8f/ BAD Unapproved license in valgrind-1:3.26.0-0.1.RC1.fc44.src: GPL-3.0-or-later WITH GCC-exception-2.0 Not Waivable Suggested remedy: The specified license abbreviation is not listed as approved in the\nlicense database. The license database is specified in the rpminspect\nconfiguration file. Check this file and send a pull request to the\nappropriate upstream project to update the database. If the license\nis listed in the database but marked unapproved, you may need to work\nwith the legal team regarding options for this software.\n It is not clear to me which/where this license database is or which configuration file is being referred to. So I am hoping someone on this list can point me to that and let me know whether and how to update it to allow GPL-3.0-or-later WITH GCC-exception-2.0. For reference the files in question have this header: This file is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. In addition to the permissions in the GNU General Public License, the Free Software Foundation gives you unlimited permission to link the compiled version of this file into combinations with other programs, and to distribute those combinations without any restriction coming from the use of this file. (The General Public License restrictions do apply in other respects; for example, they cover modification of the file, and distribution when not linked into a combined executable.) Thanks, Mark

3 2

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

legal