Hi Fedora Legal! 👋
I have a question about two packages in Fedora that are dependencies for goose, which our (Rodolfo's and my) team is working on packaging for Fedora. They are:
- *constant_time_eq* - https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/
- *tiny-keccak* - https://packages.fedoraproject.org/pkgs/rust-tiny-keccak
*constant_time_eq*'s upstream states it may be used under CC0, Apache 2.0, or MIT at the user's option: https://github.com/cesarb/constant_time_eq (see README)
*tiny-keccak* is CC0 only, though: https://github.com/debris/tiny-keccak
Goose is built in Rust, and we're looking at packaging it as a bundle and vendoring dependencies like these. They already exist in Fedora, but we're not sure what the policy is on pre-existing libraries like these.
Questions:
- Assuming just because these are already packaged in Fedora, doesn't mean they're ok to vendor in another Fedora package. Correct?
- Can we use one of the other licenses for *constant_time_eq* which are acceptable for Fedora packages? Or are there any concerns there?
- Do you have any advice on how to handle *tiny-keccak*'s license?
Greatly appreciate your help in advance!!
Thanks, ~m
On Thu, Jan 15, 2026 at 9:48 AM Máirín Duffy via legal <legal@lists.fedoraproject.org> wrote:
Hi Fedora Legal! 👋
I have a question about two packages in Fedora that are dependencies for goose, which our (Rodolfo's and my) team is working on packaging for Fedora. They are:
- *constant_time_eq* - https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/
- *tiny-keccak* - https://packages.fedoraproject.org/pkgs/rust-tiny-keccak
*constant_time_eq*'s upstream states it may be used under CC0, Apache 2.0, or MIT at the user's option: https://github.com/cesarb/constant_time_eq (see README)
*tiny-keccak* is CC0 only, though: https://github.com/debris/tiny-keccak
Goose is built in Rust, and we're looking at packaging it as a bundle and vendoring dependencies like these. They already exist in Fedora, but we're not sure what the policy is on pre-existing libraries like these.
Questions:
- Assuming just because these are already packaged in Fedora, doesn't mean they're ok to vendor in another Fedora package. Correct?
That is correct. If you're pulling them in normally, they are covered by the grandfather clause for now, but new stuff (including vendoring) will need fixes.
- Can we use one of the other licenses for *constant_time_eq* which are acceptable for Fedora packages? Or are there any concerns there?
As it is multi-licensed, there's no concern. In practice we'd just consider CC0 a null option.
- Do you have any advice on how to handle *tiny-keccak*'s license?
Ask the upstream to change to a suitable alternative? Usually I suggest MIT instead. If they accept the change, then you can pull that back into Fedora.
On Thu, Jan 15, 2026 at 9:51 AM Neal Gompa <ngompa13@gmail.com> wrote:
- Do you have any advice on how to handle *tiny-keccak*'s license?
Ask the upstream to change to a suitable alternative? Usually I suggest MIT instead. If they accept the change, then you can pull that back into Fedora.
Working on that. It's a cryptographic library though - is there any impact on how we view licensing given a work of that nature?
~m
On Thu, Jan 15, 2026 at 09:51:06AM -0500, Neal Gompa via legal wrote:
On Thu, Jan 15, 2026 at 9:48 AM Máirín Duffy via legal <legal@lists.fedoraproject.org> wrote:
Hi Fedora Legal! 👋
I have a question about two packages in Fedora that are dependencies for goose, which our (Rodolfo's and my) team is working on packaging for Fedora. They are:
- *constant_time_eq* - https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/
- *tiny-keccak* - https://packages.fedoraproject.org/pkgs/rust-tiny-keccak
*constant_time_eq*'s upstream states it may be used under CC0, Apache 2.0, or MIT at the user's option: https://github.com/cesarb/constant_time_eq (see README)
*tiny-keccak* is CC0 only, though: https://github.com/debris/tiny-keccak
Goose is built in Rust, and we're looking at packaging it as a bundle and vendoring dependencies like these. They already exist in Fedora, but we're not sure what the policy is on pre-existing libraries like these.
Questions:
- Assuming just because these are already packaged in Fedora, doesn't mean they're ok to vendor in another Fedora package. Correct?
That is correct. If you're pulling them in normally, they are covered by the grandfather clause for now, but new stuff (including vendoring) will need fixes.
- Can we use one of the other licenses for *constant_time_eq* which are acceptable for Fedora packages? Or are there any concerns there?
As it is multi-licensed, there's no concern. In practice we'd just consider CC0 a null option.
And in terms of the RPM License field, this means only listing the subset of license choices that are permitted in Fedora.
- Do you have any advice on how to handle *tiny-keccak*'s license?
Ask the upstream to change to a suitable alternative? Usually I suggest MIT instead. If they accept the change, then you can pull that back into Fedora.
There's also MIT-0 / 0BSD as very permissive options if that was their goal in choosing CC0 originally.
With regards, Daniel
On Thu, Jan 15, 2026 at 10:07 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
There's also MIT-0 / 0BSD as very permissive options if that was their goal in choosing CC0 originally.
Ooh great suggestion Dan!! I filed a request upstream and also emailed the author with that suggestion (https://github.com/debris/tiny-keccak/issues/62)
~m