On 06/18/2018 03:56 AM, Florian Weimer wrote:
> libxcrypt contains some code from OpenSolaris to implement their
> password hashing. It's licensed under the CDDL:
> * CDDL HEADER START
> * The contents of this file are subject to the terms of the
> * Common Development and Distribution License, Version 1.0 only
> * (the "License"). You may not use this file except in compliance
> * with the License.
> * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
> * or http://www.opensolaris.org/os/licensing
> * See the License for the specific language governing permissions
> * and limitations under the License.
> * When distributing Covered Code, include this CDDL HEADER in each
> * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
> * If applicable, add the following below this CDDL HEADER, with the
> * fields enclosed by brackets "[]" replaced with your own identifying
> * information: Portions Copyright [yyyy] [name of copyright owner]
> * CDDL HEADER END
> * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
> * Use is subject to license terms.
> The rest of the library is a combination of 3-clause BSD, 2-clause BSD
> (ISC), LGPLv2+, CC0 or a public domain dedication,
> Applications do not link to this code directly, but they will use it
> automatically if needed, e.g. if /etc/shadow contains passwords hashed
> in this way.
> Is this a problem? I think we could patch libxcrypt to remove support
> at run-time if necessary, with little practical impact.
Well, it is a problem for any consumer of libxcrypt that is GPL
licensed. Since it seems quite a lot of things depend on libxcrypt in
Fedora (and it also seems extremely unlikely that Fedora will ever need
to support OpenSolaris password hashing), I would recommend that
libxcrypt be patched to not include that code (a ./configure option that
results in it not being compiled in the library should be sufficient).
If we change libxcrypt not to build the CDDL bits, what should we put
into the RPM License tag? Should we still list the CDDL even though it
does not apply to the binaries?