On Fri, Jan 16, 2026 at 7:19 AM Rodolfo Olivieri rolivier@redhat.com wrote:
> Hi, folks!
> Looking at the dependency tree of Goose, I saw that they were pulling a package that was not needed for their application, thus pulling *tiny-keccak* as part of it. I just disabled the default-features for that single dependency and now *tiny-keccak* is not present anymore 🎉
> Still, regarding *constant_time_eq*, if my understanding is correct, since it's multi-licensed, we are fine in this case?
Yes, just make sure to omit CC0-1.0 as a choice for code. If non-code stuff is CC0, then the license is still valid and must be identified.
I do recommend that you package the dependencies individually, though; otherwise it's going to be messy when it comes to auditing, fixing, and upgrading dependencies.
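A concrete illustration of the default-features change Rodolfo describes, added here as an example and not taken from Goose's own manifest: the dependency name `some-dep`, its version, and the feature names `keccak` and `std` are assumptions, since the thread does not say which crate pulled `tiny-keccak` in or which feature enabled it.

```toml
# Cargo.toml (constructed example, not Goose's real manifest)

[package]
name = "goose-example"
version = "0.1.0"
edition = "2021"

[dependencies]
# Before: default features enabled, so the (assumed) "keccak" default
# feature of some-dep drags tiny-keccak into the dependency tree.
# some-dep = "1.0"

# After: opt out of the defaults and list only the features actually used.
# With default-features = false the optional "keccak" feature stays off,
# so tiny-keccak and anything it depends on drop out of the tree.
some-dep = { version = "1.0", default-features = false, features = ["std"] }
```

To confirm the crate is really gone, run `cargo tree -i tiny-keccak` from the project root: it prints the reverse dependency path if the crate is still present, and reports that the package ID specification matched nothing once it is not. `cargo tree -e features` shows which features each dependency ends up with. One caveat worth checking: Cargo unifies features across the whole graph, so if any other crate in the tree depends on `some-dep` with its default features enabled, the default set (and `tiny-keccak` with it) comes back regardless of this one line, which is exactly the kind of thing packaging each dependency separately makes easier to audit.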