On 17.09.2007 22:30, Tom "spot" Callaway wrote: > Some of Fedora's packages are using an MD5 implementation which is under > a GPLv2/v3 incompatible license, specifically, the RSA implementation > which is under BSD with advertising. Uhhpps. > http://www.tux.org/pub/security/md5/md5.c The requested URL /pub/security/md5/md5.c was not found on this server. > http://www.tux.org/pub/security/md5/md5.h > > We've identified packages which are possibly using this implementation, > and all maintainers are on CC. Please take a moment to look at your > packages and check to see if this md5 implementation is used. > [...] > mail-notification > [...] > > If your package is on this list, please email me back and let me know > once you've checked the md5 implementation. If it is the RSA > implementation, we're going to need to replace it (coreutils has a GPL > compatible implementation that should be a drop in). My package mail-notification is GPL and uses it. :-/ But why are "*we* going to need to replace it"? Is the issue that urgent so there is not even 24 or 72 hours to talk to upstream to make them aware of the issue first? Then maybe upstream can fix it quickly once and for all and for all distributions? Or are we not allowed to talk about this in public bug trackers? CU knurd _______________________________________________ Fedora-legal-list mailing list Fedora-legal-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legal-list
