Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=481536

Toshio Ernie Kuratomi <a.badger@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |a.badger@xxxxxxxxx

--- Comment #11 from Toshio Ernie Kuratomi <a.badger@xxxxxxxxx> 2009-05-27 12:16:04 EDT ---

Your comments explain why you've decided to bundle the libraries in with enano. What they do not do is explain how you've mitigated the problems with bundling libraries:

1) Bundling libraries means that whenever a security issue comes up in a library we have to first find the applications that bundle those libraries, then fix the version in that application (which could be an older version or forked from mainline and so not just a matter of applying an update).

2) We have to audit the code to find out if there are licensing issues. With just a quick look at the code, I've found that:

* includes/captcha/engine_failsafe.php: is GPL (v2 only) (so Enano as a whole would need to be GPLv2 only, not GPLv2 or later.)

* includes/clientside/admin-menu.js: the Tigra Tree Menu should be looked at by spot/FSF. The term "header" needs to be clarified and we need to know if this usage is in compliance.

* includes/wikiengine/Render/Plain/Prefilter.php: is licensed under the PHP license v2.0 which is GPL incompatible. So its use with Enano might not be okay.

* includes/graphs.php: is licensed under the PHP license v3.01 which is GPL incompatible. Once again, this might not be okay.

* includes/graphs.php also has this sketchy bit of text:

"""
// Graph Generator for PHP
// Originally located at http://szewo.com/php/graph, but link was broken, so this file was retrieved from:
// http://web.archive.org/web/20030130065944/szewo.com/php/graph/graph.class.php3.txt
// License unknown, however sources on the web have shown this to be either GPL or public domain.
"""

If the link is broken and the license is unknown, what leads you to think that the code is public domain? At best some citation is missing. At worst, this has to be removed/remaining pieces will need to be rewritten for Enano.

* There are many files that reference external files for the details of their license information, for example GPL-LICENSE.txt

Remember, this wasn't an exhaustive search -- it was only a series of quick greps to look for especially problematic files.

_______________________________________________
Fedora-package-review mailing list
Fedora-package-review@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-package-review
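The "quick greps" the reviewer describes can be made repeatable so that a package reviewer gets the same triage list every time a bundled tree is re-audited. The script below is an added example, not code from the bug report, from Fedora, or from the Enano project. It inspects the top of each source file for the markers raised in the comment (a GPLv2-only grant, the PHP license, a "License unknown" note, a pointer to an external license file, or no license marker at all) and reports them as flags for a human to look at, not as licensing verdicts. The sample tree is constructed inline: the file paths mirror the ones named in the comment, while includes/common.php and includes/vendor/helper.php are invented for the demo.

```python
"""License-header triage scanner (added example; assumes a constructed sample tree)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

HEADER_LINES = 40  # a quick grep looks at the top of the file, not the whole thing

# Markers worth a reviewer's attention. These are triage flags, not verdicts;
# the actual compliance call still belongs to a person (or spot/FSF, per the comment).
PHP_LICENSE = re.compile(r"\bPHP\s+Licen[cs]e\b", re.I)
UNKNOWN = re.compile(r"\bLicen[cs]e\s+unknown\b", re.I)
EXTERNAL_FILE = re.compile(r"\b[\w-]*(LICENSE|COPYING)(\.txt)?\b")  # e.g. GPL-LICENSE.txt
GPL = re.compile(r"GNU\s+General\s+Public\s+Licen[cs]e|\bGPL\b", re.I)
GPL_V2 = re.compile(r"\bversion\s+2\b|\bGPL\s*v?2\b", re.I)
LATER = re.compile(r"any\s+later\s+version|or\s+later", re.I)
ANY_LICENSE_WORD = re.compile(r"licen[cs]e|copyright|\bGPL\b|\bBSD\b|\bMIT\b", re.I)


def scan_header(text: str) -> list[str]:
    """Return the triage tags that apply to the header of one source file."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    tags: list[str] = []
    if PHP_LICENSE.search(head):
        tags.append("php-license")          # GPL-incompatible, per the review comment
    if UNKNOWN.search(head):
        tags.append("license-unknown")      # provenance must be established or code removed
    if GPL.search(head) and GPL_V2.search(head) and not LATER.search(head):
        tags.append("gpl-v2-only")          # would pin the whole package to GPLv2 only
    if EXTERNAL_FILE.search(head):
        tags.append("external-license-file")  # terms live elsewhere; check that file ships
    if not ANY_LICENSE_WORD.search(head):
        tags.append("no-license-marker")    # nothing at all to go on
    return tags


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (relative POSIX path) to its tags; clean files are omitted."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in {".php", ".js"}:
            tags = scan_header(path.read_text(encoding="utf-8", errors="replace"))
            if tags:
                findings[path.relative_to(root).as_posix()] = tags
    return findings


# Constructed sample tree. The first four paths are the ones named in the comment;
# the header text in each is a short stand-in written for this demo.
SAMPLE_FILES = {
    "includes/captcha/engine_failsafe.php": (
        "<?php\n// This program is free software; you can redistribute it and/or modify\n"
        "// it under the terms of the GNU General Public License version 2\n"
        "// as published by the Free Software Foundation.\n"),
    "includes/wikiengine/Render/Plain/Prefilter.php": (
        "<?php\n// This source file is subject to version 2.0 of the PHP License.\n"),
    "includes/graphs.php": (
        "<?php\n// Graph Generator for PHP\n"
        "// License unknown, however sources on the web have shown this to be either GPL or public domain.\n"),
    "includes/clientside/admin-menu.js": (
        "// Tigra Tree Menu\n// See GPL-LICENSE.txt for the license text.\n"),
    # invented for the demo: a properly marked file and an unmarked one
    "includes/common.php": (
        "<?php\n// Enano CMS\n// Licensed under the GNU General Public License, version 2 or\n"
        "// (at your option) any later version.\n"),
    "includes/vendor/helper.php": "<?php\nfunction helper() { return 1; }\n",
}


def build_sample_tree() -> Path:
    """Write the constructed sample files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="enano-demo-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, tags in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(tags)}")
```

Run it against a real unpacked source tree by replacing build_sample_tree() with the tree's root. The "gpl-v2-only" rule is deliberately conservative: a header that names version 2 without an "any later version" clause is flagged even if a separate COPYING file says otherwise, because that is exactly the case the reviewer wants a human to resolve.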