https://bugzilla.redhat.com/show_bug.cgi?id=1310092

Peter Robinson <pbrobinson@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pbrobinson@xxxxxxxxx
             Blocks|                            |182235 (FE-Legal)
           Assignee|hobbes1069@xxxxxxxxx        |pbrobinson@xxxxxxxxx

--- Comment #37 from Peter Robinson <pbrobinson@xxxxxxxxx> ---
I have concerns about the bundled cryptlib:

* Some of the included ECC curves haven't been approved (see rhbz 1019390)
  by legal AFAICT:
  - Brainpool p256r1
  - Brainpool p384r1
  - Brainpool p512r1
* The license needs clarification, as while it states
  (http://www.cryptlib.com/security-software/licensing) it's an open source
  license, it also states "All cryptlib users must have a valid software
  license. Please contact the cryptlib sales team for further details."
  It also states in the COPYING file that the website takes precedence, so
  it could change at any time without our knowledge and the version shipped
  would have legal issues.

Why was this classified as "Not applicable"? I don't see why cryptlib
shouldn't be shipped separately [2]. Was there an FPC ticket for this
exception?

[-]: Package contains no bundled libraries without FPC exception.

A few other things to note:

* on x86_64 only. It explicitly states in the description "This external
  device can be another Linux computer dedicated to this task or a Beagle
  Bone or a Raspberry Pi. (https://crypto-bone.com)" which tells me it
  should be built on at least ARMv7, otherwise the description is misleading.
  Also note the architecture Packaging guidelines [1]. I don't see any
  reason not to build this on all arches.
* It packages a zlib; that should be using the distro version.
* I also, personally, believe it should be running non-root as its own user.
  No "secure" application should have any need to run as root. But that is
  my opinion.
So I'm going to:
* take over this BZ review
* block the package while we confirm the legal details of the ECC curves
  and license with legal.

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#Architecture_Support
[2] https://fedoraproject.org/wiki/Bundled_Software_policy

Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=182235
[Bug 182235] Fedora Legal Tracker