[Bug 2269411] Review Request: bpfman - EBPF Program Manager

https://bugzilla.redhat.com/show_bug.cgi?id=2269411



--- Comment #18 from Fabio Valentini <decathorpe@xxxxxxxxx> ---
Sorry for the delay. Package looks pretty good, with some remaining and / or
new issues:

1. The license tag in the spec file is just "Apache-2.0".
This MUST reflect all statically linked crates, i.e. the summary printed by
%cargo_license_summary (which is itself a summary of the contents of the
LICENSE.dependencies file).

2. The license breakdown still contains crates without license information:

- : ring v0.17.8
- : sigstore_protobuf_specs v0.1.0-rc.2

I suggest that you patch the vendored Cargo.toml for "ring" to remove the
"license-file" metadata and add `license = "ISC AND MIT AND OpenSSL"` instead.

For sigstore_protobuf_specs, it looks like you're vendoring a *very old*
version that still had a non-standard license.
The latest versions (published within the last two months) all specify
"Apache-2.0" as their license.

for reference: https://crates.io/crates/sigstore_protobuf_specs/versions

3. "Thanks, this has been quite the pain. bpfman, for the workspace should be
only Apache-2.0. We've modified the specfile to address this and the other
licensing issues."

It's still not clear to me (even after your changes) why the project contains
license texts for BSD-2-Clause and GPL-2.0.
Are you implying these licenses only apply to files that don't end up in the
built package? Have you verified this?

4. You are still bundling a version of the fiat-crypto crate.

This crate contains implementations of elliptic-curve cryptography that is
*NOT* approved to be shipped by Fedora *in any form* (i.e. also not as source
code).

You will need to patch out any references to the p434 curve *before*
compressing the vendor tarball.
You can take the patch from the Fedora package for the crate
(rust-fiat-crypto).

see also:
https://lists.fedoraproject.org/archives/list/legal%40lists.fedoraproject.org/thread/FBZU2X7ZKTK2BVZKBHFUCI44SMY4UQCE/

