https://bugzilla.redhat.com/show_bug.cgi?id=2269411

--- Comment #18 from Fabio Valentini <decathorpe@xxxxxxxxx> ---
Sorry for the delay.

Package looks pretty good, with some remaining and / or new issues:

1. The license tag in the spec file is just "Apache-2.0". This MUST reflect all statically linked crates, i.e. the summary printed by %cargo_license_summary (which is itself a summary of the contents of the LICENSE.dependencies file).

2. The license breakdown still contains crates without license information:

   - : ring v0.17.8
   - : sigstore_protobuf_specs v0.1.0-rc.2

   I suggest that you patch the vendored Cargo.toml for "ring" to remove the "license-file" metadata and add `license = "ISC AND MIT AND OpenSSL"` instead.

   For sigstore_protobuf_specs, it looks like you're vendoring a *very old* version that still had a non-standard license. The latest versions (published within the last two months) all specify "Apache-2.0" as their license.

   For reference: https://crates.io/crates/sigstore_protobuf_specs/versions

3. "Thanks, this has been quite the pain. bpfman, for the workspace should be only Apache-2.0. We've modified the specfile to address this and the other licensing issues."

   It's still not clear to me (even after your changes) why the project contains license texts for BSD-2-Clause and GPL-2.0. Are you implying these licenses only apply to files that don't end up in the built package? Have you verified this?

4. You are still bundling a version of the fiat-crypto crate. This crate contains implementations of elliptic-curve cryptography that is *NOT* approved to be shipped by Fedora *in any form* (i.e. also not as source code). You will need to patch out any references to the p434 curve *before* compressing the vendor tarball. You can take the patch from the Fedora package for the crate (rust-fiat-crypto).
see also: https://lists.fedoraproject.org/archives/list/legal%40lists.fedoraproject.org/thread/FBZU2X7ZKTK2BVZKBHFUCI44SMY4UQCE/

--
package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx