https://bugzilla.redhat.com/show_bug.cgi?id=2269411

Daniel Mellado <dmellado@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(decathorpe@gmail.
                   |                            |com)

--- Comment #21 from Daniel Mellado <dmellado@xxxxxxxxxx> ---
(In reply to Fabio Valentini from comment #18)
> Sorry for the delay. Package looks pretty good, with some remaining and / or
> new issues:
>
> 1. The license tag in the spec file is just "Apache-2.0".
> This MUST reflect all statically linked crates, i.e. the summary printed by
> %cargo_license_summary (which is itself a summary of the contents of the
> LICENSE.dependencies file).
>
> 2. The license breakdown still contains crates without license information:
>
> - : ring v0.17.8
> - : sigstore_protobuf_specs v0.1.0-rc.2
>
> I suggest that you patch the vendored Cargo.toml for "ring" to remove the
> "license-file" metadata and add `license = "ISC AND MIT AND OpenSSL"`
> instead.
>
> For sigstore_protobuf_specs, it looks like you're vendoring a *very old*
> version that still had a non-standard license.
> The latest versions (published within the last two months) all specify
> "Apache-2.0" as their license.
>
> for reference: https://crates.io/crates/sigstore_protobuf_specs/versions
>
> 3. "Thanks, this has been quite the pain. bpfman, for the workspace should
> be only Apache-2.0. We've modified the specfile to address this and the
> other licensing issues."
>
> It's still not clear to me (even after your changes) why the project
> contains license texts for BSD-2-Clause and GPL-2.0.
> Are you implying these licenses only apply to files that don't end up in the
> built package? Have you verified this?
>
> 4. You are still bundling a version of the fiat-crypto crate.
>
> This crate contains implementations of elliptic-curve cryptography that is
> *NOT* approved to be shipped by Fedora *in any form* (i.e. also not as
> source code).
>
> You will need to patch out any references to the p434 curve *before*
> compressing the vendor tarball.
> You can take the patch from the Fedora package for the crate
> (rust-fiat-crypto).
>
> see also:
> https://lists.fedoraproject.org/archives/list/legal%40lists.fedoraproject.org/thread/FBZU2X7ZKTK2BVZKBHFUCI44SMY4UQCE/

Hi Fabio, thanks for your comments.

I've fetched the script in
https://koji.fedoraproject.org/koji/fileinfo?rpmID=39412032&filename=0001-remove-references-to-code-related-to-the-p434-curve.patch
and applied it to the fiat-crypto sources.

As we commented over Matrix, I've also removed the commit id from the specfile
and now I do mention it directly in the tag.

My steps over here are:

    cargo vendor --versioned-dirs
    <mangle fiat-crypto here> (patch -p1 < )
    tar -Jcvf ../tarball.xz vendor/

But now, using the updated specfile and vendor here:

Spec URL: https://dmellado.fedorapeople.org/bpfman/bpfman.spec
SRPM URL: https://dmellado.fedorapeople.org/bpfman/bpfman-0.5.1-vendor.tar.xz

I hit an issue about the offline mode (which IIUC shouldn't be triggered as
we're vendoring):
https://paste.opendev.org/show/bW7HO1ssP3Xq0M8OCcAF/

Mind taking a look? Thanks!

--
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
https://bugzilla.redhat.com/show_bug.cgi?id=2269411

Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-spam&short_desc=Report%20of%20Bug%202269411%23c21
--
_______________________________________________
package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
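The two review findings above (vendored crates whose Cargo.toml carries no SPDX `license` field, and fiat-crypto sources that still reference the p434 curve after vendoring) can both be checked mechanically before the vendor tarball is compressed. The script below is an added example, not code from the bug report, the bpfman project or the Fedora packaging tools: it walks a `cargo vendor --versioned-dirs` output tree, reads each crate's `[package]` table with a small regex-based reader (not a full TOML parser; assumed sufficient for the `license` / `license-file` keys), and greps every file in each crate for the curve identifier. The sample vendor tree it builds in a temporary directory is constructed for the demonstration; its crate directory names, versions, license strings and file contents are illustrative and do not describe the real vendored set.

```python
"""Audit a cargo vendor/ tree for missing SPDX license fields and p434 leftovers.

Added example for the review findings above; not part of the bug report or of
the bpfman package. The sample crate tree is constructed and runs offline.
"""
import os
import re
import tempfile

# `key = "value"` lines inside a TOML table; enough for license / license-file.
_KV_RE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"')
_TABLE_RE = re.compile(r'^\s*\[([^\]]+)\]')


def package_license_fields(cargo_toml_text):
    """Return (license, license_file) from the [package] table; None if absent."""
    in_package = False
    license_spdx = license_file = None
    for line in cargo_toml_text.splitlines():
        table = _TABLE_RE.match(line)
        if table:
            in_package = table.group(1).strip() == "package"
            continue
        if not in_package:
            continue
        kv = _KV_RE.match(line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2)
        if key == "license":
            license_spdx = value
        elif key == "license-file":
            license_file = value
    return license_spdx, license_file


def audit_vendor_dir(vendor_root, forbidden_token="p434"):
    """Return {"missing_license": [crate dirs], "forbidden_hits": [files]}.

    A crate with only `license-file` (ring's case in the review) counts as
    missing, because %cargo_license_summary needs an SPDX expression.
    """
    missing, hits = [], []
    for crate in sorted(os.listdir(vendor_root)):
        crate_dir = os.path.join(vendor_root, crate)
        manifest = os.path.join(crate_dir, "Cargo.toml")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            spdx, _license_file = package_license_fields(fh.read())
        if not spdx:
            missing.append(crate)
        for dirpath, _dirs, files in os.walk(crate_dir):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    body = fh.read()
                # Flag both file names and file contents mentioning the curve.
                if forbidden_token in name or forbidden_token in body:
                    hits.append(os.path.relpath(path, vendor_root).replace(os.sep, "/"))
    return {"missing_license": missing, "forbidden_hits": sorted(hits)}


def build_sample_vendor(root):
    """Write a constructed vendor/ tree that reproduces the review findings."""
    crates = {
        # license-file only, as the review describes for ring (constructed manifest)
        "ring-0.17.8": ('[package]\nname = "ring"\nversion = "0.17.8"\n'
                        'license-file = "LICENSE"\n', {"src/lib.rs": "// ring\n"}),
        # no license metadata at all (constructed)
        "sigstore_protobuf_specs-0.1.0-rc.2": (
            '[package]\nname = "sigstore_protobuf_specs"\nversion = "0.1.0-rc.2"\n',
            {"src/lib.rs": "// protos\n"}),
        # constructed version and files; still carries the curve the patch removes
        "fiat-crypto-0.0.0-example": (
            '[package]\nname = "fiat-crypto"\nversion = "0.0.0"\nlicense = "MIT OR Apache-2.0"\n',
            {"src/p434_32.rs": "// p434 field arithmetic\n", "src/lib.rs": "mod p434_32;\n"}),
        # clean crate (constructed)
        "anyhow-1.0.0-example": (
            '[package]\nname = "anyhow"\nversion = "1.0.0"\nlicense = "MIT OR Apache-2.0"\n',
            {"src/lib.rs": "// fine\n"}),
    }
    vendor = os.path.join(root, "vendor")
    for crate, (manifest, files) in crates.items():
        os.makedirs(os.path.join(vendor, crate, "src"), exist_ok=True)
        with open(os.path.join(vendor, crate, "Cargo.toml"), "w", encoding="utf-8") as fh:
            fh.write(manifest)
        for rel, body in files.items():
            with open(os.path.join(vendor, crate, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
    return vendor


def run_sample_audit():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_vendor_dir(build_sample_vendor(tmp))


if __name__ == "__main__":
    report = run_sample_audit()
    print("crates without an SPDX license field:", report["missing_license"])
    print("files still mentioning p434:", report["forbidden_hits"])
```

Run against a real tree with `audit_vendor_dir("vendor")` after `cargo vendor --versioned-dirs` and before `tar`; an empty `forbidden_hits` list confirms the rust-fiat-crypto patch applied cleanly, and an empty `missing_license` list means every crate can contribute an SPDX expression to the spec's License tag.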