Bug 452453

Summary: Review Request: perl-Crypt-RIPEMD160 - Perl extension for the RIPEMD-160 Hash function
Product: [Fedora] Fedora
Component: Package Review
Version: rawhide
Reporter: Nigel Jones <dev>
Assignee: Jason Tibbitts <tibbs>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dennis, fedora-package-review, msuchy, notting, ppisar, tcallawa
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Flags: ppisar: fedora-review-
Hardware: All
OS: Linux
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1172238
Doc Type: Bug Fix
Last Closed: 2008-10-23 17:41:26 EDT
Bug Blocks: 182235, 201449, 452450

Description Nigel Jones 2008-06-22 22:50:37 EDT
Spec URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160.spec
SRPM URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160-0.04-14.fc9.src.rpm
Description: 
The Crypt::RIPEMD160 module allows you to use the RIPEMD160 Message Digest
algorithm from within Perl programs.

Note the bump to -14, it's just so it's > than the version in the Spacewalk repo (I know it's not SOP).
Comment 1 Jason Tibbitts 2008-07-02 13:30:06 EDT
Just to get a note into bugzilla, I'm currently holding off on this because you
asked me to on IRC.  I've started to lose the context now, but it seems there
are some license issues with this code:

[Sun Jun 22 2008] [23:11:20] <tibbs|h>  The license of the RIPEMD160 module is
interesting.
[Sun Jun 22 2008] [23:12:00] <G>        argh, did I misread one?
[Sun Jun 22 2008] [23:12:39] <tibbs|h>  The C code is just Copyright (c)
Katholieke Universiteit Leuven  1996, All Rights Reserved
[Sun Jun 22 2008] [23:12:51] <tibbs|h>  No license, no distribution rights, no
use rights, nothing.
[Sun Jun 22 2008] [23:13:15] <tibbs|h>  The perl module authors claim that this
doesn't permit its use under GPL or Artistic, but I guess I don't see how.
[Sun Jun 22 2008] [23:13:46] <tibbs|h>  I'll have to ask Legal to double-check.
[Sun Jun 22 2008] [23:14:07] <G>        yeah, by all means
[Sun Jun 22 2008] [23:27:35] <G>        tibbs|h: might want to put
perl-Crypt-RIPEMD on hold, I don't actually know how I missed that

I'll go ahead and ask legal to take a look.
Comment 2 Tom "spot" Callaway 2008-09-02 10:55:05 EDT
I made yet another attempt to contact upstream, and I actually got a response:

*****

Dear Mr. Callaway,

I see no problem in granting Fedora the permission to use,
modify, and redistribute this code.

Please let me know if you need any further formal statement about this
from our university, since this would need to pass by our legal counsel.

Prof. Bart Preneel
-------------------------------------------------------------------------------
Katholieke Universiteit Leuven                       tel. +32 16 32 11 48
Dept. Electrical Engineering-ESAT / COSIC            fax. +32 16 32 19 69
Kasteelpark Arenberg 10 Bus 2446, B-3001 Leuven, BELGIUM

*****

I emailed him back to let him know that we would need a more formal statement, but this looks like something we can get resolved.
Comment 3 Jason Tibbitts 2008-09-02 11:01:31 EDT
*** Bug 460588 has been marked as a duplicate of this bug. ***
Comment 4 Tom "spot" Callaway 2008-10-09 16:16:35 EDT
Still waiting for their more formal statement, sent another email today reminding them that we are waiting.
Comment 5 Tom "spot" Callaway 2008-10-22 17:50:45 EDT
I think I spoke too soon on this one. The lawyers at the Katholieke Universiteit Leuven (the copyright holder) responded that the existing license terms are the terms. I sent them an additional request for the terms to be changed, but I never got any response.

I'd strongly encourage Spacewalk to look into porting to some other hash function.
Comment 6 Jason Tibbitts 2008-10-22 18:26:10 EDT
Interesting.  Note that the rmd160.c file included in the Perl module http://search.cpan.org/src/CHGEUER/Crypt-RIPEMD160-0.04/rmd160.c grants no rights at all.  However, the file at http://homes.esat.kuleuven.be/~cosicart/ps/AB-9601/rmd160.c is different and has some sort of advertising clause.

The Perl module includes the following rather odd claim:

"
This copyright does not prohibit distribution of any version of Perl
containing this extension under the terms of the GNU or Artistic
licences.
"

Certainly there's a big mess of confusion surrounding all of this.  Honestly I think this ticket should just be closed unless someone is really willing to untangle all of it.  From what I understand, Spacewalk doesn't need any Perl modules these days anyway, although I think someone should probably check to make sure it isn't incorporating the questionable RIPEMD160 C code in some other fashion.
Comment 7 Nigel Jones 2008-10-22 18:42:26 EDT
I'm happy either way, if it's best to close it, then that's what we should do :)
Comment 8 Petr Pisar 2014-12-10 03:45:04 EST
Setting the fedora-review flag to - per <https://fedoraproject.org/wiki/Package_Review_Process>.