Bug 1460040 - Comply with ASF trademark rules
Summary: Comply with ASF trademark rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tomcatjss
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matthew Harmsen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1460037
Blocks:
Reported: 2017-06-08 21:58 UTC by Matthew Harmsen
Modified: 2017-08-01 21:09 UTC (History)

Fixed In Version: tomcatjss-7.2.1-6.el7
Doc Type: Bug Fix
Doc Text:
Cause: JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS, was not compliant with the ASF trademark rules outlined in http://tomcat.apache.org/legal.html.
Consequence: The Apache Tomcat organization insisted that we become compliant with ASF trademark rules.
Fix: We made all the agreed-upon changes to the README and the spec file so that all information displayed to a user would be in compliance with the ASF trademark rules.
Result: JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS, is now in compliance with ASF trademark rules.
Clone Of: 1460037
Environment:
Last Closed: 2017-08-01 21:09:17 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2017:2079
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: tomcatjss bug fix and enhancement update
Last Updated: 2017-08-01 18:37:21 UTC

Description Matthew Harmsen 2017-06-08 21:58:54 UTC
+++ This bug was initially created as a clone of Bug #1460037 +++

In order to comply with ASF trademark rules outlined in:

 * http://tomcat.apache.org/legal.html

change the package summary from:

    Summary:  JSSE implementation using JSS for Tomcat

to:

    Summary:  JSS for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS



Similarly, although it is not the first reference, the %description could be changed from:

    %description
    A Java Secure Socket Extension (JSSE) implementation
    using Java Security Services (JSS) for Tomcat 7.
    
    NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
           because it uses an underlying NSS security model rather than the
           OpenSSL security model, so these two packages may not co-exist.

to:

    %description
    A Java Secure Socket Extension (JSSE) implementation
    using Java Security Services (JSS) for Apache Tomcat 7.
    
    NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
           because it uses an underlying NSS security model rather than the
           OpenSSL security model, so these two packages may not co-exist.

Also, if so desired, change the following three changelog entries from:

    - Bugzilla Bug #1198450 - Support for Tomcat 8
    
    - Bugzilla Bug #871171 - Provide Tomcat support for TLS v1.1 and
    
    - PKI TRAC Ticket #283 - Dogtag 10: Integrate Tomcat 6 'tomcatjss.jar' and
      Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package

to:

    - Bugzilla Bug #1198450 - Support for Apache Tomcat 8
    
    - Bugzilla Bug #871171 - Provide Apache Tomcat support for TLS v1.1 and
    
    - PKI TRAC Ticket #283 - Dogtag 10: Integrate Apache Tomcat 6 'tomcatjss.jar'
      and Apache Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package

Finally, the README must also be changed from:

    tomcatjss, a JSSE module for Tomcat that uses JSS, a Java interface to
    Network Security Services(NSS).

to:

    The tomcatjss package is a Java Secure Socket Extension (JSSE) module for
    Apache Tomcat that uses Java Security Services (JSS), a Java interface to
    Network Security Services (NSS).

Comment 6 Sumedh Sidhaye 2017-06-23 04:08:20 UTC
[root@csqa4-guest01 ~]# rpm -qi tomcatjss
Name        : tomcatjss
Version     : 7.2.1
Release     : 6.el7
Architecture: noarch
Install Date: Sunday 18 June 2017 11:40:57 PM EDT
Group       : System Environment/Libraries
Size        : 51869
License     : LGPLv2+
Signature   : (none)
Source RPM  : tomcatjss-7.2.1-6.el7.src.rpm
Build Date  : Tuesday 13 June 2017 11:21:42 AM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS
Description :
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).

NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
       because it uses an underlying NSS security model rather than the
       OpenSSL security model, so these two packages may not co-exist.

The spec file changes are in line with the comments above.

However, some of the contents of the README file are not in line with the above comments,
especially the text mentioned for sslOptions, ssl2Ciphers, etc.

Here is what I see in the README from the SRPM:

tomcatjss, a JSSE module for Tomcat that uses JSS, a Java interface to
Network Security Services(NSS). 

tomcatjss defines a number of attributes for a Connector including:

clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.

sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
implementation. Each option takes the form of: option=[true|false].
tomcatjss supports the options: ssl2, ssl3, tls.

ssl2Ciphers: specify a list of SSL2 ciphers that tomcatjss should  accept 
or reject from the client. You can use + to denote "accept", - means "reject".

ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means "reject".

tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means "reject".

serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.

passwordFile: specify a file in which a password that is required to access
NSS's security database. Each entry in the file needs to appear on its own
line and has the form: token_name=password

certdbDir: specify the directory the NSS security database resides in.

passwordClass: specify the class that will be used to read the password.

sslProtocol: needs to be SSL

sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin

Here is an example of a secure connector:

<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           sslProtocol="SSL"
           scheme="https"
           secure="true"
           keyStoreType="PKCS11"
           maxHttpHeaderSize="8192"
           acceptCount="100"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           enableOCSP="false"
           ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
           ocspCacheSize="1000"
           ocspMinCacheEntryDuration="60"
           ocspMaxCacheEntryDuration="120"
           ocspTimeout="10"
           strictCiphers="false"
           clientAuth="agent"
           clientauth="agent"
           sslOptions="ssl2=true,ssl3=true,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
           passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
           certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>

If this is OK for now I can mark this bug as verified, but I need to confirm this before doing that.
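
An added example, not part of the bug report or of the tomcatjss project: a small audit of the connector attributes that the README quoted in the comment above describes (sslOptions and the +/- cipher lists). The weak-cipher token list and the function names are this example's own assumptions, and the sample connector is constructed by abbreviating the README's example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, abbreviated from the README's example connector.
SAMPLE_CONNECTOR = """<Connector port="8443"
    sslOptions="ssl2=true,ssl3=true,tls=true"
    ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5"
    ssl3Ciphers="+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_WITH_NULL_MD5,+SSL3_RSA_WITH_DES_CBC_SHA"
    tlsCiphers="+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA" />"""

LEGACY_PROTOCOLS = ("ssl2", "ssl3")
# Assumption: this token list is the example's own policy, not a tomcatjss rule.
WEAK_TOKENS = {"RC4", "RC2", "DES", "3DES", "NULL", "MD5"}

def _items(value):
    return [p.strip() for p in value.split(",") if p.strip()]

def parse_ssl_options(value):
    """Parse comma-delimited 'option=[true|false]' pairs into {option: bool}."""
    opts = {}
    for item in _items(value):
        name, sep, flag = item.partition("=")
        if not sep or flag.strip().lower() not in ("true", "false"):
            raise ValueError(f"malformed sslOptions entry: {item!r}")
        opts[name.strip().lower()] = flag.strip().lower() == "true"
    return opts

def accepted_ciphers(value):
    """Return the ciphers marked '+' (accept); '-' entries are rejected."""
    for item in _items(value):
        if item[0] not in "+-":
            raise ValueError(f"cipher entry lacks +/- prefix: {item!r}")
    return [item[1:] for item in _items(value) if item[0] == "+"]

def is_weak(cipher):
    return any(t in WEAK_TOKENS or t.startswith("EXPORT") for t in cipher.split("_"))

def audit_connector(xml_text):
    """List legacy protocols and weak ciphers that a Connector element enables."""
    conn = ET.fromstring(xml_text)
    opts = parse_ssl_options(conn.get("sslOptions", ""))
    findings = [f"legacy protocol enabled: {p}" for p in LEGACY_PROTOCOLS if opts.get(p)]
    for attr in ("ssl2Ciphers", "ssl3Ciphers", "tlsCiphers"):
        for cipher in accepted_ciphers(conn.get(attr, "")):
            if is_weak(cipher):
                findings.append(f"{attr} accepts weak cipher: {cipher}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_connector(SAMPLE_CONNECTOR)))
```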

Comment 7 Matthew Harmsen 2017-06-23 16:10:56 UTC
Sumedh,

Since you are looking at the tarball inside the SRPM without any patches applied, you are seeing the original text, since RHEL 7.4 only allowed us to re-base tarballs up to a set date; after that point, all changes must be applied via patches which are applied to the fixed tarball.

The changes to the README are enclosed in the patch entitled "tomcatjss-Comply-with-ASF-trademark-rules.patch" and are applied appropriately to "tomcatjss-7.2.1-6.el7.noarch.rpm".

Hence, to see the changes in the consumed RPM:

# rpm -qlp tomcatjss-7.2.1-6.el7.noarch.rpm 
/usr/share/doc/tomcatjss-7.2.1
/usr/share/doc/tomcatjss-7.2.1/LICENSE
/usr/share/doc/tomcatjss-7.2.1/README
/usr/share/java/tomcatjss-7.2.1.jar
/usr/share/java/tomcatjss.jar

If you view "/usr/share/doc/tomcatjss-7.2.1/README" you should see all of the changes documented above.

-- Matt

Comment 8 Asha Akkiangady 2017-06-23 17:39:18 UTC
Thank you Matt.
1. The tomcatjss.spec file has the following summary:
Summary:  JSS Connector for Apache Tomcat, a JSSE module for Apache Tomcat that uses JSS

2. tomcatjss.spec has the following description:
%description
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).

NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
       because it uses an underlying NSS security model rather than the
       OpenSSL security model, so these two packages may not co-exist.

3. The tomcatjss.spec file %changelog has the following changes:
- Bugzilla Bug #1344804 - Build failure on RHEL 7.3
  (patch for Bugzilla Bug #1245786 - Build failure on F23 was backported to
   RHEL 7 to coincide with Apache Tomcat version change to 7.0.68+)
- Bugzilla Bug #1198450 - Support for Apache Tomcat 8
- Bugzilla Bug #871171 - Provide Apache Tomcat support for TLS v1.1 and
  TLS v1.2 

https://pagure.io/dogtagpki/issue/283 has the changes:
Dogtag 10: Integrate Apache Tomcat 6 'tomcatjss.jar' and Apache Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package

4. README file:
# rpm -qlp tomcatjss-7.2.1-6.el7.noarch.rpm 
/usr/share/doc/tomcatjss-7.2.1
/usr/share/doc/tomcatjss-7.2.1/LICENSE
/usr/share/doc/tomcatjss-7.2.1/README
/usr/share/java/tomcatjss-7.2.1.jar
/usr/share/java/tomcatjss.jar

File /usr/share/doc/tomcatjss-7.2.1/README has all the changes for ASF requirement.

JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).

JSS Connector for Apache Tomcat defines a number of attributes for a Connector
including:

sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
implementation. Each option takes the form of: option=[true|false].
JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls.

ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject"

ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".

tlsCiphers: specifies a list of TLS ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".

Marking the bug verified.

Comment 9 errata-xmlrpc 2017-08-01 21:09:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2079
