Spec URL: https://eclipseo.fedorapeople.org/for-review/rust-fiat-crypto.spec
SRPM URL: https://eclipseo.fedorapeople.org/for-review/rust-fiat-crypto-0.1.8-1.fc36.src.rpm
Description: Fiat-crypto generated Rust. Fiat-crypto generated Rust.
Fedora Account System Username: eclipseo
Koji scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=75870166
Three comments before a final review:
- The crate has been updated to version 0.1.11, please update to that version, if possible.
- Re-generate the .spec file with rust2rpm 20.
- The Summary and description are nonsense, please improve them (preferably submit those improvements upstream, too).
New Spec URL: https://eclipseo.fedorapeople.org/for-review/rust-fiat-crypto.spec
New SRPM URL: https://eclipseo.fedorapeople.org/for-review/rust-fiat-crypto-0.1.17-1.fc37.src.rpm
(In reply to Fabio Valentini from comment #2)
> Three comments before a final review:
>
> - The crate has been updated to version 0.1.11, please update to that
> version, if possible.
> - Re-generate the .spec file with rust2rpm 20.
> - The Summary and description are nonsense, please improve them (preferably
> submit those improvements upstream, too).
I've updated the SPEC if you want to have a look.
Koji scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=93757768
Package looks good to me, with one exception. The fiat-crypto crate ships implementations of many elliptic curves, some of which aren't explicitly listed as "permitted in Fedora" here: https://fedoraproject.org/wiki/Legal:ECC
There has been some discussion about whether any elliptic curves are actually still not "good", but we haven't received any definitive responses from Red Hat legal: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/IQELSXUUNQFYYQ2JU3NOWLF2TOI7DEYZ/
Looks like the curves implemented in fiat-crypto are:
- Curve 25519: listed as OK
- p224 / secp224r1: listed as OK
- p256 / secp256r1: listed as OK
- p384 / secp384r1: listed as OK
- p434: not listed as OK; cannot find any documentation or source for this curve
- p448 / Curve 448: listed as OK
- p521 / secp521r1: listed as OK
- secp256k1: listed as OK
Blocking FE-Legal. We need to know whether the p434 curve is OK ...
Also sent to the "legal" mailing list, since in my experience the FE-Legal tracker bug is ignored: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/FBZU2X7ZKTK2BVZKBHFUCI44SMY4UQCE/
Finally got an actionable response from Red Hat Legal after asking ** a third time **: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/message/Z3PPWO6KNIPK2BNVNY5QUGJPCFSMO2BO/
The relevant part:
> > Ok, so ... I'm pretty sure we actually don't *need* the affected code.
> > Would removing all p434 related code from the sources entirely (to be
> > on the safe side), and building the package without support for this
> > curve, be an acceptable solution until the legal status is cleared up?
> Yes, that's an acceptable solution in the meantime.
All code related to p434 curve will need to be removed from the upstream tarball and the Fedora package can only use a "cleaned" tarball.
I've submitted a new package for the latest version of the fiat-crypto crate where I've tried to implement this approach. Closing this bug as a duplicate since it has not been updated in the last 6 months.
*** This bug has been marked as a duplicate of bug 2213270 ***