Bug 452453 - Review Request: perl-Crypt-RIPEMD160 - Perl extension for the RIPEMD-160 Hash function
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
Duplicates: 460588
Depends On:
Blocks: FE-Legal FE-DEADREVIEW F-Spacewalk
Reported: 2008-06-23 02:50 UTC by Nigel Jones
Modified: 2014-12-10 08:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-10-23 21:41:26 UTC
Type: ---
ppisar: fedora-review-

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1172238 0 medium CLOSED Review Request: perl-Crypt-RIPEMD160 - Perl extension for the RIPEMD-160 Hash function 2021-02-22 00:41:40 UTC

Internal Links: 1172238

Description Nigel Jones 2008-06-23 02:50:37 UTC
Spec URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160.spec
SRPM URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160-0.04-14.fc9.src.rpm
The Crypt::RIPEMD160 module allows you to use the RIPEMD160 Message Digest
algorithm from within Perl programs.

Note the bump to -14, it's just so it's > than the version in the Spacewalk repo (I know it's not SOP).

Comment 1 Jason Tibbitts 2008-07-02 17:30:06 UTC
Just to get a note into bugzilla, I'm currently holding off on this because you
asked me to on IRC.  I've started to lose the context now, but it seems there
are some license issues with this code:

[Sun Jun 22 2008] [23:11:20] <tibbs|h>  The license of the RIPEMD160 module is
[Sun Jun 22 2008] [23:12:00] <G>        argh, did I misread one?
[Sun Jun 22 2008] [23:12:39] <tibbs|h>  The C code is just Copyright (c)
Katholieke Universiteit Leuven  1996, All Rights Reserved
[Sun Jun 22 2008] [23:12:51] <tibbs|h>  No license, no distribution rights, no
use rights, nothing.
[Sun Jun 22 2008] [23:13:15] <tibbs|h>  The perl module authors claim that this
doesn't permit its use under GPL or Artistic, but I guess I don't see how.
[Sun Jun 22 2008] [23:13:46] <tibbs|h>  I'll have to ask Legal to double-check.
[Sun Jun 22 2008] [23:14:07] <G>        yeah, by all means
[Sun Jun 22 2008] [23:27:35] <G>        tibbs|h: might want to put
perl-Crypt-RIPEMD on hold, I don't actually know how I missed that

I'll go ahead and ask legal to take a look.

Comment 2 Tom "spot" Callaway 2008-09-02 14:55:05 UTC
I made yet another attempt to contact upstream, and I actually got a response:


Dear Mr. Callaway,

I see no problem in granting Fedora the permission to use,
modify, and redistribute this code.

Please let me know if you need any further formal statement about this
from our university, since this would need to pass by our legal counsel.

Prof. Bart Preneel
Katholieke Universiteit Leuven                       tel. +32 16 32 11 48
Dept. Electrical Engineering-ESAT / COSIC            fax. +32 16 32 19 69
Kasteelpark Arenberg 10 Bus 2446, B-3001 Leuven, BELGIUM


I emailed him back to let him know that we would need a more formal statement, but this looks like something we can get resolved.

Comment 3 Jason Tibbitts 2008-09-02 15:01:31 UTC
*** Bug 460588 has been marked as a duplicate of this bug. ***

Comment 4 Tom "spot" Callaway 2008-10-09 20:16:35 UTC
Still waiting for their more formal statement, sent another email today reminding them that we are waiting.

Comment 5 Tom "spot" Callaway 2008-10-22 21:50:45 UTC
I think I spoke too soon on this one. The lawyers at the Katholieke Universiteit Leuven (the copyright holder) responded that the existing license terms are the terms. I sent them an additional request for the terms to be changed, but I never got any response.

I'd strongly encourage Spacewalk to look into porting to some other hash function.

Comment 6 Jason Tibbitts 2008-10-22 22:26:10 UTC
Interesting.  Note that the rmd160.c file included in the Perl module http://search.cpan.org/src/CHGEUER/Crypt-RIPEMD160-0.04/rmd160.c grants no rights at all.  However, the file at http://homes.esat.kuleuven.be/~cosicart/ps/AB-9601/rmd160.c is different and has some sort of advertising clause.

The Perl module includes the following rather odd claim:

This copyright does not prohibit distribution of any version of Perl
containing this extension under the terms of the GNU or Artistic

Certainly there's a big mess of confusion surrounding all of this.  Honestly I think this ticket should just be closed unless someone is really willing to untangle all of it.  From what I understand, Spacewalk doesn't need any Perl modules these days anyway, although I think someone should probably check to make sure it isn't incorporating the questionable RIPEMD160 C code in some other fashion.

Comment 7 Nigel Jones 2008-10-22 22:42:26 UTC
I'm happy either way, if it's best to close it, then that's what we should do :)

Comment 8 Petr Pisar 2014-12-10 08:45:04 UTC
Setting the fedora-review flag to - per <https://fedoraproject.org/wiki/Package_Review_Process>.
