Bug 452453 - Review Request: perl-Crypt-RIPEMD160 - Perl extension for the RIPEMD-160 Hash function
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Jason Tibbitts
QA Contact: Fedora Extras Quality Assurance
Duplicates: 460588
Blocks: FE-Legal FE-DEADREVIEW F-Spacewalk
Reported: 2008-06-22 22:50 EDT by Nigel Jones
Modified: 2014-12-10 03:45 EST
Last Closed: 2008-10-23 17:41:26 EDT
Flags: ppisar: fedora-review-

Description Nigel Jones 2008-06-22 22:50:37 EDT
Spec URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160.spec
SRPM URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160-0.04-14.fc9.src.rpm
Description: 
The Crypt::RIPEMD160 module allows you to use the RIPEMD160 Message Digest
algorithm from within Perl programs.

Note the bump to -14, it's just so it's > than the version in the Spacewalk repo (I know it's not SOP).
Comment 1 Jason Tibbitts 2008-07-02 13:30:06 EDT
Just to get a note into bugzilla, I'm currently holding off on this because you
asked me to on IRC.  I've started to lose the context now, but it seems there
are some license issues with this code:

[Sun Jun 22 2008] [23:11:20] <tibbs|h>  The license of the RIPEMD160 module is
interesting.
[Sun Jun 22 2008] [23:12:00] <G>        argh, did I misread one?
[Sun Jun 22 2008] [23:12:39] <tibbs|h>  The C code is just Copyright (c)
Katholieke Universiteit Leuven  1996, All Rights Reserved
[Sun Jun 22 2008] [23:12:51] <tibbs|h>  No license, no distribution rights, no
use rights, nothing.
[Sun Jun 22 2008] [23:13:15] <tibbs|h>  The perl module authors claim that this
doesn't permit its use under GPL or Artistic, but I guess I don't see how.
[Sun Jun 22 2008] [23:13:46] <tibbs|h>  I'll have to ask Legal to double-check.
[Sun Jun 22 2008] [23:14:07] <G>        yeah, by all means
[Sun Jun 22 2008] [23:27:35] <G>        tibbs|h: might want to put
perl-Crypt-RIPEMD on hold, I don't actually know how I missed that

I'll go ahead and ask legal to take a look.
Comment 2 Tom "spot" Callaway 2008-09-02 10:55:05 EDT
I made yet another attempt to contact upstream, and I actually got a response:

*****

Dear Mr. Callaway,

I see no problem in granting Fedora the permission to use,
modify, and redistribute this code.

Please let me know if you need any further formal statement about this
from our university, since this would need to pass by our legal counsel.

Prof. Bart Preneel
-------------------------------------------------------------------------------
Katholieke Universiteit Leuven                       tel. +32 16 32 11 48
Dept. Electrical Engineering-ESAT / COSIC            fax. +32 16 32 19 69
Kasteelpark Arenberg 10 Bus 2446, B-3001 Leuven, BELGIUM

*****

I emailed him back to let him know that we would need a more formal statement, but this looks like something we can get resolved.
Comment 3 Jason Tibbitts 2008-09-02 11:01:31 EDT
*** Bug 460588 has been marked as a duplicate of this bug. ***
Comment 4 Tom "spot" Callaway 2008-10-09 16:16:35 EDT
Still waiting for their more formal statement, sent another email today reminding them that we are waiting.
Comment 5 Tom "spot" Callaway 2008-10-22 17:50:45 EDT
I think I spoke too soon on this one. The lawyers at the Katholieke Universiteit Leuven (the copyright holder) responded that the existing license terms are the terms. I sent them an additional request for the terms to be changed, but I never got any response.

I'd strongly encourage Spacewalk to look into porting to some other hash function.
Comment 6 Jason Tibbitts 2008-10-22 18:26:10 EDT
Interesting.  Note that the rmd160.c file included in the Perl module http://search.cpan.org/src/CHGEUER/Crypt-RIPEMD160-0.04/rmd160.c grants no rights at all.  However, the file at http://homes.esat.kuleuven.be/~cosicart/ps/AB-9601/rmd160.c is different and has some sort of advertising clause.

The Perl module includes the following rather odd claim:

"
This copyright does not prohibit distribution of any version of Perl
containing this extension under the terms of the GNU or Artistic
licences.
"

Certainly there's a big mess of confusion surrounding all of this.  Honestly I think this ticket should just be closed unless someone is really willing to untangle all of it.  From what I understand, Spacewalk doesn't need any Perl modules these days anyway, although I think someone should probably check to make sure it isn't incorporating the questionable RIPEMD160 C code in some other fashion.
Comment 7 Nigel Jones 2008-10-22 18:42:26 EDT
I'm happy either way, if it's best to close it, then that's what we should do :)
Comment 8 Petr Pisar 2014-12-10 03:45:04 EST
Setting the fedora-review flag to - per <https://fedoraproject.org/wiki/Package_Review_Process>.