Red Hat Bugzilla – Bug 452453
Review Request: perl-Crypt-RIPEMD160 - Perl extension for the RIPEMD-160 Hash function
Last modified: 2014-12-10 03:45:04 EST
Spec URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160.spec
SRPM URL: http://dev.nigelj.com/SRPMS/perl-Crypt-RIPEMD160-0.04-14.fc9.src.rpm
The Crypt::RIPEMD160 module allows you to use the RIPEMD160 Message Digest
algorithm from within Perl programs.
Note the bump to -14, it's just so it's greater than the version in the Spacewalk repo (I know it's not SOP).
Just to get a note into bugzilla, I'm currently holding off on this because you
asked me to on IRC. I've started to lose the context now, but it seems there
are some license issues with this code:
[Sun Jun 22 2008] [23:11:20] <tibbs|h> The license of the RIPEMD160 module is
[Sun Jun 22 2008] [23:12:00] <G> argh, did I misread one?
[Sun Jun 22 2008] [23:12:39] <tibbs|h> The C code is just Copyright (c)
Katholieke Universiteit Leuven 1996, All Rights Reserved
[Sun Jun 22 2008] [23:12:51] <tibbs|h> No license, no distribution rights, no
use rights, nothing.
[Sun Jun 22 2008] [23:13:15] <tibbs|h> The perl module authors claim that this
doesn't permit its use under GPL or Artistic, but I guess I don't see how.
[Sun Jun 22 2008] [23:13:46] <tibbs|h> I'll have to ask Legal to double-check.
[Sun Jun 22 2008] [23:14:07] <G> yeah, by all means
[Sun Jun 22 2008] [23:27:35] <G> tibbs|h: might want to put
perl-Crypt-RIPEMD on hold, I don't actually know how I missed that
I'll go ahead and ask legal to take a look.
I made yet another attempt to contact upstream, and I actually got a response:
Dear Mr. Callaway,
I see no problem in granting Fedora the permission to use,
modify, and redistribute this code.
Please let me know if you need any further formal statement about this
from our university, since this would need to pass by our legal counsel.
Prof. Bart Preneel
Katholieke Universiteit Leuven tel. +32 16 32 11 48
Dept. Electrical Engineering-ESAT / COSIC fax. +32 16 32 19 69
Kasteelpark Arenberg 10 Bus 2446, B-3001 Leuven, BELGIUM
I emailed him back to let him know that we would need a more formal statement, but this looks like something we can get resolved.
*** Bug 460588 has been marked as a duplicate of this bug. ***
Still waiting for their more formal statement, sent another email today reminding them that we are waiting.
I think I spoke too soon on this one. The lawyers at the Katholieke Universiteit Leuven (the copyright holder) responded that the existing license terms are the terms. I sent them an additional request for the terms to be changed, but I never got any response.
I'd strongly encourage Spacewalk to look into porting to some other hash function.
Interesting. Note that the rmd160.c file included in the Perl module http://search.cpan.org/src/CHGEUER/Crypt-RIPEMD160-0.04/rmd160.c grants no rights at all. However, the file at http://homes.esat.kuleuven.be/~cosicart/ps/AB-9601/rmd160.c is different and has some sort of advertising clause.
The Perl module includes the following rather odd claim:
This copyright does not prohibit distribution of any version of Perl
containing this extension under the terms of the GNU or Artistic
Certainly there's a big mess of confusion surrounding all of this. Honestly I think this ticket should just be closed unless someone is really willing to untangle all of it. From what I understand, Spacewalk doesn't need any Perl modules these days anyway, although I think someone should probably check to make sure it isn't incorporating the questionable RIPEMD160 C code in some other fashion.
I'm happy either way, if it's best to close it, then that's what we should do :)
Setting the fedora-review flag to - per <https://fedoraproject.org/wiki/Package_Review_Process>.