incubator-general mailing list archives

From Roman Shaposhnik <ro...@shaposhnik.org>
Subject Re: [VOTE] HAWQ 2.0.0-beta-incubating RC4
Date Thu, 04 Feb 2016 02:56:42 GMT
Justin,

once again -- thank you so much for your diligent reviews! Wrt. NOTICE/LICENSE files
can you please take a look at this and see if that's acceptable:
   https://github.com/rvs/incubator-hawq/blob/master/LICENSE
   https://github.com/rvs/incubator-hawq/blob/master/NOTICE

Wrt. crypto code -- you ended up being absolutely right and I apologize for the confusion.
The only thing I can say in my defense is that I got double tripped up by:
     http://www.apache.org/dev/crypto.html#faq-previouslyexported
     http://www.postgresql.org/message-id/CAN1EF+z1B1ecxQ1GYudFo8WBp5+6mfKCQQGu_xVTNzuak9h_oA@mail.gmail.com

At any rate, we're removing the crypto code:
     https://issues.apache.org/jira/browse/HAWQ-394

Hopefully this will take care of your concerns.

Thanks,
Roman.

On Wed, Jan 27, 2016 at 5:12 AM, Justin Mclean <justinmclean@me.com> wrote:
> Hi,
>
>> I think this section of NOTICE is simply not worded well enough.
>
> No problem, if it is not bundled it should be removed, if the wording is wrong it should
> be fixed.
>
>> Not it doesn’t.
>
> You might want to double check the files in here:
> ./contrib/pgcrypto
> ./src/interfaces/libpq
>
> Just do a quick search for SSL for instance. Or take a look at contrib/pgcrypto/crypt-blowfish.c
> it says "This code comes from John the Ripper password cracker, with reentrant and crypt(3)
> interfaces added,” and that looks to be GPL software or I think public domain? I’d expect
> that to be in the LICENSE file. [1] I haven’t looked at everything in detail but there is enough
> for concern and IMO it needs to be double checked.
>
> Exactly what is covered by "cryptographic functions” I’m not entirely sure. Do we
> have somewhere where that is spelt out? For instance is MD5 included in that? (see ./contrib/pgcrypto/crypt-md5.c,
> ./contrib/pgcrypto/md5.c, ./src/backend/libpq/md5.c) or DES (./contrib/pgcrypto/crypt-des.c)
> or SHA2 (./contrib/pgcrypto/sha2.c) or blowfish mentioned above? (and those are not the only
> files)
>
>> Apache License  -- not sure what you mean here -- I think we're simply
>> bubbling up the dependencies NOTICEs. Why is that wrong?
>
> Bubbling up NOTICEs is correct but AFAICS you’re not doing that.
>
>> Not sure what you want us to do to handle that case.
>
> Fix the paths or remove it if it's no longer the case would be best I think.
>
> Thanks,
> Justin
>
> 1. http://www.openwall.com/john/doc/LICENSE.shtml
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
