I'd really like to keep this, or replace it with a similar file from another source. Which I'd be willing to investigate, if necessary.
Having a good blacklist of most-common passwords specifically puts Traffic Ops in compliance with NIST SP 800-63B. I also don't understand the objections, the Apache Legal FAQ specifically says CC-SA is permissible, and doesn't say anything about being limited to binary (which would be odd, CC is designed for text, not binary). https://www.apache.org/legal/resolved.html#cc-sa I'd vote we wait for the legal resolution, or find a suitable replacement, in order to remain in NIST compliance. On Mon, Dec 18, 2017 at 10:55 AM, David Neuman <[email protected]> wrote: > Hey all, > I don't know if you have been following the release 2.1 thread on the > incubator list [1] , but we have been given a -1 vote by the IPMC for > having a file in our release [2] that has an incompatible license. There > is some debate about the license, and we have reached out to Legal for more > information [3] (thanks Eric!), but we haven't heard back from legal yet. > Instead of waiting for legal to get back to us, I would like to propose > that we instead remove this file from our release. The file in question is > just a list of weak passwords and I feel like we can easily include a blank > file, or a file with a couple passwords that we generate, and individual > installs of Traffic Control can replace this file as they see fit. This > will > remove issue of having an incompatible license in our release and should > also not require us to do a code change. The downside of removing this > file is that we will need to create another 2.1 release candidate and go > through the vote process again. I would really like to see us get 2.1 > released before the end of the year, and at this point our chances are > looking pretty slim. So, does anyone object to removing this file from our > release? If not, I will put an issue into github, remove the file, and > back port the change so that we can get another 2.1 release candidate out. > > Thanks, > Dave > > > [1] > https://lists.apache.org/thread.html/c211f049e3d68af90196c30f6b6d31 > a67b3072029dea1efe7d35c9dc@%3Cdev.trafficcontrol.apache.org%3E > [2] > apache-trafficcontrol-2.1.0-incubating/traffic_ops/app/ > conf/invalid_passwords.txt > [3] https://issues.apache.org/jira/browse/LEGAL-356 >
