Rob, is there a specific download location for this file? I see it
referenced as "Projects/OWASP SecLists Project", but didn't find it
with a quick search. Is it possible it's provided by an rpm we could
list as a dependency rather than including in our source?

-dan

On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts <[email protected]> wrote:
> I'd really like to keep this, or replace it with a similar file from
> another source. Which I'd be willing to investigate, if necessary.
>
> Having a good blacklist of most-common passwords specifically puts Traffic
> Ops in compliance with NIST SP 800-63B.
>
> I also don't understand the objections, the Apache Legal FAQ specifically
> says CC-SA is permissible, and doesn't say anything about being limited to
> binary (which would be odd, CC is designed for text, not binary).
> https://www.apache.org/legal/resolved.html#cc-sa
>
> I'd vote we wait for the legal resolution, or find a suitable replacement,
> in order to remain in NIST compliance.
>
>
> On Mon, Dec 18, 2017 at 10:55 AM, David Neuman <[email protected]>
> wrote:
>
>> Hey all,
>> I don't know if you have been following the release 2.1 thread on the
>> incubator list [1] , but we have been given a -1 vote by the IPMC for
>> having a file in our release [2] that has an incompatible license.  There
>> is some debate about the license, and we have reached out to Legal for more
>> information [3] (thanks Eric!), but we haven't heard back from legal yet.
>> Instead of waiting for legal to get back to us, I would like to propose
>> that we instead remove this file from our release.  The file in question is
>> just a list of weak passwords and I feel like we can easily include a blank
>> file, or a file with a couple passwords that we generate, and individual
>> installs of Traffic Control can replace this file as they see fit.  This
>> will remove the issue of having an incompatible license in our release and
>> should also not require us to do a code change.  The downside of removing this
>> file is that we will need to create another 2.1 release candidate and go
>> through the vote process again.  I would really like to see us get 2.1
>> released before the end of the year, and at this point our chances are
>> looking pretty slim.  So, does anyone object to removing this file from our
>> release?  If not, I will put an issue into github, remove the file, and
>> back port the change so that we can get another 2.1 release candidate out.
>>
>> Thanks,
>> Dave
>>
>>
>> [1] https://lists.apache.org/thread.html/c211f049e3d68af90196c30f6b6d31a67b3072029dea1efe7d35c9dc@%3Cdev.trafficcontrol.apache.org%3E
>> [2] apache-trafficcontrol-2.1.0-incubating/traffic_ops/app/conf/invalid_passwords.txt
>> [3] https://issues.apache.org/jira/browse/LEGAL-356
>>
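The thread turns on what invalid_passwords.txt is for: a blocklist of common passwords that a verifier compares new passwords against, which is what NIST SP 800-63B asks of memorized-secret verifiers. The following Go program is an added illustration of that check and is not Traffic Ops code; the loader, the case-insensitive comparison, the username check and the constructed sample list are all assumptions of this example. It also shows the consequence of the "blank file" fallback Dave proposes: an empty list loads cleanly, but then only the length rule stands between a user and a password like "password".

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
	"unicode/utf8"
)

// Blocklist holds normalized (trimmed, lower-cased) entries read from a file
// shaped like traffic_ops/app/conf/invalid_passwords.txt, one password per
// line. Lower-casing is an assumption of this example, not project behaviour.
type Blocklist map[string]struct{}

// LoadBlocklist reads one candidate password per line. Blank lines and lines
// starting with '#' are skipped, so a deliberately blank file (the fallback
// proposed in the thread) yields an empty blocklist rather than an error.
func LoadBlocklist(r io.Reader) (Blocklist, error) {
	bl := Blocklist{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		bl[strings.ToLower(line)] = struct{}{}
	}
	return bl, sc.Err()
}

// minLen follows NIST SP 800-63B section 5.1.1.2: user-chosen memorized
// secrets are at least 8 characters long (counted as characters, not bytes).
const minLen = 8

// CheckPassword returns "" when pw is acceptable, otherwise a short reason.
// 800-63B requires comparing against commonly used values and context-
// specific words such as the username; both checks are modelled here.
func CheckPassword(bl Blocklist, pw, username string) string {
	if utf8.RuneCountInString(pw) < minLen {
		return "too short"
	}
	if _, blocked := bl[strings.ToLower(pw)]; blocked {
		return "in blocklist"
	}
	if username != "" && strings.EqualFold(pw, username) {
		return "same as username"
	}
	return ""
}

// sampleList is a constructed stand-in for the real file; the entries are
// illustrative only.
const sampleList = `# constructed example list
password
12345678
qwertyuiop
Password1
`

func main() {
	bl, err := LoadBlocklist(strings.NewReader(sampleList))
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"password", "PASSWORD1", "short", "correct horse battery"} {
		if reason := CheckPassword(bl, pw, "operator"); reason != "" {
			fmt.Printf("%-22q rejected: %s\n", pw, reason)
		} else {
			fmt.Printf("%-22q accepted\n", pw)
		}
	}

	// Blank-file fallback: nothing is blocked except by length.
	empty, _ := LoadBlocklist(strings.NewReader(""))
	fmt.Printf("with blank list, %q -> %q\n", "password", CheckPassword(empty, "password", "operator"))
}
```

Packaging-wise, the check only needs a reader, so the list can come from a file owned by a separately licensed rpm (as Dan suggests) without any change to the code that consumes it.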
