Thanks, Eric. Then it's possible we could download it during rpmbuild or postinstall.

On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri) <[email protected]> wrote:
> It can be downloaded from Github.
>
> I think this is the file (Rob correct me if I picked the wrong variant):
> https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_100000.txt
>
> —Eric
>
> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood <[email protected]> wrote:
>
>> Rob, is there a specific download location for this file? I see it
>> referenced as "Projects/OWASP SecLists Project", but didn't find it
>> with a quick search. Is it possible it's provided by an rpm we could
>> list as a dependency rather than including in our source?
>>
>> -dan
>>
>> On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts <[email protected]> wrote:
>>> I'd really like to keep this, or replace it with a similar file from
>>> another source. Which I'd be willing to investigate, if necessary.
>>>
>>> Having a good blacklist of most-common passwords specifically puts Traffic
>>> Ops in compliance with NIST SP 800-63B.
>>>
>>> I also don't understand the objections, the Apache Legal FAQ specifically
>>> says CC-SA is permissible, and doesn't say anything about being limited to
>>> binary (which would be odd, CC is designed for text, not binary).
>>> https://www.apache.org/legal/resolved.html#cc-sa
>>>
>>> I'd vote we wait for the legal resolution, or find a suitable replacement,
>>> in order to remain in NIST compliance.
>>>
>>> On Mon, Dec 18, 2017 at 10:55 AM, David Neuman <[email protected]> wrote:
>>>> Hey all,
>>>> I don't know if you have been following the release 2.1 thread on the
>>>> incubator list [1], but we have been given a -1 vote by the IPMC for
>>>> having a file in our release [2] that has an incompatible license. There
>>>> is some debate about the license, and we have reached out to Legal for more
>>>> information [3] (thanks Eric!), but we haven't heard back from legal yet.
>>>> Instead of waiting for legal to get back to us, I would like to propose
>>>> that we instead remove this file from our release. The file in question is
>>>> just a list of weak passwords and I feel like we can easily include a blank
>>>> file, or a file with a couple passwords that we generate, and individual
>>>> installs of Traffic Control can replace this file as they see fit. This will
>>>> remove the issue of having an incompatible license in our release and should
>>>> also not require us to do a code change. The downside of removing this
>>>> file is that we will need to create another 2.1 release candidate and go
>>>> through the vote process again. I would really like to see us get 2.1
>>>> released before the end of the year, and at this point our chances are
>>>> looking pretty slim. So, does anyone object to removing this file from our
>>>> release? If not, I will put an issue into github, remove the file, and
>>>> backport the change so that we can get another 2.1 release candidate out.
>>>>
>>>> Thanks,
>>>> Dave
>>>>
>>>> [1] https://lists.apache.org/thread.html/c211f049e3d68af90196c30f6b6d31a67b3072029dea1efe7d35c9dc@%3Cdev.trafficcontrol.apache.org%3E
>>>> [2] apache-trafficcontrol-2.1.0-incubating/traffic_ops/app/conf/invalid_passwords.txt
>>>> [3] https://issues.apache.org/jira/browse/LEGAL-356
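The thread turns on a password blacklist file (`invalid_passwords.txt`) and on whether a blank or locally supplied file can stand in for the SecLists one. As an added illustration of what such a check looks like under NIST SP 800-63B (this is example code written for this page, not Traffic Ops code), the block below loads a one-password-per-line list, normalizes both the list and the candidate so trivial case variants still match, enforces the 8-character minimum the guideline sets for user-chosen secrets, and treats a missing or blank file as an empty list so the length check still applies. The sample list, the file path, and the function names are constructed for the example.

```python
"""Password blacklist check in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example, not Traffic Control's code. Assumes the blacklist is plain
text with one password per line (the layout of the SecLists file discussed
in the thread). The sample list below is constructed for the demo.
"""
from __future__ import annotations

import unicodedata
from typing import Iterable

# Constructed sample; a deployment would load its own invalid_passwords.txt.
SAMPLE_BLACKLIST_TEXT = """\
123456
password
qwerty
letmein
Password1

"""

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def normalize(secret: str) -> str:
    """NFKC-normalize and lowercase so variants like PassWord1 still match."""
    return unicodedata.normalize("NFKC", secret).strip().lower()


def load_blacklist(lines: Iterable[str]) -> frozenset[str]:
    """Build a lookup set from one-password-per-line text; blank lines are skipped.

    Lines are not treated as comments: list entries may legitimately start
    with '#' or any other character.
    """
    entries = set()
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        entries.add(normalize(line))
    return frozenset(entries)


def load_blacklist_file(path: str) -> frozenset[str]:
    """Load from disk. A missing file yields an empty set (the blank-file
    fallback proposed in the thread) so the other checks still run."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return load_blacklist(fh)
    except FileNotFoundError:
        return frozenset()


def check_password(candidate: str, blacklist: frozenset[str],
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the reasons a candidate is unacceptable; an empty list means OK."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(candidate) in blacklist:
        reasons.append("appears on the commonly-used password list")
    return reasons


if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST_TEXT.splitlines())
    for pw in ["PASSWORD1", "qwerty", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, bl) or 'OK'}")
```

Returning a list of reasons rather than a bare boolean lets the caller report every failed rule to the user at once, which is what the guideline asks verifiers to do; keeping the normalization in one function guarantees the list and the candidate are compared the same way.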
