On Sat 05 Oct 2013 07:26:11 AM PDT, Jérémy Bobbio wrote:
> Micah Lee:
>> Actually, Yan and I just discovered that this release isn't _quite_
>> deterministic. So we'll have to wait for our next release to make the
>> announcement.
>>
>> The build process in the HTTPS Everywhere repository is completely
>> deterministic for Firefox, but when we do public releases we run a
>> separate unpublished script to make things easier. We didn't update
>> this script before making this release, so we'll have to update it
>> before the next release before the xpi is actually deterministic.
>
> Also, I suspect there is a license problem with the new so I'm not going
> to update the Debian package for now:
>

We also realized this a moment after updating. Currently, it seems like
we would need to include a copy of
http://www.python.org/download/releases/2.6/license/ in the repository
and also "include the notice “"Python" is a registered trademark of the
Python Software Foundation” in the appropriate part of your
documentation or About box and place the “®” symbol after the first
mention of “Python” in your documentation."
(https://wiki.python.org/moin/PythonSoftwareFoundationLicenseFaq#If_I_bundle_Python_with_my_application.2C_what_do_I_need_to_include_in_my_software_and.2For_printed_documentation.3F)

Actually, does this mean we should have done the latter even before this
release if we mentioned Python anywhere in our documentation or comments?

> There's no indication of a license for utils/zipfile_deterministic.py
> except that it says it's a fork. Fork means that there is an initial
> code base, and the latter usually has authors and copyrights.
>
> Python is crazily versatile. Can't this be fixed by a monkey patch?
> If not, could you provide proper license and authorship information?

Thanks! The only downside of a monkey patch as far as I can tell is that
the build would be a few seconds slower, because we would create a
non-deterministic zipped file, canonicalize the zipinfo values, and then
write to a new zipfile. But then again, since usually developers don't
care about making a deterministic build when testing the extension, this
could just be an optional process that happens after the normal build
process, taking the zip file created by makexpi.sh as input. I think
this is actually a better design, so I'll volunteer to go ahead and
change it.

-Yan

>
> Thanks!
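
The post-processing step proposed in the reply above (take the finished zip, canonicalize the zipinfo values, write a new zipfile), as an added example that is not part of the original message or of the HTTPS Everywhere repository. The function names, the fixed timestamp and permission bits, the choice to drop directory entries, and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed canonical values (not from the thread): the earliest timestamp the
# ZIP format can store, and rw-r--r-- permissions on a regular file.
FIXED_DATE = (1980, 1, 1, 0, 0, 0)
FIXED_MODE = 0o100644 << 16


def canonicalize_zip(data: bytes) -> bytes:
    """Rewrite a zip archive so equal file contents always give equal bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        # Sort by name so filesystem walk order cannot leak into the output.
        for name in sorted(src.namelist()):
            if name.endswith("/"):
                continue  # assumption: directory entries are not needed
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3  # always claim Unix, whatever the build host
            info.external_attr = FIXED_MODE
            dst.writestr(info, src.read(name))
    return out.getvalue()


def build_sample(order, stamp, mode):
    """Constructed stand-in for a build output whose metadata varies."""
    files = {"install.rdf": b"<RDF/>", "chrome/content/rules.js": b"var r=[];"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.external_attr = mode << 16
            z.writestr(info, files[name])
    return buf.getvalue()


if __name__ == "__main__":
    a = build_sample(["install.rdf", "chrome/content/rules.js"],
                     (2013, 10, 5, 7, 26, 10), 0o100644)
    b = build_sample(["chrome/content/rules.js", "install.rdf"],
                     (2013, 10, 6, 9, 0, 0), 0o100755)
    print("raw archives identical:", a == b)
    print("canonical archives identical:",
          canonicalize_zip(a) == canonicalize_zip(b))
```

The output is only reproducible across machines when the same zlib produces the deflate stream; storing entries uncompressed removes that dependency at the cost of size.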
