Hi Fedora Legal! 👋 I have a question about two packages in Fedora that are dependencies for goose, which our (Rodolfo and I's) team are working on packaging for Fedora. They are:
- *constant_time_eq* - https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/ - *tiny-keccak - * https://packages.fedoraproject.org/pkgs/rust-tiny-keccak *constant_time_eq*'s upstream states it may be used under CC0, Apache 2.0, or MIT at the user's option: https://github.com/cesarb/constant_time_eq (see README) *tiny-keccak *is CC0 only, though: https://github.com/debris/tiny-keccak Goose is built in Rust, and we're looking at packaging it as a bundle and vendoring dependencies like these. They already exist in Fedora, but not sure what the policy is on pre-existing libraries like these. Questions: - Assuming just because these are already packaged in Fedora, doesn't mean they're ok to vendor in another Fedora package. Correct? - Can we use one of the other licenses for *constant_time_eq* which are acceptable for Fedora packages? Or are there any concerns there? - Do you have any advice on how to handle *tiny-keccak*'s license? Greatly appreciate your help in advance!! Thanks, ~m
-- _______________________________________________ legal mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
