Re: Remove file with invalid license

2017-12-19 Thread Chris Lemmons
Ah, you are correct, then. I'm not a fan, but I do see the point in
having it brief.

On Tue, Dec 19, 2017 at 10:14 AM, Dan Kirkwood  wrote:
> ```It is important to keep NOTICE as brief and simple as possible, as
> each addition places a burden on downstream consumers.
>
> Do not add anything to NOTICE which is not legally required.
> ```
> https://www.apache.org/dev/licensing-howto.html#mod-notice
>
> On Tue, Dec 19, 2017 at 10:11 AM, Robert Butts  
> wrote:
>> I don't agree with
>> https://github.com/apache/incubator-trafficcontrol/commit/d7422b3f05f2628de07614efa20799b01cfc1e41
>> "remove from NOTICE to keep it short "
>>
>> While the MIT doesn't require Attribution, Daniel and the SecLists project
>> originally did, it was very specifically licensed "CC Attribution", and
>> they graciously changed for us.
>>
>> It seems rather rude not to include Attribution in accordance with their
>> original wishes, even if we aren't legally required to.
>>
>> Is there a strong objection to keeping the NOTICE Attribution for them?
>>
>>
>> On Tue, Dec 19, 2017 at 9:32 AM, Dave Neuman  wrote:
>>
>>> I merged it, you need to do a backport to 2.1 as well.
>>>
>>> On Tue, Dec 19, 2017 at 9:16 AM, Robert Butts 
>>> wrote:
>>>
>>> > PR updating the license:
>>> > https://github.com/apache/incubator-trafficcontrol/pull/1681
>>> >
>>> > On Tue, Dec 19, 2017 at 9:13 AM, Chris Lemmons 
>>> wrote:
>>> >
>>> > > https://github.com/danielmiessler/SecLists is now licensed MIT.
>>> > > Thanks, Eric, for talking to Daniel Miessler for us and getting this
>>> > > taken care of!
>>> > >
>>> > > On Mon, Dec 18, 2017 at 1:56 PM, Chris Lemmons 
>>> > wrote:
>>> > > > Excellent, Eric. That neatly cleans up the problem. I do think we
>>> > > > should merge my PR (1677), regardless, if for no other reason than to
>>> > > > honour the authors' attribution request.
>>> > > >
>>> > > > On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
>>> > > >  wrote:
>>> > > >> I emailed the owner of the password file earlier today and he agreed
>>> > to
>>> > > change or dual-license the project to MIT.
>>> > > >>
>>> > > >> —Eric
>>> > > >>
>>> > > >>> On Dec 18, 2017, at 3:40 PM, Phil Sorber 
>>> wrote:
>>> > > >>>
>>> > > >>> Rob,
>>> > > >>>
>>> > > >>> Just because we remove it for now doesn't mean we have to leave it
>>> > out
>>> > > >>> forever. I encourage you to contribute to the thread on the legal
>>> > > mailing
>>> > > >>> list to make your case or at least get an understanding of their
>>> > > >>> requirements. The ASF does tend to lean toward conservative
>>> > > interpretations.
>>> > > >>>
>>> > > >>> Thanks.
>>> > > >>>
>>> > > >>> On Mon, Dec 18, 2017 at 12:08 PM Robert Butts wrote:
>>> > > >>>
>>> > >  That's correct. No RPM, unfortunately. License is here:
>>> > >  https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
>>> > > 
>>> > >  -1 on downloading during rpmbuild, or especially postinstall. Both
>>> > > pose a
>>> > >  security risk. Moreover, it makes our build or install dependent
>>> on
>>> > > the
>>> > >  internet and a particular website. Neither building nor installing
>>> > > should
>>> > >  require either internet or a particular website; we should be
>>> > working
>>> > > to
>>> > >  get away from that, not towards it.
>>> > > 
>>> > >  I'd prefer to find something Apache is ok with vendoring, if we
>>> have
>>> > > to.
>>> > >  Though, ideally we'd keep this one, Daniel Miessler is a
>>> well-known
>>> > > name in
>>> > >  the security community.
>>> > > 
>>> > > 
>>> > >  On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood wrote:
>>> > > 
>>> > > > Thanks,  Eric..Then it's possible we could download it during
>>> > > > rpmbuild or postinstall.
>>> > > >
>>> > > > On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
>>> > > >  wrote:
>>> > > >> It can be downloaded from Github.
>>> > > >>
>>> > > >> I think this is the file (Rob correct me if I picked the wrong
>>> > >  variant):
>>> > > > https://github.com/danielmiessler/SecLists/blob/
>>> > > > master/Passwords/10_million_password_list_top_10.txt
>>> > > >>
>>> > > >> —Eric
>>> > > >>
>>> > > >> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
>>> > > >>
>>> > > >> Rob,   is there a specific download location for this file?   I
>>> > see
>>> > > it
>>> > > >> referenced as "Projects/OWASP SecLists Project",  but didn't
>>> find
>>> > it
>>> > > >> with a quick search.  

Re: Remove file with invalid license

2017-12-19 Thread Dan Kirkwood
```It is important to keep NOTICE as brief and simple as possible, as
each addition places a burden on downstream consumers.

Do not add anything to NOTICE which is not legally required.
```
https://www.apache.org/dev/licensing-howto.html#mod-notice

On Tue, Dec 19, 2017 at 10:11 AM, Robert Butts  wrote:
> I don't agree with
> https://github.com/apache/incubator-trafficcontrol/commit/d7422b3f05f2628de07614efa20799b01cfc1e41
> "remove from NOTICE to keep it short "
>
> While the MIT doesn't require Attribution, Daniel and the SecLists project
> originally did, it was very specifically licensed "CC Attribution", and
> they graciously changed for us.
>
> It seems rather rude not to include Attribution in accordance with their
> original wishes, even if we aren't legally required to.
>
> Is there a strong objection to keeping the NOTICE Attribution for them?
>
>
> On Tue, Dec 19, 2017 at 9:32 AM, Dave Neuman  wrote:
>
>> I merged it, you need to do a backport to 2.1 as well.
>>
>> On Tue, Dec 19, 2017 at 9:16 AM, Robert Butts 
>> wrote:
>>
>> > PR updating the license:
>> > https://github.com/apache/incubator-trafficcontrol/pull/1681
>> >
>> > On Tue, Dec 19, 2017 at 9:13 AM, Chris Lemmons 
>> wrote:
>> >
>> > > https://github.com/danielmiessler/SecLists is now licensed MIT.
>> > > Thanks, Eric, for talking to Daniel Miessler for us and getting this
>> > > taken care of!
>> > >
>> > > On Mon, Dec 18, 2017 at 1:56 PM, Chris Lemmons 
>> > wrote:
>> > > > Excellent, Eric. That neatly cleans up the problem. I do think we
>> > > > should merge my PR (1677), regardless, if for no other reason than to
>> > > > honour the authors' attribution request.
>> > > >
>> > > > On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
>> > > >  wrote:
>> > > >> I emailed the owner of the password file earlier today and he agreed
>> > to
>> > > change or dual-license the project to MIT.
>> > > >>
>> > > >> —Eric
>> > > >>
>> > > >>> On Dec 18, 2017, at 3:40 PM, Phil Sorber 
>> wrote:
>> > > >>>
>> > > >>> Rob,
>> > > >>>
>> > > >>> Just because we remove it for now doesn't mean we have to leave it
>> > out
>> > > >>> forever. I encourage you to contribute to the thread on the legal
>> > > mailing
>> > > >>> list to make your case or at least get an understanding of their
>> > > >>> requirements. The ASF does tend to lean toward conservative
>> > > interpretations.
>> > > >>>
>> > > >>> Thanks.
>> > > >>>
>> > > >>> On Mon, Dec 18, 2017 at 12:08 PM Robert Butts wrote:
>> > > >>>
>> > >  That's correct. No RPM, unfortunately. License is here:
>> > >  https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
>> > > 
>> > >  -1 on downloading during rpmbuild, or especially postinstall. Both
>> > > pose a
>> > >  security risk. Moreover, it makes our build or install dependent
>> on
>> > > the
>> > >  internet and a particular website. Neither building nor installing
>> > > should
>> > >  require either internet or a particular website; we should be
>> > working
>> > > to
>> > >  get away from that, not towards it.
>> > > 
>> > >  I'd prefer to find something Apache is ok with vendoring, if we
>> have
>> > > to.
>> > >  Though, ideally we'd keep this one, Daniel Miessler is a
>> well-known
>> > > name in
>> > >  the security community.
>> > > 
>> > > 
>> > >  On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood wrote:
>> > > 
>> > > > Thanks,  Eric..Then it's possible we could download it during
>> > > > rpmbuild or postinstall.
>> > > >
>> > > > On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
>> > > >  wrote:
>> > > >> It can be downloaded from Github.
>> > > >>
>> > > >> I think this is the file (Rob correct me if I picked the wrong
>> > >  variant):
>> > > > https://github.com/danielmiessler/SecLists/blob/
>> > > > master/Passwords/10_million_password_list_top_10.txt
>> > > >>
>> > > >> —Eric
>> > > >>
>> > > >> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
>> > > >>
>> > > >> Rob,   is there a specific download location for this file?   I
>> > see
>> > > it
>> > > >> referenced as "Projects/OWASP SecLists Project",  but didn't
>> find
>> > it
>> > > >> with a quick search.   Is it possible it's provided by an rpm we
>> > > could
>> > > >> list as a dependency rather than including in our source?
>> > > >>
>> > > >> -dan
>> > > >>
>> > > >> On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts <
>> > >  robert.o.bu...@gmail.com
>> > > > 

Re: Remove file with invalid license

2017-12-19 Thread Robert Butts
I don't agree with
https://github.com/apache/incubator-trafficcontrol/commit/d7422b3f05f2628de07614efa20799b01cfc1e41
"remove from NOTICE to keep it short "

While the MIT doesn't require Attribution, Daniel and the SecLists project
originally did, it was very specifically licensed "CC Attribution", and
they graciously changed for us.

It seems rather rude not to include Attribution in accordance with their
original wishes, even if we aren't legally required to.

Is there a strong objection to keeping the NOTICE Attribution for them?


On Tue, Dec 19, 2017 at 9:32 AM, Dave Neuman  wrote:

> I merged it, you need to do a backport to 2.1 as well.
>
> On Tue, Dec 19, 2017 at 9:16 AM, Robert Butts 
> wrote:
>
> > PR updating the license:
> > https://github.com/apache/incubator-trafficcontrol/pull/1681
> >
> > On Tue, Dec 19, 2017 at 9:13 AM, Chris Lemmons 
> wrote:
> >
> > > https://github.com/danielmiessler/SecLists is now licensed MIT.
> > > Thanks, Eric, for talking to Daniel Miessler for us and getting this
> > > taken care of!
> > >
> > > On Mon, Dec 18, 2017 at 1:56 PM, Chris Lemmons 
> > wrote:
> > > > Excellent, Eric. That neatly cleans up the problem. I do think we
> > > > should merge my PR (1677), regardless, if for no other reason than to
> > > > honour the authors' attribution request.
> > > >
> > > > On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
> > > >  wrote:
> > > >> I emailed the owner of the password file earlier today and he agreed
> > to
> > > change or dual-license the project to MIT.
> > > >>
> > > >> —Eric
> > > >>
> > > >>> On Dec 18, 2017, at 3:40 PM, Phil Sorber 
> wrote:
> > > >>>
> > > >>> Rob,
> > > >>>
> > > >>> Just because we remove it for now doesn't mean we have to leave it
> > out
> > > >>> forever. I encourage you to contribute to the thread on the legal
> > > mailing
> > > >>> list to make your case or at least get an understanding of their
> > > >>> requirements. The ASF does tend to lean toward conservative
> > > interpretations.
> > > >>>
> > > >>> Thanks.
> > > >>>
> > > >>> On Mon, Dec 18, 2017 at 12:08 PM Robert Butts wrote:
> > > >>>
> > >  That's correct. No RPM, unfortunately. License is here:
> > >  https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
> > > 
> > >  -1 on downloading during rpmbuild, or especially postinstall. Both
> > > pose a
> > >  security risk. Moreover, it makes our build or install dependent
> on
> > > the
> > >  internet and a particular website. Neither building nor installing
> > > should
> > >  require either internet or a particular website; we should be
> > working
> > > to
> > >  get away from that, not towards it.
> > > 
> > >  I'd prefer to find something Apache is ok with vendoring, if we
> have
> > > to.
> > >  Though, ideally we'd keep this one, Daniel Miessler is a
> well-known
> > > name in
> > >  the security community.
> > > 
> > > 
> > >  On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood wrote:
> > > 
> > > > Thanks,  Eric..Then it's possible we could download it during
> > > > rpmbuild or postinstall.
> > > >
> > > > On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
> > > >  wrote:
> > > >> It can be downloaded from Github.
> > > >>
> > > >> I think this is the file (Rob correct me if I picked the wrong
> > >  variant):
> > > > https://github.com/danielmiessler/SecLists/blob/
> > > > master/Passwords/10_million_password_list_top_10.txt
> > > >>
> > > >> —Eric
> > > >>
> > > >> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
> > > >>
> > > >> Rob,   is there a specific download location for this file?   I
> > see
> > > it
> > > >> referenced as "Projects/OWASP SecLists Project",  but didn't
> find
> > it
> > > >> with a quick search.   Is it possible it's provided by an rpm we
> > > could
> > > >> list as a dependency rather than including in our source?
> > > >>
> > > >> -dan
> > > >>
> > > >> On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts wrote:
> > > >> I'd really like to keep this, or replace it with a similar file
> > from
> > > >> another source. Which I'd be willing to investigate, if
> necessary.
> > > >>
> > > >> Having a good blacklist of most-common passwords specifically
> puts
> > > > Traffic
> > > >> Ops in compliance with NIST SP 800-63B.
> > > >>
> > > >> I also don't understand the objections, the Apache Legal FAQ
> > >  specifically
> > > >> says CC-SA is permissible, and doesn't say anything about being

Re: Remove file with invalid license

2017-12-19 Thread Dave Neuman
I merged it, you need to do a backport to 2.1 as well.

On Tue, Dec 19, 2017 at 9:16 AM, Robert Butts 
wrote:

> PR updating the license:
> https://github.com/apache/incubator-trafficcontrol/pull/1681
>
> On Tue, Dec 19, 2017 at 9:13 AM, Chris Lemmons  wrote:
>
> > https://github.com/danielmiessler/SecLists is now licensed MIT.
> > Thanks, Eric, for talking to Daniel Miessler for us and getting this
> > taken care of!
> >
> > On Mon, Dec 18, 2017 at 1:56 PM, Chris Lemmons 
> wrote:
> > > Excellent, Eric. That neatly cleans up the problem. I do think we
> > > should merge my PR (1677), regardless, if for no other reason than to
> > > honour the authors' attribution request.
> > >
> > > On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
> > >  wrote:
> > >> I emailed the owner of the password file earlier today and he agreed
> to
> > change or dual-license the project to MIT.
> > >>
> > >> —Eric
> > >>
> > >>> On Dec 18, 2017, at 3:40 PM, Phil Sorber  wrote:
> > >>>
> > >>> Rob,
> > >>>
> > >>> Just because we remove it for now doesn't mean we have to leave it
> out
> > >>> forever. I encourage you to contribute to the thread on the legal
> > mailing
> > >>> list to make your case or at least get an understanding of their
> > >>> requirements. The ASF does tend to lean toward conservative
> > interpretations.
> > >>>
> > >>> Thanks.
> > >>>
> > >>> On Mon, Dec 18, 2017 at 12:08 PM Robert Butts wrote:
> > >>>
> >  That's correct. No RPM, unfortunately. License is here:
> >  https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
> > 
> >  -1 on downloading during rpmbuild, or especially postinstall. Both
> > pose a
> >  security risk. Moreover, it makes our build or install dependent on
> > the
> >  internet and a particular website. Neither building nor installing
> > should
> >  require either internet or a particular website; we should be
> working
> > to
> >  get away from that, not towards it.
> > 
> >  I'd prefer to find something Apache is ok with vendoring, if we have
> > to.
> >  Though, ideally we'd keep this one, Daniel Miessler is a well-known
> > name in
> >  the security community.
> > 
> > 
> >  On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood 
> > wrote:
> > 
> > > Thanks,  Eric..Then it's possible we could download it during
> > > rpmbuild or postinstall.
> > >
> > > On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
> > >  wrote:
> > >> It can be downloaded from Github.
> > >>
> > >> I think this is the file (Rob correct me if I picked the wrong
> >  variant):
> > > https://github.com/danielmiessler/SecLists/blob/
> > > master/Passwords/10_million_password_list_top_10.txt
> > >>
> > >> —Eric
> > >>
> > >> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
> > >>
> > >> Rob,   is there a specific download location for this file?   I
> see
> > it
> > >> referenced as "Projects/OWASP SecLists Project",  but didn't find
> it
> > >> with a quick search.   Is it possible it's provided by an rpm we
> > could
> > >> list as a dependency rather than including in our source?
> > >>
> > >> -dan
> > >>
> > >> On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts wrote:
> > >> I'd really like to keep this, or replace it with a similar file
> from
> > >> another source. Which I'd be willing to investigate, if necessary.
> > >>
> > >> Having a good blacklist of most-common passwords specifically puts
> > > Traffic
> > >> Ops in compliance with NIST SP 800-63B.
> > >>
> > >> I also don't understand the objections, the Apache Legal FAQ
> >  specifically
> > >> says CC-SA is permissible, and doesn't say anything about being
> > limited
> > > to
> > >> binary (which would be odd, CC is designed for text, not binary).
> > >> https://www.apache.org/legal/resolved.html#cc-sa
> > >>
> > >> I'd vote we wait for the legal resolution, or find a suitable
> > > replacement,
> > >> in order to remain in NIST compliance.
> > >>
> > >>
> > >> On Mon, Dec 18, 2017 at 10:55 AM, David Neuman wrote:
> > >>
> > >> Hey all,
> > >> I don't know if you have been following the release 2.1 thread on
> > the
> > >> incubator list [1] , but we have been given a -1 vote by the IPMC
> > for
> > >> having a file in our release [2] that has an incompatible license.
> >  There
> > >> is some debate about the license, and we have reached out to Legal
> > for
> > > more
> 

Re: Remove file with invalid license

2017-12-19 Thread Robert Butts
PR updating the license:
https://github.com/apache/incubator-trafficcontrol/pull/1681

On Tue, Dec 19, 2017 at 9:13 AM, Chris Lemmons  wrote:

> https://github.com/danielmiessler/SecLists is now licensed MIT.
> Thanks, Eric, for talking to Daniel Miessler for us and getting this
> taken care of!
>
> On Mon, Dec 18, 2017 at 1:56 PM, Chris Lemmons  wrote:
> > Excellent, Eric. That neatly cleans up the problem. I do think we
> > should merge my PR (1677), regardless, if for no other reason than to
> > honour the authors' attribution request.
> >
> > On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
> >  wrote:
> >> I emailed the owner of the password file earlier today and he agreed to
> change or dual-license the project to MIT.
> >>
> >> —Eric
> >>
> >>> On Dec 18, 2017, at 3:40 PM, Phil Sorber  wrote:
> >>>
> >>> Rob,
> >>>
> >>> Just because we remove it for now doesn't mean we have to leave it out
> >>> forever. I encourage you to contribute to the thread on the legal
> mailing
> >>> list to make your case or at least get an understanding of their
> >>> requirements. The ASF does tend to lean toward conservative
> interpretations.
> >>>
> >>> Thanks.
> >>>
> >>> On Mon, Dec 18, 2017 at 12:08 PM Robert Butts wrote:
> >>>
>  That's correct. No RPM, unfortunately. License is here:
>  https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
> 
>  -1 on downloading during rpmbuild, or especially postinstall. Both
> pose a
>  security risk. Moreover, it makes our build or install dependent on
> the
>  internet and a particular website. Neither building nor installing
> should
>  require either internet or a particular website; we should be working
> to
>  get away from that, not towards it.
> 
>  I'd prefer to find something Apache is ok with vendoring, if we have
> to.
>  Though, ideally we'd keep this one, Daniel Miessler is a well-known
> name in
>  the security community.
> 
> 
>  On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood 
> wrote:
> 
> > Thanks,  Eric..Then it's possible we could download it during
> > rpmbuild or postinstall.
> >
> > On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
> >  wrote:
> >> It can be downloaded from Github.
> >>
> >> I think this is the file (Rob correct me if I picked the wrong
>  variant):
> > https://github.com/danielmiessler/SecLists/blob/
> > master/Passwords/10_million_password_list_top_10.txt
> >>
> >> —Eric
> >>
> >> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
> >>
> >> Rob,   is there a specific download location for this file?   I see
> it
> >> referenced as "Projects/OWASP SecLists Project",  but didn't find it
> >> with a quick search.   Is it possible it's provided by an rpm we
> could
> >> list as a dependency rather than including in our source?
> >>
> >> -dan
> >>
> >> On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts wrote:
> >> I'd really like to keep this, or replace it with a similar file from
> >> another source. Which I'd be willing to investigate, if necessary.
> >>
> >> Having a good blacklist of most-common passwords specifically puts
> > Traffic
> >> Ops in compliance with NIST SP 800-63B.
> >>
> >> I also don't understand the objections, the Apache Legal FAQ
>  specifically
> >> says CC-SA is permissible, and doesn't say anything about being
> limited
> > to
> >> binary (which would be odd, CC is designed for text, not binary).
> >> https://www.apache.org/legal/resolved.html#cc-sa
> >>
> >> I'd vote we wait for the legal resolution, or find a suitable
> > replacement,
> >> in order to remain in NIST compliance.
> >>
> >>
> >> On Mon, Dec 18, 2017 at 10:55 AM, David Neuman wrote:
> >>
> >> Hey all,
> >> I don't know if you have been following the release 2.1 thread on
> the
> >> incubator list [1] , but we have been given a -1 vote by the IPMC
> for
> >> having a file in our release [2] that has an incompatible license.
>  There
> >> is some debate about the license, and we have reached out to Legal
> for
> > more
> >> information [3] (thanks Eric!), but we haven't heard back from legal
>  yet.
> >> Instead of waiting for legal to get back to us, I would like to
> propose
> >> that we instead remove this file from our release.  The file in
>  question
> > is
> >> just a list of weak passwords and I feel like we can easily include
> a
> > blank
> >> file, or a file with a 

Re: Remove file with invalid license

2017-12-19 Thread Chris Lemmons
https://github.com/danielmiessler/SecLists is now licensed MIT.
Thanks, Eric, for talking to Daniel Miessler for us and getting this
taken care of!

On Mon, Dec 18, 2017 at 1:56 PM, Chris Lemmons  wrote:
> Excellent, Eric. That neatly cleans up the problem. I do think we
> should merge my PR (1677), regardless, if for no other reason than to
> honour the authors' attribution request.
>
> On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
>  wrote:
>> I emailed the owner of the password file earlier today and he agreed to 
>> change or dual-license the project to MIT.
>>
>> —Eric
>>
>>> On Dec 18, 2017, at 3:40 PM, Phil Sorber  wrote:
>>>
>>> Rob,
>>>
>>> Just because we remove it for now doesn't mean we have to leave it out
>>> forever. I encourage you to contribute to the thread on the legal mailing
>>> list to make your case or at least get an understanding of their
>>> requirements. The ASF does tend to lean toward conservative interpretations.
>>>
>>> Thanks.
>>>
>>> On Mon, Dec 18, 2017 at 12:08 PM Robert Butts 
>>> wrote:
>>>
 That's correct. No RPM, unfortunately. License is here:
 https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.

 -1 on downloading during rpmbuild, or especially postinstall. Both pose a
 security risk. Moreover, it makes our build or install dependent on the
 internet and a particular website. Neither building nor installing should
 require either internet or a particular website; we should be working to
 get away from that, not towards it.

 I'd prefer to find something Apache is ok with vendoring, if we have to.
 Though, ideally we'd keep this one, Daniel Miessler is a well-known name in
 the security community.


 On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood  wrote:

> Thanks,  Eric..Then it's possible we could download it during
> rpmbuild or postinstall.
>
> On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
>  wrote:
>> It can be downloaded from Github.
>>
>> I think this is the file (Rob correct me if I picked the wrong variant):
>> https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_10.txt
>>
>> —Eric
>>
>> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
>>
>> Rob,   is there a specific download location for this file?   I see it
>> referenced as "Projects/OWASP SecLists Project",  but didn't find it
>> with a quick search.   Is it possible it's provided by an rpm we could
>> list as a dependency rather than including in our source?
>>
>> -dan
>>
>> On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts wrote:
>> I'd really like to keep this, or replace it with a similar file from
>> another source. Which I'd be willing to investigate, if necessary.
>>
>> Having a good blacklist of most-common passwords specifically puts Traffic
>> Ops in compliance with NIST SP 800-63B.
>>
>> I also don't understand the objections, the Apache Legal FAQ specifically
>> says CC-SA is permissible, and doesn't say anything about being limited to
>> binary (which would be odd, CC is designed for text, not binary).
>> https://www.apache.org/legal/resolved.html#cc-sa
>>
>> I'd vote we wait for the legal resolution, or find a suitable replacement,
>> in order to remain in NIST compliance.
>>
>>
>> On Mon, Dec 18, 2017 at 10:55 AM, David Neuman wrote:
>>
>> Hey all,
>> I don't know if you have been following the release 2.1 thread on the
>> incubator list [1] , but we have been given a -1 vote by the IPMC for
>> having a file in our release [2] that has an incompatible license. There
>> is some debate about the license, and we have reached out to Legal for more
>> information [3] (thanks Eric!), but we haven't heard back from legal yet.
>> Instead of waiting for legal to get back to us, I would like to propose
>> that we instead remove this file from our release.  The file in question is
>> just a list of weak passwords and I feel like we can easily include a blank
>> file, or a file with a couple passwords that we generate, and individual
>> installs of Traffic Control can replace this file as they see fit. This will
>> remove the issue of having an incompatible license in our release and should
>> also not require us to do a code change.  The downside of removing this
>> file is that we will need to create another 2.1 release candidate and go
>> through the vote 

Re: Remove file with invalid license

2017-12-18 Thread Chris Lemmons
Excellent, Eric. That neatly cleans up the problem. I do think we
should merge my PR (1677), regardless, if for no other reason than to
honour the authors' attribution request.

On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
 wrote:
> I emailed the owner of the password file earlier today and he agreed to 
> change or dual-license the project to MIT.
>
> —Eric
>
>> On Dec 18, 2017, at 3:40 PM, Phil Sorber  wrote:
>>
>> Rob,
>>
>> Just because we remove it for now doesn't mean we have to leave it out
>> forever. I encourage you to contribute to the thread on the legal mailing
>> list to make your case or at least get an understanding of their
>> requirements. The ASF does tend to lean toward conservative interpretations.
>>
>> Thanks.
>>
>> On Mon, Dec 18, 2017 at 12:08 PM Robert Butts 
>> wrote:
>>
>>> That's correct. No RPM, unfortunately. License is here:
>>> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
>>>
>>> -1 on downloading during rpmbuild, or especially postinstall. Both pose a
>>> security risk. Moreover, it makes our build or install dependent on the
>>> internet and a particular website. Neither building nor installing should
>>> require either internet or a particular website; we should be working to
>>> get away from that, not towards it.
>>>
>>> I'd prefer to find something Apache is ok with vendoring, if we have to.
>>> Though, ideally we'd keep this one, Daniel Miessler is a well-known name in
>>> the security community.
>>>
>>>
>>> On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood  wrote:
>>>
 Thanks,  Eric..Then it's possible we could download it during
 rpmbuild or postinstall.

 On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
  wrote:
> It can be downloaded from Github.
>
> I think this is the file (Rob correct me if I picked the wrong variant):
> https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_10.txt
>
> —Eric
>
> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
>
> Rob,   is there a specific download location for this file?   I see it
> referenced as "Projects/OWASP SecLists Project",  but didn't find it
> with a quick search.   Is it possible it's provided by an rpm we could
> list as a dependency rather than including in our source?
>
> -dan
>
> On Mon, Dec 18, 2017 at 11:11 AM, Robert Butts wrote:
> I'd really like to keep this, or replace it with a similar file from
> another source. Which I'd be willing to investigate, if necessary.
>
> Having a good blacklist of most-common passwords specifically puts Traffic
> Ops in compliance with NIST SP 800-63B.
>
> I also don't understand the objections, the Apache Legal FAQ specifically
> says CC-SA is permissible, and doesn't say anything about being limited to
> binary (which would be odd, CC is designed for text, not binary).
> https://www.apache.org/legal/resolved.html#cc-sa
>
> I'd vote we wait for the legal resolution, or find a suitable replacement,
> in order to remain in NIST compliance.
>
>
> On Mon, Dec 18, 2017 at 10:55 AM, David Neuman wrote:
>
> Hey all,
> I don't know if you have been following the release 2.1 thread on the
> incubator list [1] , but we have been given a -1 vote by the IPMC for
> having a file in our release [2] that has an incompatible license. There
> is some debate about the license, and we have reached out to Legal for more
> information [3] (thanks Eric!), but we haven't heard back from legal yet.
> Instead of waiting for legal to get back to us, I would like to propose
> that we instead remove this file from our release.  The file in question is
> just a list of weak passwords and I feel like we can easily include a blank
> file, or a file with a couple passwords that we generate, and individual
> installs of Traffic Control can replace this file as they see fit. This will
> remove the issue of having an incompatible license in our release and should
> also not require us to do a code change.  The downside of removing this
> file is that we will need to create another 2.1 release candidate and go
> through the vote process again.  I would really like to see us get 2.1
> released before the end of the year, and at this point our chances are
> looking pretty slim.  So, does anyone object to removing this file from our
> release?  If not, I will put an issue into github, remove the file, and
> back port the change so that we can get another 2.1 

Re: Remove file with invalid license

2017-12-18 Thread Chris Lemmons
Hrm, automatically downloading a blacklist at install should probably
be a non-starter. It's a security issue waiting to happen, I think.
(Automatically downloading code is the same, and Rob is right, we
should be moving away, not toward that.)

The question really hinges on the definition of "media", which isn't
documented in the resolved FAQ, but does usually mean "binary". If the
author distributed this exact file in gzipped format or as a sqlite
database, for example, it would be fine. (Of course, we can't just
gzip it, because the media has to be unmodified – in the form the
author provided it.)

Still, it's a list of 1,000,000 passwords. It's not really going to be
treated as text or source code in a meaningful way. It's a database of
bad passwords, used properly under license from the author, in the way
the author intended it.

Nevertheless, we are not in compliance with the license as it stands.
We are currently in violation of the attribution requirement. I have
submitted a pull request to remedy this.
https://github.com/apache/incubator-trafficcontrol/pull/1677

On Mon, Dec 18, 2017 at 12:57 PM, Dan Kirkwood  wrote:
> +1

Re: Remove file with invalid license

2017-12-18 Thread Phil Sorber
Rob,

Just because we remove it for now doesn't mean we have to leave it out
forever. I encourage you to contribute to the thread on the legal mailing
list to make your case or at least get an understanding of their
requirements. The ASF does tend to lean toward conservative interpretations.

Thanks.

On Mon, Dec 18, 2017 at 12:08 PM Robert Butts 
wrote:

> That's correct. No RPM, unfortunately. License is here:
> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
>
> -1 on downloading during rpmbuild, or especially postinstall. Both pose a
> security risk. Moreover, it makes our build or install dependent on the
> internet and a particular website. Neither building nor installing should
> require either internet or a particular website; we should be working to
> get away from that, not towards it.
>
> I'd prefer to find something Apache is ok with vendoring, if we have to.
> Though, ideally we'd keep this one, Daniel Miessler is a well-known name in
> the security community.

Re: Remove file with invalid license

2017-12-18 Thread Dan Kirkwood
+1

On Mon, Dec 18, 2017 at 12:43 PM, Dave Neuman  wrote:
> I personally don't want to see us hold up this release any longer,
> especially for something like this.  If folks really want to use this file,
> it's easy enough to have puppet put the file in place and use it in your
> own Traffic Control installation.  We can add documentation suggesting as
> much as well.  Rob, if you think you can find a suitable replacement in a
> decent timeframe then be my guest.  Otherwise, I think we should replace
> the file with a blank file (or create our own version) and move on.
> If legal comes back and decides the file is ok, we can re-introduce it in
> the 2.2 release.
>
> --Dave

Re: Remove file with invalid license

2017-12-18 Thread Dave Neuman
I personally don't want to see us hold up this release any longer,
especially for something like this.  If folks really want to use this file,
it's easy enough to have puppet put the file in place and use it in your
own Traffic Control installation.  We can add documentation suggesting as
much as well.  Rob, if you think you can find a suitable replacement in a
decent timeframe then be my guest.  Otherwise, I think we should replace
the file with a blank file (or create our own version) and move on.
If legal comes back and decides the file is ok, we can re-introduce it in
the 2.2 release.

--Dave

On Mon, Dec 18, 2017 at 12:08 PM, Robert Butts 
wrote:

> That's correct. No RPM, unfortunately. License is here:
> https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
>
> -1 on downloading during rpmbuild, or especially postinstall. Both pose a
> security risk. Moreover, it makes our build or install dependent on the
> internet and a particular website. Neither building nor installing should
> require either internet or a particular website; we should be working to
> get away from that, not towards it.
>
> I'd prefer to find something Apache is ok with vendoring, if we have to.
> Though, ideally we'd keep this one, Daniel Miessler is a well-known name in
> the security community.

Re: Remove file with invalid license

2017-12-18 Thread Robert Butts
That's correct. No RPM, unfortunately. License is here:
https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.

-1 on downloading during rpmbuild, or especially postinstall. Both pose a
security risk. Moreover, it makes our build or install dependent on the
internet and a particular website. Neither building nor installing should
require either internet or a particular website; we should be working to
get away from that, not towards it.

I'd prefer to find something Apache is ok with vendoring, if we have to.
Though, ideally we'd keep this one, Daniel Miessler is a well-known name in
the security community.


On Mon, Dec 18, 2017 at 11:51 AM, Dan Kirkwood  wrote:

> Thanks,  Eric..Then it's possible we could download it during
> rpmbuild or postinstall.

Re: Remove file with invalid license

2017-12-18 Thread Dan Kirkwood
Thanks, Eric. Then it's possible we could download it during
rpmbuild or postinstall.

On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
 wrote:
> It can be downloaded from Github.
>
> I think this is the file (Rob correct me if I picked the wrong variant): 
> https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_10.txt
>
> —Eric
>
> On Dec 18, 2017, at 1:38 PM, Dan Kirkwood wrote:
>
>> Rob, is there a specific download location for this file? I see it
>> referenced as "Projects/OWASP SecLists Project", but didn't find it
>> with a quick search. Is it possible it's provided by an rpm we could
>> list as a dependency rather than including in our source?
>>
>> -dan

Re: Remove file with invalid license

2017-12-18 Thread Robert Butts
I'd really like to keep this, or replace it with a similar file from
another source, which I'd be willing to investigate, if necessary.

Having a good blacklist of most-common passwords specifically puts Traffic
Ops in compliance with NIST SP 800-63B.

I also don't understand the objections; the Apache Legal FAQ specifically
says CC-SA is permissible, and doesn't say anything about being limited to
binary (which would be odd; CC is designed for text, not binary).
https://www.apache.org/legal/resolved.html#cc-sa

I'd vote we wait for the legal resolution, or find a suitable replacement,
in order to remain in NIST compliance.


On Mon, Dec 18, 2017 at 10:55 AM, David Neuman 
wrote:

> Hey all,
> I don't know if you have been following the release 2.1 thread on the
> incubator list [1] , but we have been given a -1 vote by the IPMC for
> having a file in our release [2] that has an incompatible license.  There
> is some debate about the license, and we have reached out to Legal for more
> information [3] (thanks Eric!), but we haven't heard back from legal yet.
> Instead of waiting for legal to get back to us, I would like to propose
> that we instead remove this file from our release.  The file in question is
> just a list of weak passwords and I feel like we can easily include a blank
> file, or a file with a couple passwords that we generate, and individual
> installs of Traffic Control can replace this file as they see fit.  This
> will remove the issue of having an incompatible license in our release and
> should also not require us to do a code change.  The downside of removing
> this file is that we will need to create another 2.1 release candidate and
> go through the vote process again.  I would really like to see us get 2.1
> released before the end of the year, and at this point our chances are
> looking pretty slim.  So, does anyone object to removing this file from our
> release?  If not, I will put an issue into GitHub, remove the file, and
> backport the change so that we can get another 2.1 release candidate out.
>
> Thanks,
> Dave
>
>
> [1] https://lists.apache.org/thread.html/c211f049e3d68af90196c30f6b6d31a67b3072029dea1efe7d35c9dc@%3Cdev.trafficcontrol.apache.org%3E
> [2] apache-trafficcontrol-2.1.0-incubating/traffic_ops/app/conf/invalid_passwords.txt
> [3] https://issues.apache.org/jira/browse/LEGAL-356
>
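Two points in the messages above can be shown together in code: Rob's remark that a blocklist of the most common passwords is what puts Traffic Ops in line with NIST SP 800-63B, and Dave's proposal to ship a blank `invalid_passwords.txt` that individual installs replace as they see fit. The checker below is an added example written for this page, not Traffic Ops or Traffic Control code. It assumes the file format is simply one password per line (as the thread describes the file), the five sample entries are constructed for the example, and the function names (`LoadBlocklist`, `LoadBlocklistFile`, `CheckPassword`) are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
	"unicode/utf8"
)

// sampleBlocklist is a constructed stand-in for invalid_passwords.txt:
// one password per line. The real list has far more entries; these
// five are made up for this example.
const sampleBlocklist = `123456
password
qwerty
letmein
Password1
`

// minLength is the SP 800-63B section 5.1.1.2 floor for a user-chosen
// memorized secret (8 characters).
const minLength = 8

// Blocklist is the normalized set of prohibited passwords.
type Blocklist struct {
	entries map[string]struct{}
}

func newBlocklist() *Blocklist {
	return &Blocklist{entries: make(map[string]struct{})}
}

// normalize trims whitespace and lower-cases, so "Password1" and
// "PASSWORD1 " both hit the same entry.
func normalize(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// LoadBlocklist reads one password per line from r. Blank lines are
// skipped, so the blank file proposed in the thread loads as an empty list.
func LoadBlocklist(r io.Reader) (*Blocklist, error) {
	b := newBlocklist()
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if entry := normalize(sc.Text()); entry != "" {
			b.entries[entry] = struct{}{}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return b, nil
}

// LoadBlocklistFile loads path (hypothetical helper). A missing file is
// treated as an empty list so an install that deleted the file still
// starts; any other error is reported to the caller.
func LoadBlocklistFile(path string) (*Blocklist, error) {
	f, err := os.Open(path)
	if err != nil {
		if os.IsNotExist(err) {
			return newBlocklist(), nil
		}
		return nil, err
	}
	defer f.Close()
	return LoadBlocklist(f)
}

// Len returns the number of distinct entries loaded.
func (b *Blocklist) Len() int { return len(b.entries) }

// Contains reports whether pw, after normalization, is on the list.
func (b *Blocklist) Contains(pw string) bool {
	_, ok := b.entries[normalize(pw)]
	return ok
}

// CheckPassword applies the two SP 800-63B memorized-secret rules this
// thread is about: the minimum length, and rejection of anything on the
// blocklist of commonly used or compromised values. It returns "" when
// the password is acceptable, otherwise the reason for rejection.
func CheckPassword(pw string, b *Blocklist) string {
	if utf8.RuneCountInString(pw) < minLength {
		return fmt.Sprintf("shorter than %d characters", minLength)
	}
	if b.Contains(pw) {
		return "appears on the list of commonly used or compromised passwords"
	}
	return ""
}

func main() {
	bl, err := LoadBlocklist(strings.NewReader(sampleBlocklist))
	if err != nil {
		fmt.Fprintln(os.Stderr, "load blocklist:", err)
		os.Exit(1)
	}
	fmt.Printf("loaded %d blocklist entries\n", bl.Len())
	for _, pw := range []string{"letmein", "PASSWORD1", "correct horse battery staple"} {
		if reason := CheckPassword(pw, bl); reason != "" {
			fmt.Printf("reject %q: %s\n", pw, reason)
		} else {
			fmt.Printf("accept %q\n", pw)
		}
	}
}
```

With the blank file the length rule is all that remains enforced, which is the trade-off Dave's proposal accepts; an operator who wants the SP 800-63B blocklist check back drops their own list into place (via puppet, as Dave suggests) and the same loader picks it up. Consistent with Rob's and Chris's objections, the list is read from the release or the local install, never fetched over the network at build or install time.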