[Buildroot] [PATCH 1/4] python-pycryptodomex: new package
Arnout Vandecappelle
arnout at mind.be
Wed Oct 10 21:13:40 UTC 2018
On 9/10/18 22:19, Yann E. MORIN wrote:
> Thomas, Asaf, All,
>
> On 2018-10-09 15:56 +0200, Thomas Petazzoni spake thusly:
>> On Sat, 22 Sep 2018 22:36:28 +0300, Asaf Kahlon wrote:
>>> Cryptographic library for Python
>>> +PYTHON_PYCRYPTODOMEX_LICENSE = Apache-2.0
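Review bot: the `PYTHON_PYCRYPTODOMEX_LICENSE` line names `Apache-2.0` as the only license, which should be checked against the LICENSE.rst shipped as the license file. The variable should list, comma-separated, every license covering code that ends up on the target, and leave out any license that applies only to test data.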
>>
>> I am not sure this is an accurate description of the license terms.
>> Reading https://pycryptodome.readthedocs.io/en/latest/src/license.html
>> (which is the same as the LICENSE.rst you use as a license file), it
>> says:
>>
>> """
>> The source code in PyCryptodome is partially in the public domain and
>> partially released under the BSD 2-Clause license.
>> """
>>
>> There is also the text of the Apache 2.0 license, but it doesn't say to
>> which part of the code it applies.
>
> It states: Apache 2.0 license (Wycheproof)
> And by grepping the source tree, it seems that 'Wycheproof' is the
> self-test test harness, as we can only find it in lib/Crypto/SelfTest/
> and in setup.py, supposedly to ignore warning from said test harness, and
> to list it as the data to package.
>
> So, I think we can ignore the Apache-2.0 license, as it does not cover
> stuff that goes on the target.

Ack that. So Apache-2.0 is definitely wrong.

>> And there is a special constraint for the OCB cipher, that it cannot be
>> used for military purposes. I am not sure how Debian accepts that, but
>> they do accept it:
>> https://metadata.ftp-master.debian.org/changelogs/main/p/pycryptodome/pycryptodome_3.6.1-2_copyright.
>
> In fact, there are 3 licenses under which OCB is made available;
> http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
>
> * License 1 — License for Open-Source Software Implementations of OCB
> (Jan 9, 2013)
>
> * License 2 — General License for Non-Military Software Implementations
> OCB (Jan 10, 2013).
>
> * License 3 — Patent License for OpenSSL (Nov 13, 2013).

Note that all three of them are *patent* licenses. That's why Debian doesn't
make a problem of it. Debian only uses license 1.

The OCB *code* is all under BSD-2-Clause, as far as I can see. There are
actually 2 implementations: one in python that does not come from pycrypto
AFAICS, and one from libtom.

>
> As far as I understand the licensing terms, OCB is available under any
> license to the choosing of the user of OCB. The pycryptodome developers
> have not chosen a license, and instead decided to propagate that choice
> down to the user of pycryptodome.
Ack.
>
>> Yann, Arnout, I'm interested by your opinion on this package.
>
> So, I would state something like:
>
> PYTHON_PYCRYPTODOMEX_LICENSE = \
> BSD-2c, \
BSD-2-Clause
> Public Domain (pycrypto original code), \
> OCB license (OCB cypher)

I would clarify this as "OCB patent license". The (OCB cypher) is not really
useful IMO. Anyway OCB is not a cipher, it's a mode.

In terms of license files, in addition to LICENSE.rst, I think we also need
Doc/LEGAL/COPYRIGHT.pycrypto

Regards,
Arnout

>
> Regards,
> Yann E. MORIN.
>
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF