https://bugzilla.redhat.com/show_bug.cgi?id=2350889

--- Comment #2 from Fabio Valentini <decathorpe@xxxxxxxxx> ---
(In reply to Ben Beasley from comment #1)
> Unfortunately, I found some license issues.
>
> Package Review
> ==============
>
> It might have also worked to patch the includes/excludes in Cargo.toml.
> Formally, rpm holds the position that %exclude was never designed to omit
> files from packaging entirely, only to exclude certain files from a broad
> pattern in one subpackage while including them in another subpackage. In
> theory, this might stop working in a future version of rpm; this was already
> attempted once.
> See https://github.com/rpm-software-management/rpm/issues/994 for details and
> discussion. Accordingly, if you can handle this adequately via Cargo.toml
> rather than by %exclude, that’s probably safer in the long run, even though
> such a change in rpm can’t be expected to hit Fedora without quite a bit of
> advance warning.

Yeah, I'm aware of this. For changes to Cargo.toml that are upstreamable, I
would definitely prefer doing it via include / exclude settings in Cargo.toml,
but for a downstream-only change, I feel less strongly about that.

Though given unclear status of some test data, excluding those from published
crates by pushing a Cargo.toml change upstream might actually be a better idea
...

> - README.md acknowledges that the library is based on quirc,
>
>     This library was made on the base of
>     [quirc](https://github.com/dlbeer/quirc)
>
>   and LICENSE-MIT contains not only the MIT license text, but also the ISC
>   license text from quirc.
>
>   This feels a little like an effort by upstream to hedge or have it both
>   ways. If in fact this crate is (copyright-wise) derived from quirc, then the
>   license expression should be (MIT OR Apache-2.0) AND ISC.
>
>   It’s probably worth raising the issue with upstream and suggesting that
>   they alter the license expression. (It might also make sense to move the ISC
>   license text to a LICENSE-ISC file, since it’s surprising to find it in a
>   file named LICENSE-MIT.)

Oh, that is sneaky. I'll raise this upstream.

> - Most of the test data appears not to have license issues (it looks like it
>   is original work of the upstream author), but
>   tests/data/errors/should-not-panic-2.jpg is a photograph of a computer
>   screen clearly displaying a screenshot of a web page, including images and
>   text with unknown and presumably proprietary license status. This needs to
>   be filtered out from the crate before uploading to the lookaside cache.
>
>   The file tests/data/errors/should-not-panic-1.jpg is a screenshot that
>   includes a tiny thumbnail image and a very small amount of potentially
>   legible text. This is less concerning to me because the
>   questionably-licensed content is so tiny and minimal, but it’s still
>   probably worth treating it the same as
>   tests/data/errors/should-not-panic-2.jpg.
>
>   It’s probably worth raising this issue with upstream as well.

I will mention this upstream as well. The safest option might be to exclude all
the test data from the tarballs that are published to crates.io.