
List:       fedora-devel-list
Subject:    Re: OpenSSL and ECC patents (was Re: Mesa in F37- vaapi support disabled for h264/h265/vc1)
From:       "Michael J Gruber" <mjg () fedoraproject ! org>
Date:       2022-09-28 11:15:07
Message-ID: 20220928111507.6217.46418 () mailman01 ! iad2 ! fedoraproject ! org

As Fedora users and contributors, we profit a lot from everything that RedHat
provides to the Fedora project, be it infra, people-power or "leverage" (talking to
vendors etc.). In turn, RedHat can expect a certain amount of understanding from "us"
for their business interests, which include legal liabilities, of course.

Understanding is helped greatly by communication, though. Legal answers such as "We
can not" do not further this understanding, and "We can not and we can not tell you
why" is not much better, but these are the typical answers we get, not even with a
"sorry, but we can't". Obviously, these legal questions are difficult to explain, but
it can't be true that each such case is under a "gag order". This non-transparency is
orthogonal to our first F and hurts all efforts to increase the number of
contributors.

Now, I don't expect the communication issue to be resolved any time soon. Therefore
it's important to work on the other major friction point: How difficult do we make it
for users/contributors to get the missing bits that they need or can (because they
are no distributors, in a different jurisdiction etc.)?

rpmfusion/gstreamer is a prime example of how things can work flawlessly, and takes
into account all interests.

ffmpeg is a prime example of "in your face", of course, and I'm happy to read that it
may get resolved.

The other big issue is our hobbled sources: We cannot store some original sources in
the look-aside cache, obviously. But packages such as openssl do not even specify a
hash nor a URL for the un-hobbled sources. This makes it unnecessarily difficult to
verify that our openssl package has indeed been built against the hobbled
version of the original sources - for a package like openssl this really is a trust
issue (and might even violate our packaging guidelines, but I'm not a lawyer...).

As a side effect, it makes it unnecessarily difficult to rebuild the package locally
(though it does not effectively inhibit it either, of course; it is not an "effective
measure" for that cause). I do understand that providing a functional link can be
construed to be "redistribution", but in the context of a spec file, a comment really
is a reference to the "source of the source", without which we cannot even claim to
distribute the hobbled version legally (and without which we have no trust chain).

Note that depending on the legal outcome mesa might have to go the hobbled route,
too: simply disabling the codecs in %build does not change anything about
redistributing the source.