[1/4] python-pycryptodomex: new package

Message ID 20180922193631.14369-1-asafka7@gmail.com
State Accepted

Commit Message

Asaf Kahlon Sept. 22, 2018, 7:36 p.m. UTC
Cryptographic library for Python

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
---
 DEVELOPERS                                         |  1 +
 package/Config.in                                  |  1 +
 package/python-pycryptodomex/Config.in             |  6 ++++++
 .../python-pycryptodomex/python-pycryptodomex.hash |  5 +++++
 .../python-pycryptodomex/python-pycryptodomex.mk   | 14 ++++++++++++++
 5 files changed, 27 insertions(+)
 create mode 100644 package/python-pycryptodomex/Config.in
 create mode 100644 package/python-pycryptodomex/python-pycryptodomex.hash
 create mode 100644 package/python-pycryptodomex/python-pycryptodomex.mk

Comments

Thomas Petazzoni Oct. 9, 2018, 1:56 p.m. UTC | #1
Hello,

On Sat, 22 Sep 2018 22:36:28 +0300, Asaf Kahlon wrote:
> Cryptographic library for Python
> 
> Signed-off-by: Asaf Kahlon <asafka7@gmail.com>

Let's add some license experts in the loop.

> +PYTHON_PYCRYPTODOMEX_LICENSE = Apache-2.0

I am not sure this is an accurate description of the license terms.
Reading https://pycryptodome.readthedocs.io/en/latest/src/license.html
(which is the same as the LICENSE.rst you use as a license file), it
says:

"""
The source code in PyCryptodome is partially in the public domain and
partially released under the BSD 2-Clause license.
"""

There is also the text of the Apache 2.0 license, but it doesn't say to
which part of the code it applies.

And there is a special constraint for the OCB cipher, that it cannot be
used for military purposes. I am not sure how Debian accepts that, but
they do accept it:
https://metadata.ftp-master.debian.org/changelogs/main/p/pycryptodome/pycryptodome_3.6.1-2_copyright.

Yann, Arnout, I'm interested in your opinion on this package.

Best regards,

Thomas
Yann E. MORIN Oct. 9, 2018, 8:19 p.m. UTC | #2
Thomas, Asaf, All,

On 2018-10-09 15:56 +0200, Thomas Petazzoni spake thusly:
> On Sat, 22 Sep 2018 22:36:28 +0300, Asaf Kahlon wrote:
> > Cryptographic library for Python
> > +PYTHON_PYCRYPTODOMEX_LICENSE = Apache-2.0
> 
> I am not sure this is an accurate description of the license terms.
> Reading https://pycryptodome.readthedocs.io/en/latest/src/license.html
> (which is the same as the LICENSE.rst you use as a license file), it
> says:
> 
> """
> The source code in PyCryptodome is partially in the public domain and
> partially released under the BSD 2-Clause license.
> """
> 
> There is also the text of the Apache 2.0 license, but it doesn't say to
> which part of the code it applies.

It states:   Apache 2.0 license (Wycheproof)
And by grepping the source tree, it seems that 'Wycheproof' is the
self-test test harness, as we can only find it in lib/Crypto/SelfTest/
and in setup.py, supposedly to ignore warnings from said test harness, and
to list it as the data to package.

So, I think we can ignore the Apache-2.0 license, as it does not cover
stuff that goes on the target.

> And there is a special constraint for the OCB cipher, that it cannot be
> used for military purposes. I am not sure how Debian accepts that, but
> they do accept it:
> https://metadata.ftp-master.debian.org/changelogs/main/p/pycryptodome/pycryptodome_3.6.1-2_copyright.

In fact, there are 3 licenses under which OCB is made available;
    http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm

  * License 1 — License for Open-Source Software Implementations of OCB
    (Jan 9, 2013)

  * License 2 — General License for Non-Military Software Implementations
    OCB (Jan 10, 2013).

  * License 3 — Patent License for OpenSSL (Nov 13, 2013).

As far as I understand the licensing terms, OCB is available under any
license to the choosing of the user of OCB. The pycryptodome developers
have not chosen a license, and instead decided to propagate that choice
down to the user of pycryptodome.

> Yann, Arnout, I'm interested in your opinion on this package.

So, I would state something like:

    PYTHON_PYCRYPTODOMEX_LICENSE = \
        BSD-2c, \
        Public Domain (pycrypto original code), \
        OCB license (OCB cypher)

Regards,
Yann E. MORIN.
Thomas Petazzoni Oct. 10, 2018, 12:28 p.m. UTC | #3
Hello,

On Sat, 22 Sep 2018 22:36:28 +0300, Asaf Kahlon wrote:
> Cryptographic library for Python
> 
> Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
> ---
>  DEVELOPERS                                         |  1 +
>  package/Config.in                                  |  1 +
>  package/python-pycryptodomex/Config.in             |  6 ++++++
>  .../python-pycryptodomex/python-pycryptodomex.hash |  5 +++++
>  .../python-pycryptodomex/python-pycryptodomex.mk   | 14 ++++++++++++++
>  5 files changed, 27 insertions(+)
>  create mode 100644 package/python-pycryptodomex/Config.in
>  create mode 100644 package/python-pycryptodomex/python-pycryptodomex.hash
>  create mode 100644 package/python-pycryptodomex/python-pycryptodomex.mk

Applied to master with the license information fixed, as per the
discussion with Yann.

Thomas
Arnout Vandecappelle Oct. 10, 2018, 9:13 p.m. UTC | #4
On 9/10/18 22:19, Yann E. MORIN wrote:
> Thomas, Asaf, All,
> 
> On 2018-10-09 15:56 +0200, Thomas Petazzoni spake thusly:
>> On Sat, 22 Sep 2018 22:36:28 +0300, Asaf Kahlon wrote:
>>> Cryptographic library for Python
>>> +PYTHON_PYCRYPTODOMEX_LICENSE = Apache-2.0
>>
>> I am not sure this is an accurate description of the license terms.
>> Reading https://pycryptodome.readthedocs.io/en/latest/src/license.html
>> (which is the same as the LICENSE.rst you use as a license file), it
>> says:
>>
>> """
>> The source code in PyCryptodome is partially in the public domain and
>> partially released under the BSD 2-Clause license.
>> """
>>
>> There is also the text of the Apache 2.0 license, but it doesn't say to
>> which part of the code it applies.
> 
> It states:   Apache 2.0 license (Wycheproof)
> And by grepping the source tree, it seems that 'Wycheproof' is the
> self-test test harness, as we can only find it in lib/Crypto/SelfTest/
> and in setup.py, supposedly to ignore warnings from said test harness, and
> to list it as the data to package.
> 
> So, I think we can ignore the Apache-2.0 license, as it does not cover
> stuff that goes on the target.

 Ack that. So Apache-2.0 is definitely wrong.


>> And there is a special constraint for the OCB cipher, that it cannot be
>> used for military purposes. I am not sure how Debian accepts that, but
>> they do accept it:
>> https://metadata.ftp-master.debian.org/changelogs/main/p/pycryptodome/pycryptodome_3.6.1-2_copyright.
> 
> In fact, there are 3 licenses under which OCB is made available;
>     http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
> 
>   * License 1 — License for Open-Source Software Implementations of OCB
>     (Jan 9, 2013)
> 
>   * License 2 — General License for Non-Military Software Implementations
>     OCB (Jan 10, 2013).
> 
>   * License 3 — Patent License for OpenSSL (Nov 13, 2013).

 Note that all three of them are *patent* licenses. That's why Debian doesn't
make a problem of it. Debian only uses license 1.

 The OCB *code* is all under BSD-2-Clause, as far as I can see. There are
actually 2 implementations: one in python that does not come from pycrypto
AFAICS, and one from libtom.

> 
> As far as I understand the licensing terms, OCB is available under any
> license to the choosing of the user of OCB. The pycryptodome developers
> have not chosen a license, and instead decided to propagate that choice
> down to the user of pycryptodome.

 Ack.

> 
>> Yann, Arnout, I'm interested in your opinion on this package.
> 
> So, I would state something like:
> 
>     PYTHON_PYCRYPTODOMEX_LICENSE = \
>         BSD-2c, \

 BSD-2-Clause

>         Public Domain (pycrypto original code), \
>         OCB license (OCB cypher)

 I would clarify this as "OCB patent license". The (OCB cypher) is not really
useful IMO. Anyway OCB is not a cipher, it's a mode.

 In terms of license files, in addition to LICENSE.rst, I think we also need
Doc/LEGAL/COPYRIGHT.pycrypto

 Regards,
 Arnout

> 
> Regards,
> Yann E. MORIN.
>
Thomas Petazzoni Oct. 11, 2018, 6:54 a.m. UTC | #5
Hello,

On Wed, 10 Oct 2018 23:13:40 +0200, Arnout Vandecappelle wrote:

> >> Yann, Arnout, I'm interested in your opinion on this package.
> > 
> > So, I would state something like:
> > 
> >     PYTHON_PYCRYPTODOMEX_LICENSE = \
> >         BSD-2c, \  
> 
>  BSD-2-Clause

I fixed that when applying.

> >         Public Domain (pycrypto original code), \
> >         OCB license (OCB cypher)  
> 
>  I would clarify this as "OCB patent license". The (OCB cypher) is not really
> useful IMO. Anyway OCB is not a cipher, it's a mode.
> 
>  In terms of license files, in addition to LICENSE.rst, I think we also need
> Doc/LEGAL/COPYRIGHT.pycrypto

Asaf, could you send a follow-up patch fixing this, according to Arnout's
comments?

Thanks!

Thomas

Patch

diff --git a/DEVELOPERS b/DEVELOPERS
index 84129553c5..4c49cc3908 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -205,6 +205,7 @@  F:	package/python-fire/
 F:	package/python-jsonmodels/
 F:	package/python-paramiko/
 F:	package/python-pyasn1/
+F:	package/python-pycryptodomex/
 F:	package/python-pyroute2/
 F:	package/python-pytz/
 F:	package/python-reentry/
diff --git a/package/Config.in b/package/Config.in
index c04645a30b..826182cdb3 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -922,6 +922,7 @@  menu "External python modules"
 	source "package/python-pycli/Config.in"
 	source "package/python-pycparser/Config.in"
 	source "package/python-pycrypto/Config.in"
+	source "package/python-pycryptodomex/Config.in"
 	source "package/python-pydal/Config.in"
 	source "package/python-pyelftools/Config.in"
 	source "package/python-pyftpdlib/Config.in"
diff --git a/package/python-pycryptodomex/Config.in b/package/python-pycryptodomex/Config.in
new file mode 100644
index 0000000000..c7127fee59
--- /dev/null
+++ b/package/python-pycryptodomex/Config.in
@@ -0,0 +1,6 @@ 
+config BR2_PACKAGE_PYTHON_PYCRYPTODOMEX
+	bool "python-pycryptodomex"
+	help
+	  Cryptographic library for Python.
+
+	  http://www.pycryptodome.org
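Review bot: The help text "Cryptographic library for Python." in the new Config.in is too generic to tell this package apart from python-pycrypto, which is sourced on the line directly above it in package/Config.in. Suggest adding a sentence on how the two packages relate so a user picking a crypto library knows which one they are enabling, and using an https:// upstream URL if the site serves one.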
diff --git a/package/python-pycryptodomex/python-pycryptodomex.hash b/package/python-pycryptodomex/python-pycryptodomex.hash
new file mode 100644
index 0000000000..3dec1a1442
--- /dev/null
+++ b/package/python-pycryptodomex/python-pycryptodomex.hash
@@ -0,0 +1,5 @@ 
+# md5, sha256 from https://pypi.org/pypi/pycryptodomex/json
+md5	7e1884f55077ed2e48d36565525b1657  pycryptodomex-3.6.6.tar.gz
+sha256	d0d448484e161786922b41e112b5d7cf76ef5f0c725ea5107ef866bb14a38b12  pycryptodomex-3.6.6.tar.gz
+# Locally computed sha256 checksums
+sha256	fc884f6492490d0f227613ee900ff2a27e6879b79ee637c53a4697238bf12970  LICENSE.rst
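Review bot: The md5 line for pycryptodomex-3.6.6.tar.gz gives no integrity assurance beyond the sha256 line for the same file, since MD5 is not collision-resistant; the sha256 entry is the one that protects the download. Both tarball hashes are taken from the PyPI JSON, the same origin as the tarball, so they catch later tampering or a corrupted mirror but not a bad upload at packaging time. If Doc/LEGAL/COPYRIGHT.pycrypto is added to the license files as requested in the thread, it needs its own locally computed sha256 line here next to LICENSE.rst.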
diff --git a/package/python-pycryptodomex/python-pycryptodomex.mk b/package/python-pycryptodomex/python-pycryptodomex.mk
new file mode 100644
index 0000000000..aa1293df6b
--- /dev/null
+++ b/package/python-pycryptodomex/python-pycryptodomex.mk
@@ -0,0 +1,14 @@ 
+################################################################################
+#
+# python-pycryptodomex
+#
+################################################################################
+
+PYTHON_PYCRYPTODOMEX_VERSION = 3.6.6
+PYTHON_PYCRYPTODOMEX_SOURCE = pycryptodomex-$(PYTHON_PYCRYPTODOMEX_VERSION).tar.gz
+PYTHON_PYCRYPTODOMEX_SITE = https://files.pythonhosted.org/packages/95/10/f3bd758050da1c08ea30c8b4daf9ff895f306b780f07430fcc9b38722e1b
+PYTHON_PYCRYPTODOMEX_SETUP_TYPE = setuptools
+PYTHON_PYCRYPTODOMEX_LICENSE = Apache-2.0
+PYTHON_PYCRYPTODOMEX_LICENSE_FILES = LICENSE.rst
+
+$(eval $(python-package))
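Review bot: PYTHON_PYCRYPTODOMEX_LICENSE = Apache-2.0 does not match LICENSE.rst, which according to the thread says the code is partly public domain and partly BSD 2-Clause, with Apache 2.0 applying only to the Wycheproof self-test data that does not end up on the target. Suggest the value agreed in the discussion (BSD-2-Clause, Public Domain, OCB patent license) and adding Doc/LEGAL/COPYRIGHT.pycrypto to PYTHON_PYCRYPTODOMEX_LICENSE_FILES, with a matching entry in the .hash file.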