On Thu, May 7, 2020 at 3:06 AM Mario Limonciello wrote:

> there are concerns if this would fit within the DFSG
>
> https://uefi.org/revocationlistfile

Since it does not include modification permission and several restrictions on redistribution, this license is unlikely to meet the DFSG requirements. I suggest contacting the UEFI folks to ask why these restrictions are needed at all. A regular BSD/MIT license should be enough to meet their purposes.

OTOH, I'm not sure if the data meets the requirements for copyrightability, in which case the license would not need to be complied with at all.

https://www.debian.org/social_contract#guidelines
https://en.wikipedia.org/wiki/Threshold_of_originality

> Recently there has been a discussion within upstream fwupd to start including
> the UEFI dbx revocation list directly with the fwupd package.

This sort of data is liable to be out of date if included in the source code of fwupd, I think this should be separate to fwupd in the same way that tzdata is separate to glibc and DNSSEC root keys are separate to DNS servers and the web PKI CAs should be separate to web browsers.

I suggest that fwupd download it directly from the UEFI website and update the copy within the boot firmware that way.

> Furthermore, if it is not acceptable to distribute this raw data in Debian,
> one of the options being considered is to programmatically re-generate a list
> of invalid hashes but without the signatures in the original file. Would
> that be acceptable to distribute in Debian instead?

I don't think that is meaningfully different to the original files, since it would be derived from the original files?

--
bye,
pabs

https://wiki.debian.org/PaulWise