So should we cancel this vote and wait for a new RC?

On Wed, Feb 3, 2016 at 9:56 PM Roman Shaposhnik <ro...@shaposhnik.org>
wrote:

> Justin,
>
> once again -- thank you so much for your diligent reviews! Wrt. NOTICE/LICENSE files,
> can you please take a look at this and see if that's acceptable:
>    https://github.com/rvs/incubator-hawq/blob/master/LICENSE
>    https://github.com/rvs/incubator-hawq/blob/master/NOTICE
>
> Wrt. crypto code -- you ended up being absolutely right and I apologize
> for the confusion.
> The only thing I can say in my defense is that I got double tripped up by:
>      http://www.apache.org/dev/crypto.html#faq-previouslyexported
>
> http://www.postgresql.org/message-id/can1ef+z1b1ecxq1gyudfo8wbp5+6mfkcqqgu_xvtnzuak9h...@mail.gmail.com
>
> At any rate, we're removing the crypto code:
>      https://issues.apache.org/jira/browse/HAWQ-394
>
> Hopefully this will take care of your concerns.
>
> Thanks,
> Roman.
>
> On Wed, Jan 27, 2016 at 5:12 AM, Justin Mclean <justinmcl...@me.com>
> wrote:
> > Hi,
> >
> >> I think this section of NOTICE is simply not worded well enough.
> >
> > No problem, if it is not bundled it should be removed, if the wording is wrong it should be fixed.
> >
> >> No, it doesn’t.
> >
> > You might want to double check the files in here:
> > ./contrib/pgcrypto
> > ./src/interfaces/libpq
> >
> > Just do a quick search for SSL for instance. Or take a look at contrib/pgcrypto/crypt-blowfish.c, it says "This code comes from John the Ripper password cracker, with reentrant and crypt(3) interfaces added," and that looks to be GPL software or I think public domain? I’d expect that to be in the LICENSE file. [1] I haven’t looked at everything in detail but there's enough for concern and IMO it needs to be double checked.
> >
> > Exactly what is covered by "cryptographic functions" I’m not entirely sure. Do we have somewhere where that is spelt out? For instance is MD5 included in that? (see ./contrib/pgcrypto/crypt-md5.c, ./contrib/pgcrypto/md5.c, ./src/backend/libpq/md5.c) or DES (./contrib/pgcrypto/crypt-des.c) or SHA2 (./contrib/pgcrypto/sha2.c) or blowfish mentioned above? (and those are not the only files)
> >
> >> Apache License -- not sure what you mean here -- I think we're simply
> >> bubbling up the dependencies' NOTICEs. Why is that wrong?
> >
> > Bubbling up NOTICEs is correct but AFAICS you’re not doing that.
> >
> >> Not sure what you want us to do to handle that case.
> >
> > Fix the paths or remove it if it's no longer the case would be best I think.
> >
> > Thanks,
> > Justin
> >
> > 1. http://www.openwall.com/john/doc/LICENSE.shtml
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> > For additional commands, e-mail: general-h...@incubator.apache.org
> >
>
