On Thu, Jan 15, 2026 at 09:51:06AM -0500, Neal Gompa via legal wrote:
> On Thu, Jan 15, 2026 at 9:48 AM Máirín Duffy via legal <[email protected]> wrote:
>
> > Hi Fedora Legal! 👋
> >
> > I have a question about two packages in Fedora that are dependencies for
> > goose, which our (Rodolfo and I's) team are working on packaging for
> > Fedora. They are:
> >
> > - *constant_time_eq* -
> >   https://packages.fedoraproject.org/pkgs/rust-constant_time_eq/
> > - *tiny-keccak* -
> >   https://packages.fedoraproject.org/pkgs/rust-tiny-keccak
> >
> > *constant_time_eq*'s upstream states it may be used under CC0, Apache
> > 2.0, or MIT at the user's option:
> > https://github.com/cesarb/constant_time_eq (see README)
> >
> > *tiny-keccak* is CC0 only, though: https://github.com/debris/tiny-keccak
> >
> > Goose is built in Rust, and we're looking at packaging it as a bundle and
> > vendoring dependencies like these. They already exist in Fedora, but not
> > sure what the policy is on pre-existing libraries like these.
> >
> > Questions:
> >
> > - Assuming just because these are already packaged in Fedora, doesn't mean
> >   they're ok to vendor in another Fedora package. Correct?
> >
>
> That is correct. If you're pulling them in normally, they are covered by
> the grandfather clause for now, but new stuff (including vendoring) will
> need fixes.
>
> > - Can we use one of the other licenses for *constant_time_eq* which are
> >   acceptable for Fedora packages? Or are there any concerns there?
> >
>
> As it is multi-licensed, there's no concern. In practice we'd just consider
> CC0 a null option.

And in terms of the RPM License field this means only listing the subset
of license choices that are permitted in Fedora.

> > - Do you have any advice on how to handle *tiny-keccak*'s license?
> >
>
> Ask the upstream to change to a suitable alternative? Usually I suggest MIT
> instead. If they accept the change, then you can pull that back into Fedora.

There's also MIT-0 / 0BSD as very permissive options if that was their
goal in choosing CC0 originally.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
