Hey all,
I don't know if you have been following the release 2.1 thread on the
incubator list [1] , but we have been given a -1 vote by the IPMC for
having a file in our release [2] that has an incompatible license. There
is some debate about the license, and we have reached out to Legal for more
I'd really like to keep this, or replace it with a similar file from
another source. Which I'd be willing to investigate, if necessary.
Having a good blacklist of most-common passwords specifically puts Traffic
Ops in compliance with NIST SP 800-63B.
I also don't understand the objections, the Ap
Rob, is there a specific download location for this file? I see it
referenced as "Projects/OWASP SecLists Project", but didn't find it
with a quick search. Is it possible it's provided by an rpm we could
list as a dependency rather than including in our source?
-dan
On Mon, Dec 18, 2017 at
It can be downloaded from Github.
I think this is the file (Rob correct me if I picked the wrong variant):
https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_10.txt
—Eric
On Dec 18, 2017, at 1:38 PM, Dan Kirkwood <mailto:dang...@gmail.com> wrote:
Thanks, Eric. Then it's possible we could download it during
rpmbuild or postinstall.
On Mon, Dec 18, 2017 at 11:40 AM, Eric Friedrich (efriedri)
wrote:
> It can be downloaded from Github.
>
> I think this is the file (Rob correct me if I picked the wrong variant):
> https://github.com/dani
That's correct. No RPM, unfortunately. License is here:
https://www.owasp.org/index.php/Projects/OWASP_SecLists_Project.
-1 on downloading during rpmbuild, or especially postinstall. Both pose a
security risk. Moreover, it makes our build or install dependent on the
internet and a particular websi
I personally don't want to see us hold up this release any longer,
especially for something like this. If folks really want to use this file,
it's easy enough to have puppet put the file in place and use it in your
own Traffic Control installation. We can add documentation suggesting as
much as w
+1
On Mon, Dec 18, 2017 at 12:43 PM, Dave Neuman wrote:
> I personally don't want to see us hold up this release any longer,
> especially for something like this. If folks really want to use this file,
> it's easy enough to have puppet put the file in place and use it in your
> own Traffic Contr
Rob,
Just because we remove it for now doesn't mean we have to leave it out
forever. I encourage you to contribute to the thread on the legal mailing
list to make your case or at least get an understanding of their
requirements. The ASF does tend to lean toward conservative interpretations.
Thank
I emailed the owner of the password file earlier today and he agreed to change
or dual-license the project to MIT.
—Eric
> On Dec 18, 2017, at 3:40 PM, Phil Sorber wrote:
>
> Rob,
>
> Just because we remove it for now doesn't mean we have to leave it out
> forever. I encourage you to contrib
Hrm, automatically downloading a blacklist at install should probably
be a non-starter. It's a security issue waiting to happen, I think.
(Automatically downloading code is the same, and Rob is right, we
should be moving away, not toward that.)
The question really hinges on the definition of "medi
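An added example (not code from the Traffic Control project or from anyone in this thread) illustrating the two points raised above: the SP 800-63B checks that a common-password denylist supports, and why vendoring the file and pinning its digest is preferable to fetching it at rpmbuild or postinstall. The denylist contents, the pinned digest, and the function names are all constructed for the example; a real build would record the SHA-256 of the file checked into the source tree.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// sampleDenylist is a constructed stand-in for the vendored SecLists file
// (the real file is one entry per line, most common first).
const sampleDenylist = "123456\npassword\n12345678\nqwerty\nletmein1\nP@ssw0rd\n"

// pinnedDenylistSHA256 stands in for a digest recorded at build time over the
// file that ships in the source tree; here it is computed from the sample.
var pinnedDenylistSHA256 = sha256Hex(sampleDenylist)

var (
	ErrDigestMismatch = errors.New("denylist digest does not match pinned value")
	ErrTooShort       = errors.New("password must be at least 8 characters (NIST SP 800-63B)")
	ErrDenylisted     = errors.New("password appears on the common-password denylist")
)

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Denylist holds normalized entries for constant-time-ish map membership tests.
type Denylist struct {
	words map[string]struct{}
}

// normalize folds case and trims surrounding whitespace so that "Password "
// and "password" hit the same entry (a local choice, not a NIST requirement).
func normalize(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// LoadDenylist parses a newline-separated list, refusing content whose
// SHA-256 does not match the pinned digest. This is what makes a vendored
// file safe to trust: a swapped or truncated list fails closed at startup.
func LoadDenylist(content, expectedSHA256 string) (*Denylist, error) {
	if sha256Hex(content) != expectedSHA256 {
		return nil, ErrDigestMismatch
	}
	d := &Denylist{words: make(map[string]struct{})}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		if w := normalize(sc.Text()); w != "" {
			d.words[w] = struct{}{}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return d, nil
}

// Contains reports whether the normalized password is on the list.
func (d *Denylist) Contains(pw string) bool {
	_, ok := d.words[normalize(pw)]
	return ok
}

// CheckPassword applies the two SP 800-63B memorized-secret rules the thread
// is about: a minimum length of 8 characters and rejection of denylisted
// values. No composition rules are imposed, as the guideline advises.
func CheckPassword(pw string, d *Denylist) error {
	if utf8.RuneCountInString(pw) < 8 {
		return ErrTooShort
	}
	if d.Contains(pw) {
		return ErrDenylisted
	}
	return nil
}

func main() {
	d, err := LoadDenylist(sampleDenylist, pinnedDenylistSHA256)
	if err != nil {
		fmt.Println("refusing to start:", err)
		return
	}
	for _, pw := range []string{"password", "Short1", "P@SSW0RD", "correct horse battery staple"} {
		fmt.Printf("%-32q -> %v\n", pw, CheckPassword(pw, d))
	}
}
```

The digest check is the part that answers the "download at install" concern: the list is an input to an authentication decision, so it should arrive through the same reviewed, checksummed path as the rest of the release rather than be fetched live by the installer.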
Excellent, Eric. That neatly cleans up the problem. I do think we
should merge my PR (1677), regardless, if for no other reason than to
honour the authors' attribution request.
On Mon, Dec 18, 2017 at 1:47 PM, Eric Friedrich (efriedri)
wrote:
> I emailed the owner of the password file earlier tod
https://github.com/danielmiessler/SecLists is now licensed MIT.
Thanks, Eric, for talking to Daniel Miessler for us and getting this
taken care of!
On Mon, Dec 18, 2017 at 1:56 PM, Chris Lemmons wrote:
> Excellent, Eric. That neatly cleans up the problem. I do think we
> should merge my PR (1677)
PR updating the license:
https://github.com/apache/incubator-trafficcontrol/pull/1681
On Tue, Dec 19, 2017 at 9:13 AM, Chris Lemmons wrote:
> https://github.com/danielmiessler/SecLists is now licensed MIT.
> Thanks, Eric, for talking to Daniel Miessler for us and getting this
> taken care of!
>
I merged it, you need to do a backport to 2.1 as well.
On Tue, Dec 19, 2017 at 9:16 AM, Robert Butts
wrote:
> PR updating the license:
> https://github.com/apache/incubator-trafficcontrol/pull/1681
>
> On Tue, Dec 19, 2017 at 9:13 AM, Chris Lemmons wrote:
>
> > https://github.com/danielmiessler
I don't agree with
https://github.com/apache/incubator-trafficcontrol/commit/d7422b3f05f2628de07614efa20799b01cfc1e41
"remove from NOTICE to keep it short "
While the MIT doesn't require attribution, Daniel and the SecLists project
originally did; it was very specifically licensed "CC Attribution".
```It is important to keep NOTICE as brief and simple as possible, as
each addition places a burden on downstream consumers.
Do not add anything to NOTICE which is not legally required.
```
https://www.apache.org/dev/licensing-howto.html#mod-notice
Ah, you are correct, then. I'm not a fan, but I do see the point in
having it brief.
On Tue, Dec 19, 2017 at 10:14 AM, Dan Kirkwood wrote:
> ```It is important to keep NOTICE as brief and simple as possible, as
> each addition places a burden on downstream consumers.
>
> Do not add anything to NO