#47 Declare md5.c a copylib
Closed: Fixed. Opened 13 years ago by tibbs.

It seems that a significant number of packages bundle Aladdin's md5.c, which is under the zlib license. Even python bundles it (in Modules/md5.c) and dbus at least used to (though I can't find it in 1.4.0; it's still listed as a source file on the dbus web site).

Can we declare this a copylib?

As I look, there are other md5 implementations in the same situation. A quick look found two packages using the public domain implementation by Colin Plumb. Perhaps we should simply exempt them all.


I think this is a somewhat interesting case, because md5sum is unlikely to ever change (our usual problem with bundling) and a lot of people need it and so include it.
However the bundling is probably less prevalent than a grep would suggest; for instance, python actually uses openssl's md5 API, only falling back to the bundled version if it is built that way (for systems without openssl).

Also md5 is one of the things that the Fedora security groups need to keep track of usage on ... so if we allow bundling it, it'll just make their job a lot harder.

So I'd vote no on explicitly allowing it.

Replying to [comment:1 james]:

So I'd vote no on explicitly allowing it.
And what would you propose as replacement?

Other OSes have libmd (notably the BSDs) or have an md* API integrated into their libc.
To my knowledge, for reasons unknown to me, Linux doesn't have such a thing.

I.e. I don't see an alternative to allowing md5 (and friends - md2, md3, md4 and the sha*'s are in a similar position) as copylibs.

I'd prefer to do nothing rather than explicitly say it's a good idea ... at least atm. That way, at least, if the security people go to packages and say "please apply this patch for random govt. security std." they don't all turn around and say "no, FPC said I don't have to".

Do we have any stats on how many packages are distributing and using their own copies? I'm not sure of an easy way to do this though.

We could go the other way, "requiring" that someone write an API somewhere that people are happy to use (I'd guess it's just an ABI/API issue and it could be a simple wrapper over openssl/nss). I'm not sure how much pain this would be though.

md5 is a copylib, needs to be indicated with specific provides (+1:7, 0:0, -1:1)

Exceptions section updated:

https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Packages_granted_exceptions

Announcement text:

Many implementations of md5 originate in a program and then end up copied to other programs with compatible license terms. These implementations have been granted a bundling exception. The usual requirements to set a Virtual Provides: if bundling are in effect and have some special notes due to the many implementations out there. Note that copying the implementation from a library is not covered under this exception.

Metadata Update from @toshio:
- Issue assigned to spot

7 years ago