Closed Bug 1621787 Opened 5 years ago Closed 5 years ago

Additional license notices for RNP, Botan, json-c needed by Thunderbird

Categories

(MailNews Core :: Security: OpenPGP, task)

Product:
MailNews Core
Component:
Security: OpenPGP
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 77.0

People

(Reporter: KaiE, Assigned: rjl)

References

Details

Attachments

(4 files, 1 obsolete file)

Additional license notice for Bzip2
3.62 KB, patch
KaiE
: review+
Details | Diff | Splinter Review
Additional license notice for Json-C
4.04 KB, patch
KaiE
: review+
Details | Diff | Splinter Review
Additional license notice for Botan
3.35 KB, patch
KaiE
: review+
Details | Diff | Splinter Review
Additional license notice for RNP
15.53 KB, patch
KaiE
: review+
Details | Diff | Splinter Review

We need to extend about:license with the license text for the RNP, Botan and json-c libraries. And potentially any additional license that we're importing as a dependency.

An example of how to do that can be found in bug 1519804.

This seems to be the list of licenses that we have to add (pending a check if they are there already):

I believe Rob is also going to import zlib and libbz2. Do we have the licenses for those libraries already covered?

Could someone help with this work, or do you need me to do it?

Rob, can you handle these additions in connection with bug 1519804.

Assignee: nobody → rob

Sure.

Zlib is already in the tree in multiple places, and is only referred to with a link in about:license, so that should be good.
Bzip2 is a modified BSD License.

License text:
https://sourceware.org/git/?p=bzip2.git;a=blob;f=LICENSE;h=81a37eab7a5be1a34456f38adb74928cc9073e9b;hb=HEAD

Bzip2 sources will be added to third_party/bzip2. This is the license text from the current version.
Attachment #9134659 - Flags: review?(kaie)
Json-C sources will be added to third_party/json-c. This is the license text from the current version.
Attachment #9134660 - Flags: review?(kaie)
Attachment #9134659 - Flags: review?(kaie) → review+
Attachment #9134660 - Flags: review?(kaie) → review+
Botan sources will be added to third_party/botan. This is the license text from the current version.
Attachment #9138222 - Flags: review?(kaie)
RNP sources will be added to third_party/rnp. This is the license text from the current version. Also included is the license for use of the patented OCB blockcipher mode.
Attachment #9138223 - Flags: review?(kaie)
Attachment #9138222 - Flags: review?(kaie) → review+

Rob, thanks for working on the RNP license addition. I see you had to add lists of files that belong to one of the various different licenses. I wonder if we'll have to update those lists in the future, whenever we pick up new library versions. Should we have a general tracker for that, that will remind us?

In one of the lists you included a third_party/src prefix, in the other list you excluded that prefix. Was that intentional?

I wonder about the OCB license. To summarize the situation from my understanding (IANAL), OCB is patented, but the patent owner has granted licenses for several purposes, as explained at https://web.cs.ucdavis.edu/~rogaway/ocb/license.htm

One of the licenses, called "License 1", appears to grant a general license for all open source software applications.
We already added OCB license 1 in July 2019, see bug 1519804.

Another license, as included with the RNP code, was specifically granted to RNP, for all users of RNP software.
I wonder if its unnecessary to include the additional RNP OCB license text.
https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md

Ryan, would you like to talk to someone to figure out if we should include both OCB license grants, or just the general OCB License 1?

Flags: needinfo?(ryan)

(In reply to Kai Engert (:KaiE:) from comment #8)

Rob, thanks for working on the RNP license addition. I see you had to add lists of files that belong to one of the various different licenses. I wonder if we'll have to update those lists in the future, whenever we pick up new library versions. Should we have a general tracker for that, that will remind us?

Not sure it will be much of a problem. It looks like anything new that goes in will be only under the Ribose license, the files that I had to call out were the ones with legacy NetPGP licenses.

In one of the lists you included a third_party/src prefix, in the other list you excluded that prefix. Was that intentional?

Nope. Will update.

I wonder about the OCB license. To summarize the situation from my understanding (IANAL), OCB is patented, but the patent owner has granted licenses for several purposes, as explained at https://web.cs.ucdavis.edu/~rogaway/ocb/license.htm

Yeah I was looking at that. I chose to include it since the Ribose team thought it was important enough to go and get the author to do a special arrangement for RNP. Maybe we include it for now and if Ryan checks with legal and they say otherwise we can fix it.

One of the licenses, called "License 1", appears to grant a general license for all open source software applications.
We already added OCB license 1 in July 2019, see bug 1519804.

Another license, as included with the RNP code, was specifically granted to RNP, for all users of RNP software.
I wonder if its unnecessary to include the additional RNP OCB license text.
https://github.com/rnpgp/rnp/blob/master/LICENSE-OCB.md

Ryan, would you like to talk to someone to figure out if we should include both OCB license grants, or just the general OCB License 1?

(In reply to Rob Lemley [:rjl] from comment #9)

I wonder about the OCB license. To summarize the situation from my understanding (IANAL), OCB is patented, but the patent owner has granted licenses for several purposes, as explained at https://web.cs.ucdavis.edu/~rogaway/ocb/license.htm

Yeah I was looking at that. I chose to include it since the Ribose team thought it was important enough to go and get the author to do a special arrangement for RNP. Maybe we include it for now and if Ryan checks with legal and they say otherwise we can fix it.

Sounds good to me for the initial version. Two copies are safer than one.

Updated the files that were not prefixed with thirdparty/rnp.
Attachment #9138650 - Flags: review?(kaie)
Attachment #9138223 - Attachment is obsolete: true
Attachment #9138223 - Flags: review?(kaie)
Attachment #9138650 - Flags: review?(kaie) → review+

Pushed by thunderbird@calypsoblue.org:
https://hg.mozilla.org/comm-central/rev/6d4c1e455180
Additional license notice for Bzip2. r=kaie
https://hg.mozilla.org/comm-central/rev/778164472968
Additional license notice for Json-C. r=kaie
https://hg.mozilla.org/comm-central/rev/337491066b7b
Additional license notice for Botan. r=kaie
https://hg.mozilla.org/comm-central/rev/ab3ec689c2af
Additional license notice for RNP. r=kaie

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 76.0

Isn't c-c already on 77 and milestone should be 77 ?

It is.

Target Milestone: Thunderbird 76.0 → Thunderbird 77.0
Flags: needinfo?(ryan)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: