Hi,

> I think this section of NOTICE is simply not worded well enough.

No problem, if it is not bundled it should be removed, if the wording is wrong it should be fixed.

> No it doesn’t.

You might want to double check the files in here:
./contrib/pgcrypto
./src/interfaces/libpq

Just do a quick search for SSL for instance. Or take a look at contrib/pgcrypto/crypt-blowfish.c, it says "This code comes from John the Ripper password cracker, with reentrant and crypt(3) interfaces added," and that looks to be GPL software or I think public domain? I’d expect that to be in the LICENSE file. [1]

I haven’t looked at everything in detail but there's enough for concern and IMO it needs to be double checked.

Exactly what is covered by "cryptographic functions" I’m not entirely sure. Do we have somewhere where that is spelt out? For instance is MD5 included in that? (see ./contrib/pgcrypto/crypt-md5.c, ./contrib/pgcrypto/md5.c, ./src/backend/libpq/md5.c) or DES (./contrib/pgcrypto/crypt-des.c) or SHA2 (./contrib/pgcrypto/sha2.c) or blowfish mentioned above? (and those are not the only files)

> Apache License -- not sure what you mean here -- I think we're simply
> bubbling up the dependencies NOTICEs. Why is that wrong?

Bubbling up NOTICEs is correct but AFAICS you’re not doing that.

> Not sure what do you want us to do to handle that case.

Fix the paths or remove it if it's no longer the case would be best I think.

Thanks,
Justin

1. http://www.openwall.com/john/doc/LICENSE.shtml