Greetings,
Some of you might be aware that the instructions for verifying our *-CHECKSUM files on Windows have been broken since we moved to SHA256. Previously, we linked users to a sha1sum.exe built by the GnuPG project¹. With SHA256, we don't have that ability.
There is an open bug to provide a sha256sum.exe which we can point to for Windows who don't have any other tools to verify SHA256 checksums².
Packages are ready and referenced in bug 527060³. The idea is to build these packages in koji, though not for inclusion in any Fedora release (as the packages are mostly a bit of a hack to build a small subset of coreutils for Windows).
What I'm wondering about is what do we need to do in order to ensure GPL compliance here? Knowing that will help me move this forward with the folks on the infrastructure team.
We discussed this a bit on the infrastructure list⁴ a month back, though the discussion got off on a few tangents. I'd like to revive it and I think that having some insight from the legal team will help. Bruno Wolff III had some interesting questions regarding GPL compliance and MingW binaries at the end of the infra-list thread⁵.
Thanks for any help and guidance!
¹ http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.... ² https://bugzilla.redhat.com/show_bug.cgi?id=527060 ³ https://bugzilla.redhat.com/show_bug.cgi?id=527060#c14 ⁴ http://www.redhat.com/archives/fedora-infrastructure-list/2009-November/msg0... ⁵ http://www.redhat.com/archives/fedora-infrastructure-list/2009-November/msg0...
On 12/19/2009 02:28 PM, Todd Zullinger wrote:
What I'm wondering about is what do we need to do in order to ensure GPL compliance here? Knowing that will help me move this forward with the folks on the infrastructure team.
Assuming GPLv2, the simplest solution for you would be to do this:
In GPLv2, it says:
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
So, assuming we will be putting this binary somewhere on the Fedora website, we should put links to download the source code for the sha256 binary (and all statically compiled libraries) right next to it. These links can be to koji, as long as they will not go stale (e.g. no scratch builds).
Also, we'll want to put the binary .exe in a zip file with COPYING (GPLv2 license text).
hth,
~spot