[HTTPS-Everywhere] License issue with utils/zipfile_deterministic.py (was: 3.4.2 and 4.0development.13 released)
Yan Zhu
yan at MIT.EDU
Sat Oct 5 10:14:36 PDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat 05 Oct 2013 07:26:11 AM PDT, Jérémy Bobbio wrote:
> Micah Lee:
>> Actually, Yan and I just discovered that this release isn't _quite_
>> deterministic. So we'll have to wait for our next release to make the
>> announcement.
>>
>> The build process in the HTTPS Everywhere repository is completely
>> deterministic for Firefox, but when we do public releases we run a
>> separate unpublished script to make things easier. We didn't update
>> this script before making this release, so we'll have to update it
>> before the next release before the xpi is actually deterministic.
>
> Also, I suspect there is a license problem with the new so I'm not going
> to update the Debian package for now:
>
We also realized this a moment after updating. Currently, it seems like
we would need to include a copy of
http://www.python.org/download/releases/2.6/license/ in the repository
and also "include the notice “"Python" is a registered trademark of the
Python Software Foundation” in the appropriate part of your
documentation or About box and place the “®” symbol after the first
mention of “Python” in your documentation."
(https://wiki.python.org/moin/PythonSoftwareFoundationLicenseFaq#If_I_bundle_Python_with_my_application.2C_what_do_I_need_to_include_in_my_software_and.2For_printed_documentation.3F)
Actually, does this mean we should have done the latter even before
this release if we mentioned Python anywhere in our documentation or
comments?
> There's no indication of a license for utils/zipfile_deterministic.py
> except that it says it's a fork. Fork means that there is an initial
> code base, and the latter usually has authors and copyrights.
>
> Python is crazily versatile. Can't this be fixed by a monkey patch?
> If not, could you provide proper license and authorship information?
Thanks! The only downside of a monkey patch as far as I can tell is
that the build would be a few seconds slower, because we would create a
non-deterministic zipped file, canonicalize the zipinfo values, and
then write to a new zipfile. But then again, since usually developers
don't care about making a deterministic build when testing the
extension, this could just be an optional process that happens after
the normal build process, taking the zip file created by makexpi.sh as
input.
I think this is actually a better design, so I'll volunteer to go ahead
and change it.
- -Yan
>
> Thanks!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSUEj8AAoJENC7YDZD/dnsqvkH/01rMvVGL3rMx75YdUU0s1Zh
NG/KRxeTBSp40r2PXXIvsmWJRISE1Qp/4VipbKmaJ7THnj38TTUi2Y1hrVhRIPCT
j88i19T3DyFB7MD0b/DLBYZhHElsO06wozu1VrTx0iCAKpu8ZG8zgVryWrx3SFGj
Wf7LZVIX0YyLuFPORDA53ddvFxtyspM3j1l1QgGgzFyPcGDSiRo3dAEpCPcoggTW
2ejYxEeWloggv3qEJZNM5vfbJ/xptgQ1qahdzhkO2IPUzBTbefahFRuXn7SWCHQF
geDDy/rgRlUEndry3SzhqZurCDQRVYodvKQ2p2VhqTbRjGacNmvFGhPIXVACdVk=
=GZd6
-----END PGP SIGNATURE-----
More information about the HTTPS-Everywhere
mailing list