mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-15 21:05:08 +00:00
2f9cd13d6c
This commit reverts 8db56defa7, rolling back the vendor import of
xz 5.6.0 and restoring the package to version 5.4.5.

The revert was not directly due to the attack (CVE-2024-3094):
our import process has removed the test cases and build scripts
that would have enabled the attack. However, reverting would
help to reduce potential confusion and false positives from
security scanners that assess risk based solely on version
numbers.

Another commit will follow to restore binary compatibility with
the liblzma 5.6.0 library by making the previously private
symbol (lzma_mt_block_size) public.

PR: 278127
MFC after: 3 days
77 lines
3.3 KiB
Plaintext

XZ Utils Licensing
==================

Different licenses apply to different files in this package. Here
is a rough summary of which licenses apply to which parts of this
package (but check the individual files to be sure!):

  - liblzma is in the public domain.

  - xz, xzdec, and lzmadec command line tools are in the public
    domain unless GNU getopt_long had to be compiled and linked
    in from the lib directory. The getopt_long code is under
    GNU LGPLv2.1+.

  - The scripts to grep, diff, and view compressed files have been
    adapted from gzip. These scripts and their documentation are
    under GNU GPLv2+.

  - All the documentation in the doc directory and most of the
    XZ Utils specific documentation files in other directories
    are in the public domain.

    Note: The JavaScript files (under the MIT license) have
    been removed from the Doxygen-generated HTML version of the
    liblzma API documentation. Doxygen itself is under the GNU GPL
    but the remaining files generated by Doxygen are not affected
    by the licenses used in Doxygen because Doxygen licensing has
    the following exception:

        "Documents produced by doxygen are derivative works
        derived from the input used in their production;
        they are not affected by this license."

  - Translated messages are in the public domain.

  - The build system contains public domain files, and files that
    are under GNU GPLv2+ or GNU GPLv3+. None of these files end up
    in the binaries being built.

  - Test files and test code in the tests directory, and debugging
    utilities in the debug directory are in the public domain.

  - The extra directory may contain public domain files, and files
    that are under various free software licenses.

You can do whatever you want with the files that have been put into
the public domain. If you find public domain legally problematic,
take the previous sentence as a license grant. If you still find
the lack of copyright legally problematic, you have too many
lawyers.

As usual, this software is provided "as is", without any warranty.

If you copy significant amounts of public domain code from XZ Utils
into your project, acknowledging this somewhere in your software is
polite (especially if it is proprietary, non-free software), but
naturally it is not legally required. Here is an example of a good
notice to put into "about box" or into documentation:

    This software includes code from XZ Utils <https://tukaani.org/xz/>.

The following license texts are included in the following files:
  - COPYING.LGPLv2.1: GNU Lesser General Public License version 2.1
  - COPYING.GPLv2: GNU General Public License version 2
  - COPYING.GPLv3: GNU General Public License version 3

Note that the toolchain (compiler, linker etc.) may add some code
pieces that are copyrighted. Thus, it is possible that e.g. liblzma
binary wouldn't actually be in the public domain in its entirety
even though it contains no copyrighted code from the XZ Utils source
package.

If you have questions, don't hesitate to ask the author(s) for more
information.