Third party patch licensing
Athos Ribeiro
athos.ribeiro at canonical.com
Wed May 25 17:59:16 UTC 2022
Hi,
I am facing a licensing issue with a patch to fix a (possible? [1]) CVE
in the rainloop package.
A security issue has been reported upstream [2], but there were no
replies from the upstream project yet.
The reporter followed up by describing the security issue in a blog post
[3], which also contains a patch to fix the issue.
I contacted the patch author to wonder how we could re-distribute the
patch (see the discussion in [2]). They agreed to license it with the
upstream project's license (AGPLv3), and I suggested the approach
described in [4].
Since IANAL, I decided to ask devel-discuss if there's a better approach
for licensing this patch or if this should be enough to include it as a
delta. Note that this was submitted to Debian in [5], where I did
raise this same concern.
[1] CVE-2022-29360 has not been published in MITRE's DB nor in cve.org yet.
[2] https://github.com/RainLoop/rainloop-webmail/issues/2142
[3] https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
[4] https://github.com/RainLoop/rainloop-webmail/issues/2142#issuecomment-1137592507
[5] https://salsa.debian.org/js-team/rainloop/-/merge_requests/4
--
Athos Ribeiro
More information about the Ubuntu-devel-discuss mailing list