GNU bug report logs -
#53765
[PATCH 00/17] Remove limitations on clojure-tools
Previous Next
Full log
Message #119 received at 53765 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Reily Siegel schreef op do 03-02-2022 om 19:25 [-0500]:
> +(define-public clojure-com-cognitect-http-client
> + (package
> + (name "clojure-com-cognitect-aws-api")
> + (version "1.0.111")
> + (source (origin
> + (method url-fetch)
> + ;; This JAR contains only uncompiled Clojure sources.
> + (uri (string-append "https://repo1.maven.org/maven2/"
> + "com/cognitect/http-client/"
> + version "/http-client-"
> + version ".jar"))
> + (sha256
> + (base32
> + "0n03vyr6i6n8ll8jn14b5zsba5pndb0ivdwizimz16gd8w3kf5xh"))))
I downloaded the JAR and verified the hash matches.
> + (license license:asl2.0)))
>
This time, the source code has a COPYING file and the headers of the
source code state that it is Apache 2.0, which is good.
There's still something weird though: even though the source files
later state it's Apache 2.0, initially they state
;; Copyright (c) Cognitect, Inc.
;; All rights reserved.
This seems rather contradictory --- do they reserve all monopology
rights for theirselves, or do they license it as Apache 2.0, giving
people some rights? The intent seems clear here (Apache 2.0), so
not a blocker for inclusion in Guix I think, but IANAL and this should
ideally eventually be fixed upstream.
The files in the zip appear to be actual source code, not compiled
something. There indeed doesn't appear to be anything malicious.
I'll look into the authenticity later.
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 3 years and 57 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.