Maxime Devos writes:

> Maxime Devos wrote on Wed 29-06-2022 at 20:29 [+0200]:
>> Remco van 't Veer wrote on Wed 29-06-2022 at 17:55 [+0200]:
>> > +         "042xrdk7hsv4072bayz3f8ffqh61i8zlhvck10nfshllq063n877"))))
>>
>> This matches with a local
>>
>> $ guix download ‘https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz’
>>
>> and with all the hashes from
>> .
>>
>> I'll try diffing (*) it with the old tarball for ‘suspiciousness’
>> (e.g.: obvious malware, new bundling, ???).
>
> When scrolling through the diff, nothing looked ‘suspect’ at first
> glance. However, I did notice something else: some parts are not
> under the Ruby License, but under 2-clause BSD:
>
> │ ├── +++ ruby-2.7.4/gems/xmlrpc-0.3.0/LICENSE.txt
> │ │┄ Files 26% similar despite different names
> │ │ @@ -1,13 +1,10 @@
> │ │ -test-unit is copyrighted free software by Kouhei Sutou
> │ │ -, Ryan Davis
> │ │ -and Nathaniel Talbott .
> │ │ -
> │ │ -You can redistribute it and/or modify it under either the terms of the GPL
> │ │ -version 2 (see the file GPL), or the conditions below:
> │ │ +Ruby is copyrighted free software by Yukihiro Matsumoto .
> │ │ +You can redistribute it and/or modify it under either the terms of the
> │ │ +2-clause BSDL (see the file BSDL), or the conditions below:
>
> so it may be good to add ‘2-clause BSDL’ to the license field as well
> (though given that it's an old issue, bringing the new version of ruby
> in Guix has priority).

It would be good to do a proper license audit of the bundled gems in Ruby.
I see the previous version was not the Ruby license either, but GPL, and
it's not listed among the licenses.
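Review bot: the header "Files 26% similar despite different names" shows that diffoscope paired test-unit's LICENSE.txt from the old tarball with `gems/xmlrpc-0.3.0/LICENSE.txt` from the new one, so the `-`/`+` lines compare two different gems' license files rather than a relicensing of a single file. What the hunk does establish is that xmlrpc-0.3.0 is offered under "2-clause BSDL (see the file BSDL), or the conditions below" while test-unit's file read "GPL version 2 (see the file GPL), or the conditions below", so the license field needs both the GPLv2 and the 2-clause BSD terms accounted for, not only the BSD one; a per-gem pass over every `gems/*/LICENSE*` file would settle this instead of relying on a fuzzy-matched pair.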
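The per-gem license audit the thread asks for, as an added example that is not code from the thread, from Guix or from Ruby: it walks `gems/<name>/` under an unpacked source tree (the layout visible in the diffoscope output above), reads each gem's LICENSE-style file and tags it by keyword. The keyword heuristics, the tag names and the sample tree it builds (three constructed gem directories, including one with no license file) are assumptions made for the example; the real audit would run the same function on an unpacked ruby-2.7.6 tree.

```shell
#!/bin/sh
# Added example (not from the thread, Guix or Ruby): a first-pass license
# audit of the gems bundled under <unpacked ruby tree>/gems/, the check a
# packager runs before filling a license field. The keywords matched below
# are an assumed heuristic; unmatched files are reported as "unknown" so a
# human reads them instead of trusting a fuzzy diff.

classify_license_file() {
    # $1: path to a LICENSE-like file. Prints comma-separated tags.
    tags=""
    grep -qi '2-clause BSDL' "$1" && tags="${tags}bsd-2,"
    grep -qiE 'GPL|GNU General Public License' "$1" && tags="${tags}gpl,"
    grep -qi 'MIT License' "$1" && tags="${tags}mit,"
    # "or the conditions below" is the Ruby-license style dual-licensing clause
    grep -qi 'conditions below' "$1" && tags="${tags}ruby-conditions,"
    if [ -n "$tags" ]; then
        printf '%s\n' "${tags%,}"
    else
        printf 'unknown\n'
    fi
}

audit_gem_licenses() {
    # $1: unpacked Ruby source tree. Prints one "<gem-dir> <tags>" line per
    # license file found; gems without any license file are flagged.
    for gem in "$1"/gems/*/; do
        [ -d "$gem" ] || continue
        name=$(basename "$gem")
        found=0
        for lic in "$gem"LICENSE "$gem"LICENSE.txt "$gem"COPYING "$gem"BSDL; do
            [ -f "$lic" ] || continue
            found=1
            printf '%s %s\n' "$name" "$(classify_license_file "$lic")"
        done
        [ "$found" -eq 1 ] || printf '%s no-license-file\n' "$name"
    done
}

make_sample_tree() {
    # Constructed sample tree (not a real tarball): gem names, versions and
    # license texts are made up to mimic the layout seen in the diff.
    root=$(mktemp -d)
    mkdir -p "$root/gems/xmlrpc-0.3.0" "$root/gems/test-unit-sample" \
             "$root/gems/mystery-gem-0.0"
    cat > "$root/gems/xmlrpc-0.3.0/LICENSE.txt" <<'EOF'
Ruby is copyrighted free software by Yukihiro Matsumoto.
You can redistribute it and/or modify it under either the terms of the
2-clause BSDL (see the file BSDL), or the conditions below:
EOF
    cat > "$root/gems/test-unit-sample/LICENSE.txt" <<'EOF'
test-unit is copyrighted free software by Kouhei Sutou, Ryan Davis
and Nathaniel Talbott.
You can redistribute it and/or modify it under either the terms of the GPL
version 2 (see the file GPL), or the conditions below:
EOF
    printf '%s\n' "$root"
}

# Demonstration on the constructed sample tree; for a real audit call
# audit_gem_licenses on an unpacked ruby-2.7.6 source tree instead.
sample=$(make_sample_tree)
audit_gem_licenses "$sample"
rm -rf "$sample"
```

A gem that ships both a LICENSE and a COPYING file produces one line per file, which is deliberate: the two can disagree, and that disagreement is exactly what the audit should surface.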