Add CC-BY-4.0 attribution for Red Hat-sourced advisory content #85
rockythorn wants to merge 1 commit into
Companion frontend change that renders this attribution: rocky-linux/errata-frontend#4
| advisory.red_hat_advisory.name, company_name, now.year | ||
| ) | ||
| else: | ||
| rights_text = f"Copyright {now.year} {company_name}" |
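Review bot: The branch above `else:` dereferences `advisory.red_hat_advisory.name`, so the condition guarding it should test the loaded relation itself and not only the foreign-key id; otherwise an advisory whose relation is null or was not fetched raises before the fallback `rights_text = f"Copyright {now.year} {company_name}"` is reached. A test that renders an advisory with no Red Hat source and asserts this fallback string would pin the behaviour down.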
Can red_hat_advisory_id be null? If not, then the else statement can never be called. This also means that we can only ever issue advisories that originate from RH, though fixing that's a task for another PR.
Good question — I checked the actual schema rather than the ORM model. red_hat_advisory_id is nullable: schema.sql declares it bigint with no NOT NULL, and the live DB reports is_nullable = YES (the FK allows NULL and is ON DELETE CASCADE). The Tortoise model marks the FK non-nullable, but that is not enforced in the database, so the else is not dead code — it keeps a single null row from invalidating the entire updateinfo.xml for a repo, so I have left it in place. The ORM/DB nullability mismatch is probably worth tightening separately, and supporting genuinely non-RH advisories would be its own change, as you note.
Rocky advisories re-publish Red Hat advisory text (synopsis, description, topic), which Red Hat licenses under CC BY 4.0. That license requires crediting the source, linking to the original advisory and the license, and indicating that changes were made. The published outputs provided none of these. Add attribution across updateinfo.xml (the <rights> line plus source and license references), the v2 and v3 JSON APIs (a structured source object: name, url, vendor, license, licenseUrl), OSV (a source reference, a Red Hat credit, and license fields in database_specific), the RSS feed, and the web template. The wording and links are centralized in apollo/server/attribution.py so every format stays consistent. No schema change is required; the source advisory and its URL are derived from the existing red_hat_advisory relation.
d3efdf6 to 5facf52
Problem
Rocky Linux errata advisories (e.g. RLSA-2026:23102) re-publish content from the
corresponding Red Hat advisories — synopsis, description, and topic. Red Hat
licenses that advisory content under CC BY 4.0,
which permits reuse but requires crediting the source, linking to the original
advisory and to the license, and indicating that changes were made. None of
Apollo's published outputs currently do this. This was raised by a member of the
Rocky community.
Approach
Attribution text and links are centralized in a new apollo/server/attribution.py and applied to every surface that carries Red Hat-derived text:
<rights> element credits the source advisory under CC BY 4.0, plus <reference> entries for the source advisory (type="vendor") and the license (type="other").
source object: name, url, vendor, license, licenseUrl.
ADVISORY reference, a Red Hat credit, and license/license_url/source_advisory in database_specific.
advisory and the license.
No database migration is required; the source advisory and its URL are derived
from the existing red_hat_advisory relation. A plain copyright line is kept as
a fallback for any advisory without a Red Hat source.
Testing
suites pass.
detail + list, OSV, the live updateinfo.xml (889 updates in one repo file), RSS, and the web advisory page all carry the attribution.
dnf tolerates the new updateinfo reference types, both at the source level (libsolv/libdnf/libdnf5) and end-to-end via dnf makecache on Rocky 9.
Notes
rocky-linux/errata-frontend (branch feature/rhel-advisory-attribution) renders the per-advisory attribution and a site-wide footer notice.
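The updateinfo.xml attribution and the null-source fallback discussed in this thread, sketched as an added example; it is not the PR's code or the contents of apollo/server/attribution.py. `SourceAdvisory`, the function names, the rights wording and the advisory ids are assumptions made for illustration; only the `vendor`/`other` reference types and the fallback string come from the page.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

CC_BY_URL = "https://creativecommons.org/licenses/by/4.0/"


@dataclass
class SourceAdvisory:
    """Hypothetical stand-in for the red_hat_advisory relation."""
    name: str  # constructed sample value, e.g. "RHSA-2099:0001"
    url: str


def rights_text(source: Optional[SourceAdvisory], company: str, year: int) -> str:
    # Wording is an assumption; the PR's exact text is not shown on the page.
    if source is None:
        # Nullable FK: fall back to a plain copyright line instead of raising.
        return f"Copyright {year} {company}"
    return (f"Copyright {year} {company}. Based on {source.name} by Red Hat, "
            f"licensed under CC BY 4.0; changes were made.")


def add_attribution(update: ET.Element, source: Optional[SourceAdvisory],
                    company: str, year: int) -> ET.Element:
    """Attach <rights> and the attribution <reference> entries to one <update>."""
    ET.SubElement(update, "rights").text = rights_text(source, company, year)
    if source is not None:
        refs = update.find("references")
        if refs is None:
            refs = ET.SubElement(update, "references")
        # Reference types named in the PR description: "vendor" and "other".
        ET.SubElement(refs, "reference", href=source.url, id=source.name,
                      title=source.name, type="vendor")
        ET.SubElement(refs, "reference", href=CC_BY_URL, id="CC-BY-4.0",
                      title="Creative Commons Attribution 4.0", type="other")
    return update


def render_updates(rows, company: str, year: int) -> str:
    """rows: iterable of (advisory_id, SourceAdvisory or None)."""
    root = ET.Element("updates")
    for advisory_id, source in rows:
        update = ET.SubElement(root, "update", type="security")
        ET.SubElement(update, "id").text = advisory_id
        add_attribution(update, source, company, year)
    # The serializer escapes text and attribute values, so one odd row
    # cannot make the whole repo file unparseable.
    return ET.tostring(root, encoding="unicode")
```
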