Those static files are not used to build the software and thus may have side effects on distribution of the package
due to inappropriate licensing.
Apache-2.0 is an open-source license, and the sources of those PDT files are not published.
It's not a critical issue because the source package can be repacked without the suspicious files
(I've done this for Debian to comply with the DFSG:
theupdateframework/python-tuf#263 (comment)
).
Relocating the files outside the tuf project will prevent this extra processing step and make the chain of trust safer.
Once the files are merged in heref they can be removed from tuf:
theupdateframework/python-tuf#1380
My PR will import the git changes from tuf to preserve attributions.