• Bug#1095859: marked as done (ftp.debian.org: use of system library exce

    From Debian Bug Tracking System@21:1/5 to All on Tue Feb 18 15:40:01 2025

    Your message dated Tue, 18 Feb 2025 14:20:58 +0000
    with message-id <Z7SXSqsYdwZyTNBC@tapette.crustytoothpaste.net>
    and subject line Closing 1095989
    has caused the Debian Bug report #1095859,
    regarding ftp.debian.org: use of system library exception for OpenSSL violates GPLv2
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1095859: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095859
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Chris Hofstaedtler@21:1/5 to All on Sun Apr 13 22:40:01 2025
    brian m. carlson (one of the git upstream copyright holders) claims
    in Bug #1094969 that git cannot be distributed when linked with
    OpenSSL. IIRC the Debian position is to use the system library
    exception.

    Indeed our /usr/lib/git-core/git-remote-https links against
    libssl.so.3, probably via libcurl-gnutls.so.4.

    To avoid introducing distro-wide changes at a time where this seems inappropriate, an option is to disable building git with libcurl.

    Below is a simple patch to accomplish this. Barring any new insights
    or feedback from the involved maintainers, this might be a way out.

    I believe all relevant people are in CC:, and they can figure this
    out. Details can be found in the bug.

    Chris


    diff -Nru git-2.49.0/debian/changelog git-2.49.0/debian/changelog
    --- git-2.49.0/debian/changelog 2025-03-15 18:48:53.000000000 +0100
    +++ git-2.49.0/debian/changelog 2025-04-13 22:18:18.000000000 +0200
    @@ -1,3 +1,11 @@
    +git (1:2.49.0-1.1) UNRELEASED; urgency=medium
    +
    + * Non-maintainer upload.
    + * Disable building with libcurl.
    +
    + -- Chris Hofstaedtler <zeha@debian.org> Sun, 13 Apr 2025 22:18:18 +0200
    +
    git (1:2.49.0-1) unstable; urgency=low

    * new upstream release (see RelNotes/2.48.0.adoc, RelNotes/2.49.0.adoc). diff -Nru git-2.49.0/debian/control git-2.49.0/debian/control
    --- git-2.49.0/debian/control 2025-03-15 18:48:14.000000000 +0100
    +++ git-2.49.0/debian/control 2025-04-13 22:18:18.000000000 +0200
    @@ -3,9 +3,10 @@
    Priority: optional
    Maintainer: Jonathan Nieder <jrnieder@gmail.com>
    Uploaders: Anders Kaseorg <andersk@mit.edu>
    +Build-Conflicts: libcurl4-gnutls-dev, libcurl4-openssl-dev
    Build-Depends: libz-dev, gettext,
    libpcre2-dev | libpcre3-dev,
    - libcurl4-gnutls-dev, libexpat1-dev,
    + libexpat1-dev,
    subversion, libsvn-perl, lib
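
    Review bot: in the debian/control hunk, dropping libcurl4-gnutls-dev from Build-Depends and adding "Build-Conflicts: libcurl4-gnutls-dev, libcurl4-openssl-dev" only keeps libcurl out of a build environment that honours those fields; it does not by itself tell git's build to skip curl. The patch as shown is cut off before any debian/rules change is visible, so if none follows, set NO_CURL explicitly in the build options so the outcome does not depend on which -dev packages happen to be installed.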
  • From Andreas Metzler@21:1/5 to zeha@debian.org on Mon Apr 14 07:50:01 2025
    On 2025-04-13 Chris Hofstaedtler <zeha@debian.org> wrote:
    > brian m. carlson (one of the git upstream copyright holders) claims
    > in Bug #1094969 that git cannot be distributed when linked with
    > OpenSSL. IIRC the Debian position is to use the system library
    > exception.
    >
    > Indeed our /usr/lib/git-core/git-remote-https links against
    > libssl.so.3, probably via libcurl-gnutls.so.4.
    >
    > To avoid introducing distro-wide changes at a time where this seems
    > inappropriate, an option is to disable building git with libcurl.
    >
    > Below is a simple patch to accomplish this. Barring any new insights
    > or feedback from the involved maintainers, this might be a way out.
    >
    > I believe all relevant people are in CC:, and they can figure this
    > out. Details can be found in the bug.
    [...]

    Hello,

    well, we have decided to use the system library exception because we
    thought we had the right to do so, not because we hoped that no copyright
    holder would notice. Undoing this for specific packages where a
    copyright holder tells us he disagrees undermines this position. Imho we
    need to either with using the exception or somebody(TM) needs to do a
    license analysis of our packages and we then need to implement coding
    changes to weed out any and all GPL<->openssl linkage.

    Personally I doubt we have the manpower nowadays to switch back from
    linking against OpenSSL.

    cu Andreas

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to Andreas Metzler on Mon Apr 14 18:20:02 2025
    Andreas Metzler <ametzler@bebt.de> writes:

    > well, we have decided to use the system library exception because we
    > thought we had the right to do so, not because we hoped that no copyright
    > holder would notice. Undoing this for specific packages where a
    > copyright holder tells us he disagrees undermines this position. Imho we
    > need to either with using the exception or somebody(TM) needs to do a
    > license analysis of our packages and we then need to implement coding
    > changes to weed out any and all GPL<->openssl linkage.

    I think the situation here is this dependency chain:

    libcurl-gnutls -> libldap2 -> libssl

    (There may be others; I didn't do a thorough check. Does anyone know if
    there's a tool that will recursively analyze a binary's NEEDED sections
    and build a human-readable graph of the library dependencies?)

    openldap switched from GnuTLS to OpenSSL in 2.6.9+dfsg-1~exp2 in January
    of this year.

    The OpenLDAP dependency has a long history. (I was involved, many years
    ago, in trying to find the money for development of the GnuTLS port for licensing reasons.) Using GnuTLS is supported upstream, but it tends to
    cause a steady stream of low-level issues, annoyances, and
    incompatibilities. Were I still an OpenLDAP package maintainer, I would
    have been eager to switch to OpenSSL as well.

    I do find it fairly hard to understand the logic behind a position that
    somehow our git-remote-https binary as distributed is a derived work of
    OpenSSL and thus violates the GPLv2 license based on the nature of this specific dependency chain, but then I was always dubious of the legal
    merits of FSF's extremely aggressive and maximalist position on the
    definition of derived works in the context of the GPLv2 license. I am not
    a lawyer, this is not legal advice, and it's worth what you paid for it.

    --
    Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>

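An added example, not part of the thread and not an existing Debian tool: one way to do the recursive NEEDED walk asked about above. It parses `readelf -d` output and lists every chain from a binary to a target library; the function names are hypothetical and the sample dynamic sections and sonames are constructed from the chain named in the message.

```python
import re

# Matches the NEEDED rows printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")

def parse_needed(readelf_text):
    """Return the sonames listed as DT_NEEDED in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_text)

def build_graph(root, dynamic_section_of):
    """Map each object to its NEEDED list, following dependencies from root.
    dynamic_section_of(name) returns `readelf -d` text, or "" if unknown."""
    graph, todo = {}, [root]
    while todo:
        name = todo.pop()
        if name not in graph:
            graph[name] = parse_needed(dynamic_section_of(name))
            todo.extend(graph[name])
    return graph

def chains_to(graph, root, target_prefix):
    """Every path from root to a soname starting with target_prefix."""
    chains = []
    def walk(node, path):
        if node in path:                      # guard against cycles
            return
        path = path + [node]
        if node.startswith(target_prefix):
            chains.append(" -> ".join(path))
            return
        for dep in graph.get(node, []):
            walk(dep, path)
    walk(root, [])
    return chains

def row(soname):
    """One constructed NEEDED row in readelf's layout."""
    return f" 0x0000000000000001 (NEEDED)             Shared library: [{soname}]\n"

# Constructed sample data, not captured from a real system.
SAMPLE = {
    "git-remote-https": row("libcurl-gnutls.so.4") + row("libz.so.1") + row("libc.so.6"),
    "libcurl-gnutls.so.4": row("libldap.so.2") + row("libgnutls.so.30") + row("libc.so.6"),
    "libldap.so.2": row("libssl.so.3") + row("libcrypto.so.3") + row("libc.so.6"),
}

def demo():
    graph = build_graph("git-remote-https", lambda name: SAMPLE.get(name, ""))
    return chains_to(graph, "git-remote-https", "libssl")

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real system, pass `build_graph` a callable that resolves each soname to a path (for instance from `ldconfig -p`) and returns the output of `readelf -d` for it.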
  • From Debian Bug Tracking System@21:1/5 to All on Tue Apr 15 15:10:02 2025

    Your message dated Tue, 15 Apr 2025 12:49:11 +0000
    with message-id <Z_5Vx4f9mIv8JTzz@tapette.crustytoothpaste.net>
    and subject line Clsoing 1094969
    has caused the Debian Bug report #1094969,
    regarding git: /usr/lib/git-core/git-remote-http is linked against incompatibly licensed OpenSSL
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1094969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094969
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
