1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.RC

  • Bug#1094969: Bug#976991: closed by Ryan Tandy (Re: Bug

    From Ryan Tandy@21:1/5 to brian m. carlson on Thu Feb 13 02:40:01 2025
    (CCing the git bug)

    On Thu, Feb 13, 2025 at 12:37:01AM +0000, brian m. carlson wrote:
    Since Git links against libcurl3t64-gnutls, it is now undistributable
    since it's GPLv2 and OpenSSL is incompatibly licensed.

    My understanding is that Debian now invokes the system library exception
    for OpenSSL and no longer considers this a problem.

    https://meetbot.debian.net/debian-ftp/2020/debian-ftp.2020-03-13-20.02.html

    Other packages also consider it as having resolved their GPL issues,
    e.g. <https://bugs.debian.org/924937>.

    I hope I haven't misunderstood.

    If you disagree with ftp-master about the system library exception, I
    have to ask you to take that up with them, or the TC.

    http://bugs.debian.org/1094969 tracks the bug in Git, but I don't think
    the change can be made in Git and either OpenLDAP needs to use GnuTLS
    again or libcurl4-gnutls needs to not link against OpenLDAP.

    OpenLDAP upstream are planning to delete the GnuTLS backend soon, so
    I'll be very reluctant to revert this switch unless someone else steps
    up to maintain that support.

    thanks,
    Ryan

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From brian m. carlson@21:1/5 to Samuel Henrique on Sun Apr 13 18:40:02 2025
    On 2025-04-13 at 10:23:08, Samuel Henrique wrote:
    Brian, if you think this is serious you have to bring this up to the ftp-master
    team.

    I filed the bug on Git and I think that should be sufficient. My
    position stands that this should be changed and that this is a
    regression that should be fixed in trixie.

    We shouldn't do anything unless they confirm this is an issue.

    I disagree. I'm asking nicely to fix a licensing issue which affects a
    project to which I am a contributor. Fixing it would be the appropriate
    thing to do.

    I'll also point out that the entire reason libcurl3t64-gnutls has
    traditionally existed is for licensing reasons, so if we're going to
    link that library with OpenSSL, you might as well just get rid of it
    altogether and just use libcurl4t64.
    --
    brian m. carlson (they/them)
    Toronto, Ontario, CA

    -----BEGIN PGP SIGNATURE-----

    wr0EABYKAG8Fgmf75nwJEHwMSWKIh6KBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ47VIvmC126PNYX0ECAMpd+lj+KGXav1HpUAAZl3+7cU FiEECCzmip28ZfuD0cORfAxJYoiHooEAAINNAP46XB2MyGTdKWES6HDO7JKc/2JL Y09yEqNd9jFAxcU7dAD9He5F2bsazUcn+SrrdTenHxIfrcLK9Npfeki3fHRBMAg=
    =vhFn
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon McVittie@21:1/5 to Samuel Henrique on Mon Apr 14 01:00:01 2025
    On Sun, 13 Apr 2025 at 11:58:57 +0100, Samuel Henrique wrote:
    Based on the replies to https://mastodon.social/@bagder/114329630276196304, >where there was some uncertainty around where the issue comes from, I figured I
    should clarify it here:

    git on Debian ends up indirectly linked to OpenSSL through the following:
    git -> libcurl-gnutls -> libldap -> libssl

    The openldap package switched to linking to OpenSSL in January this year (2025)
    for Debian unstable.

    openldap is not the only relevant dependency chain. There is also at least:

    git -> libcurl3t64-gnutls -> libgssapi-krb5-2 -> libkrb5-3 -> libssl3t64

    and

    git -> libcurl3t64-gnutls -> libssh2-1t64 -> libssl3t64

    (in the case of at least libssh2-1t64 it's for OpenSSL's lower-level
    libcrypto library rather than the actual libssl, but Debian packages
    those two libraries together in the libssl3t64 package, and as far as I
    know they are both under the same license).

    This means it's impossible to have a GnuTLS build of libcurl with ldap support >without also pulling OpenSSL transitively.

    As a result of the other dependency chains, no amount of changing openldap would be sufficient to resolve this on its own.

    smcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)