Package: release.debian.org Severity: important User: release.debian....@packages.debian.org Usertags: pu
Dear Stable Release Managers, As I discussed today with Adam Barratt and Mark Hymers at DC11, I discovered that the current version of win32-loader as shipped in stable might actually violate the GPL: both the CD version (as shipped in the win32-loader binary package) and the "standalone" version (as [wrongly] shipped directly on the mirrors [0]) ship binary files from: - grub-pc (g2ldr, g2ldr.mbr) - loadlin (loadlin.exe) - cpio-win32 (cpio.exe) - gzip-win32 (gzip.exe) There are two problems with the current state: a) win32-loader 0.6.21 was uploaded (hence built) on 2010-12-09. At that time, those packages were in given versions but stable was released with other versions. The following array tries to demonstrate the problem: Name | Version at upload time | Version in stable | Status ------------------------------------------------------------- grub2 | 1.98+20100804-10 | 1.98+20100804-14 - KO loadlin | 1.6e-1 | 1.6e-1 - OK cpio | 2.11-5 | 2.11-4 - KO gzip | 1.3.12-9 | 1.3.12-9 - OK So at least two embedded binaries cannot be rebuilt using sources from stable. b) #616324: This bug is about a weird archive behaviour, somehow fixed since then, about the three "suites" being equal binaries. The current problem of this is that the version shipped in tools/win32-loader/stable/win32-loader.exe is actually _not_ 0.6.21, but 0.6.22 (you can see this by running it in wine, which is harmless). So in order to fix this, my plan is to upload a win32-loader 0.6.21+squeeze0 to stable(-proposed-update) that would include the following changes: - add a Built-Using field in the binary package (to track GPL-compliance) - add the "byhand" code, backported from current unstable (to push the standalone version to the archive) - document versions and pointers to sources in the pool/ directories (to enhance documentation) A proposed source, debdiff and built package is there: http://alioth.debian.org/~odyx-guest/packages/win32-loader/ What do you think ? By the way, I will make sure an upload of win32-loader to unstable happens soon™ with all these changes (I'll have to find a sponsor as I'm at DC11 and my smartcard with my GPG subkey broke). Cheers, OdyX [0] http://ftp.debian.org/debian/tools/win32-loader/stable/win32-loader.exe -- System Information: Debian Release: wheezy/sid APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110729215425.16080.44040.reportbug@Tamino