Bug#1072708: openafs: src/rx[gen] contains SUN RPC code under the original license
On 04.07.24 at 00:28, Benjamin Kaduk wrote:
> Sounds like we might want to add this bug to the 'blocks' list for that one, then?

Then you should change its title, too.
Bug#1072708: openafs: src/rx[gen] contains SUN RPC code under the original license
On Thu, Jul 04, 2024 at 12:23:11AM +0200, Bastian Germann wrote:
> On 03.07.24 at 23:56, Benjamin Kaduk wrote:
> > On Wed, Jul 03, 2024 at 11:27:50PM +0200, Bastian Germann wrote:
> > > On 03.07.24 at 05:23, Benjamin Kaduk wrote:
> > > > I do not see how it would be possible to replace this code in Debian before upstream can do so; this code is a core part of the functionality of the software and the files cannot be relicensed without the permission of all copyright holders.
> > >
> > > Upstream supports more OS than only Linux and most of the changes are portability changes. Trying a compile with the files replaced won't hurt.
> >
> > I think it would hurt; some of the changes relate to security fixes, among other things.
>
> Can you point to a specific security fix that is not included in glibc or FreeBSD?
> I would like to report it to them in that case.

https://github.com/openafs/openafs/commit/a4c1d5c48deca2ebf78b1c90310b6d56b3d48af6 is the one I found first that is of clear security relevance to openafs (I did not attempt an exhaustive search).

That said, I have to say "of security relevance to openafs" because it relates to how the overall application handles large/unexpected RPC input arguments, and the right way to address that class of issue is likely to depend on the particular application in question. This particular fix is suitable for openafs but is not necessarily suitable for all consumers of a generic rpcgen.

> > > > I am also a bit confused at why you chose to file this as severity: serious -- could you please clarify what part of policy is being violated or how it makes the package unsuitable for release?
> > >
> > > Assuming the license is non-free (which some people may doubt but this seems to be established in Debian) the package violates Policy §2.2.1 "Every package in main must comply with the DFSG"
> >
> > Do you have any links handy for "this seems to be established in Debian"? Maybe a statement from ftpmaster?
>
> There is a bug waiting for a statement from ftpmaster: #1072165.

Sounds like we might want to add this bug to the 'blocks' list for that one, then?

> > Starting from scratch I'm only finding https://lists.debian.org/debian-legal/2003/08/msg00667.html from 2003 (and the corresponding bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=181493), neither of which really ends with a resounding conclusion, and which are quite old.
>
> The conclusion of bug #181493 was upstream's relicensing of the code.

Right, which is not much of a conclusion on whether or not the license is non-free; it is just side-stepping the question.

-Ben
Bug#1072708: openafs: src/rx[gen] contains SUN RPC code under the original license
On 03.07.24 at 23:56, Benjamin Kaduk wrote:
> On Wed, Jul 03, 2024 at 11:27:50PM +0200, Bastian Germann wrote:
> > On 03.07.24 at 05:23, Benjamin Kaduk wrote:
> > > I do not see how it would be possible to replace this code in Debian before upstream can do so; this code is a core part of the functionality of the software and the files cannot be relicensed without the permission of all copyright holders.
> >
> > Upstream supports more OS than only Linux and most of the changes are portability changes. Trying a compile with the files replaced won't hurt.
>
> I think it would hurt; some of the changes relate to security fixes, among other things.

Can you point to a specific security fix that is not included in glibc or FreeBSD?
I would like to report it to them in that case.

> > > I am also a bit confused at why you chose to file this as severity: serious -- could you please clarify what part of policy is being violated or how it makes the package unsuitable for release?
> >
> > Assuming the license is non-free (which some people may doubt but this seems to be established in Debian) the package violates Policy §2.2.1 "Every package in main must comply with the DFSG"
>
> Do you have any links handy for "this seems to be established in Debian"? Maybe a statement from ftpmaster?

There is a bug waiting for a statement from ftpmaster: #1072165.

> Starting from scratch I'm only finding https://lists.debian.org/debian-legal/2003/08/msg00667.html from 2003 (and the corresponding bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=181493), neither of which really ends with a resounding conclusion, and which are quite old.

The conclusion of bug #181493 was upstream's relicensing of the code.
Bug#1072708: openafs: src/rx[gen] contains SUN RPC code under the original license
On Wed, Jul 03, 2024 at 11:27:50PM +0200, Bastian Germann wrote:
> On 03.07.24 at 05:23, Benjamin Kaduk wrote:
> > I do not see how it would be possible to replace this code in Debian before upstream can do so; this code is a core part of the functionality of the software and the files cannot be relicensed without the permission of all copyright holders.
>
> Upstream supports more OS than only Linux and most of the changes are portability changes. Trying a compile with the files replaced won't hurt.

I think it would hurt; some of the changes relate to security fixes, among other things.

> > I am also a bit confused at why you chose to file this as severity: serious -- could you please clarify what part of policy is being violated or how it makes the package unsuitable for release?
>
> Assuming the license is non-free (which some people may doubt but this seems to be established in Debian) the package violates Policy §2.2.1 "Every package in main must comply with the DFSG"

Do you have any links handy for "this seems to be established in Debian"? Maybe a statement from ftpmaster?

Starting from scratch I'm only finding https://lists.debian.org/debian-legal/2003/08/msg00667.html from 2003 (and the corresponding bug, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=181493), neither of which really ends with a resounding conclusion, and which are quite old.

Given that openafs appears to have already been in Debian at that time (looking at its changelog), it's a bit surprising that this bug is only being filed now in 2024.

-Ben
Bug#1072708: openafs: src/rx[gen] contains SUN RPC code under the original license
On 03.07.24 at 05:23, Benjamin Kaduk wrote:
> I do not see how it would be possible to replace this code in Debian before upstream can do so; this code is a core part of the functionality of the software and the files cannot be relicensed without the permission of all copyright holders.

Upstream supports more OS than only Linux and most of the changes are portability changes. Trying a compile with the files replaced won't hurt.

> I am also a bit confused at why you chose to file this as severity: serious -- could you please clarify what part of policy is being violated or how it makes the package unsuitable for release?

Assuming the license is non-free (which some people may doubt but this seems to be established in Debian) the package violates Policy §2.2.1 "Every package in main must comply with the DFSG"
Bug#1072708: openafs: src/rx[gen] contains SUN RPC code under the original license
Hi Bastian,

Sorry for the slow reply. Life has thrown a lot of things at me this month.

On Thu, Jun 06, 2024 at 10:17:33PM +0200, Bastian Germann wrote:
>
> OpenAFS includes the Sun RPC code under the original, non-free license. That code was relicensed by Oracle under a BSD license (see https://spot.livejournal.com/315383.html).
>
> I have filed an upstream bug (see forwarded URL), which has a response linking a previous draft submission to make use of that relicensing, which is blocked by people agreeing to their code (which has substantial changes to the relicensed glibc or FreeBSD copies) being relicensed.
>
> Maybe replacing it without those additional changes is possible in Debian.

I do not see how it would be possible to replace this code in Debian before upstream can do so; this code is a core part of the functionality of the software and the files cannot be relicensed without the permission of all copyright holders.

I am also a bit confused at why you chose to file this as severity: serious -- could you please clarify what part of policy is being violated or how it makes the package unsuitable for release?

Thanks,

Ben
Bug#1072708: openafs: src/rx[gen] contains SUN RPC code under the original license
Source: openafs
Version: 1.8.2-1
Severity: serious
Control: forwarded -1 http://rt.central.org/rt/SelfService/Display.html?id=135481

Hi,

OpenAFS includes the Sun RPC code under the original, non-free license. That code was relicensed by Oracle under a BSD license (see https://spot.livejournal.com/315383.html).

I have filed an upstream bug (see forwarded URL), which has a response linking a previous draft submission to make use of that relicensing, which is blocked by people agreeing to their code (which has substantial changes to the relicensed glibc or FreeBSD copies) being relicensed.

Maybe replacing it without those additional changes is possible in Debian.

Thanks,
Bastian