Bug#721454: libgit2 contains mix of LGPL2 and Apache2

2014-03-19 Thread Russell Sim

Paul Tagliamonte  writes:

> On Fri, Sep 06, 2013 at 10:35:07AM +1000, Russell Sim wrote:
>> 
>> Paul Tagliamonte  writes:
>> 
>> > On Mon, Sep 02, 2013 at 11:32:09PM +1000, Russell Sim wrote:
>> >> Paul Tagliamonte  writes:
>> it's not a pure GPLv2 license, instead it's modified to make it more
>> compatible[0].
>> 
>> "This is a custom license which in practical effects makes it more
>> permissive than the LGPLv2, allowing redistribution of software linked
>> against the library under all circumstances without having to disclose
>> its source code."
>> 
>> >> I have also found that I missed an update to the license that happened
>> >> in 0.19.0.  It was a new reference to the PHP 3.01 license.  From my
>> >> understanding it's also incompatible with the GPLv2 and GPLv3.
>> >> 
>> 
>> Hehe, well I think this PHP license thing is probably the biggest
>> problem now, perhaps we should wait until they actually figure out where
>> they got it from.

I have had another read over the PHP license and the reason it's
incompatible.  Seems that it's because of the restriction on using the
name PHP in derived works.  I believe that because of the linking
preamble on this licence it will be compatible.

I'm going to close this ticket, if you believe this not to be the case,
feel free to contact me.

Thanks,
Russell




Bug#721454: libgit2 contains mix of LGPL2 and Apache2

2013-09-05 Thread Paul Tagliamonte
On Fri, Sep 06, 2013 at 10:35:07AM +1000, Russell Sim wrote:
> 
> Paul Tagliamonte  writes:
> 
> > On Mon, Sep 02, 2013 at 11:32:09PM +1000, Russell Sim wrote:
> >> Paul Tagliamonte  writes:
> >> 
> >> > I notice there's a mix of GPLv2 and Apache2 code in the same binary.
> >> > This combined work isn't distributable. It'd be super great to fix this
> >> > by getting upstream to move to GPLv3 or dropping the apache2 code (or
> >> > getting the copyright holders of the apache2 code to move to Expat or
> >> > similar)
> 
> So I think that I have an answer to the GPLv2 and Apache2
> incompatibilities. They have added a linking exception preamble to the

Erm, I just read this. This seems like it'd work :)

> license, so it's not a pure GPLv2 license, instead it's modified to make
> it more compatible[0].
> 
> "This is a custom license which in practical effects makes it more
> permissive than the LGPLv2, allowing redistribution of software linked
> against the library under all circumstances without having to disclose
> its source code."
> 
> >> I have also found that I missed an update to the license that happened
> >> in 0.19.0.  It was a new reference to the PHP 3.01 license.  From my
> >> understanding it's also incompatible with the GPLv2 and GPLv3.
> >> 
> >> I'll send a message upstream regarding these issues.  In the mean time
> >> is there an action I should take regarding the package, it's currently
> >> in experimental, will it need to be removed from the archive?
> 
> I have raised this with the upstream developers, and they are trying to
> remove the PHP code and are also seeking legal advice[1].  It also seems
> that I was mistaken, the PHP license was added to the code in the master
> branch, it's not in the 0.19.0 release.  But they are still trying to
> work out the origin of the code.  So it may have been mistakenly
> identified as being from the PHP code base.
> 
> The code in question appears in the 0.19.0 release but it's only used
> for windows compatibility.  I can remove it with a patch, so as to be
> sure it's not included in the binary?
> 
> > Yeah, if you wouldn't mind a RoM, we can introduce it after upstream
> > gives folks the ability to, well, distribute the binaries :)
> 
> Hehe, well I think this PHP license thing is probably the biggest
> problem now, perhaps we should wait until they actually figure out where
> they got it from.
> 
> Cheers,
> Russell
> 
> 0. https://github.com/libgit2/libgit2/issues/567
> 1. https://github.com/libgit2/libgit2/pull/1789

-- 
 .''`.  Paul Tagliamonte 
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag




Bug#721454: libgit2 contains mix of LGPL2 and Apache2

2013-09-05 Thread Paul Tagliamonte
On Fri, Sep 06, 2013 at 10:35:07AM +1000, Russell Sim wrote:
> 
> Paul Tagliamonte  writes:
> 
> > On Mon, Sep 02, 2013 at 11:32:09PM +1000, Russell Sim wrote:
> >> Paul Tagliamonte  writes:
> >> 
> >> > I notice there's a mix of GPLv2 and Apache2 code in the same binary.
> >> > This combined work isn't distributable. It'd be super great to fix this
> >> > by getting upstream to move to GPLv3 or dropping the apache2 code (or
> >> > getting the copyright holders of the apache2 code to move to Expat or
> >> > similar)
> 
> So I think that I have an answer to the GPLv2 and Apache2
> incompatibilities. They have added a linking exception preamble to the
> license, so it's not a pure GPLv2 license, instead it's modified to make
> it more compatible[0].
> 
> "This is a custom license which in practical effects makes it more
> permissive than the LGPLv2, allowing redistribution of software linked
> against the library under all circumstances without having to disclose
> its source code."

Neato. However, due to GPL's no-further-restrictions clause, if this
still contains the patent termination and indemnification provisions,
it's not compatible. I'll have to do a review of this license.

> 
> >> I have also found that I missed an update to the license that happened
> >> in 0.19.0.  It was a new reference to the PHP 3.01 license.  From my
> >> understanding it's also incompatible with the GPLv2 and GPLv3.
> >> 
> >> I'll send a message upstream regarding these issues.  In the mean time
> >> is there an action I should take regarding the package, it's currently
> >> in experimental, will it need to be removed from the archive?
> 
> I have raised this with the upstream developers, and they are trying to
> remove the PHP code and are also seeking legal advice[1].  It also seems
> that I was mistaken, the PHP license was added to the code in the master
> branch, it's not in the 0.19.0 release.  But they are still trying to
> work out the origin of the code.  So it may have been mistakenly
> identified as being from the PHP code base.
> 
> The code in question appears in the 0.19.0 release but it's only used
> for windows compatibility.  I can remove it with a patch, so as to be
> sure it's not included in the binary?

It'd be more clean to repack, but that's one way out, sure

> 
> > Yeah, if you wouldn't mind a RoM, we can introduce it after upstream
> > gives folks the ability to, well, distribute the binaries :)
> 
> Hehe, well I think this PHP license thing is probably the biggest
> problem now, perhaps we should wait until they actually figure out where
> they got it from.

ACK. Thanks, Russell!

> 
> Cheers,
> Russell
> 
> 0. https://github.com/libgit2/libgit2/issues/567
> 1. https://github.com/libgit2/libgit2/pull/1789

Paul

-- 
 .''`.  Paul Tagliamonte 
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag




Bug#721454: libgit2 contains mix of LGPL2 and Apache2

2013-09-05 Thread Russell Sim

Paul Tagliamonte  writes:

> On Mon, Sep 02, 2013 at 11:32:09PM +1000, Russell Sim wrote:
>> Paul Tagliamonte  writes:
>> 
>> > I notice there's a mix of GPLv2 and Apache2 code in the same binary.
>> > This combined work isn't distributable. It'd be super great to fix this
>> > by getting upstream to move to GPLv3 or dropping the apache2 code (or
>> > getting the copyright holders of the apache2 code to move to Expat or
>> > similar)

So I think that I have an answer to the GPLv2 and Apache2
incompatibilities. They have added a linking exception preamble to the
license, so it's not a pure GPLv2 license, instead it's modified to make
it more compatible[0].

"This is a custom license which in practical effects makes it more
permissive than the LGPLv2, allowing redistribution of software linked
against the library under all circumstances without having to disclose
its source code."

>> I have also found that I missed an update to the license that happened
>> in 0.19.0.  It was a new reference to the PHP 3.01 license.  From my
>> understanding it's also incompatible with the GPLv2 and GPLv3.
>> 
>> I'll send a message upstream regarding these issues.  In the mean time
>> is there an action I should take regarding the package, it's currently
>> in experimental, will it need to be removed from the archive?

I have raised this with the upstream developers, and they are trying to
remove the PHP code and are also seeking legal advice[1].  It also seems
that I was mistaken, the PHP license was added to the code in the master
branch, it's not in the 0.19.0 release.  But they are still trying to
work out the origin of the code.  So it may have been mistakenly
identified as being from the PHP code base.

The code in question appears in the 0.19.0 release but it's only used
for windows compatibility.  I can remove it with a patch, so as to be
sure it's not included in the binary?

> Yeah, if you wouldn't mind a RoM, we can introduce it after upstream
> gives folks the ability to, well, distribute the binaries :)

Hehe, well I think this PHP license thing is probably the biggest
problem now, perhaps we should wait until they actually figure out where
they got it from.

Cheers,
Russell

0. https://github.com/libgit2/libgit2/issues/567
1. https://github.com/libgit2/libgit2/pull/1789





Bug#721454: libgit2 contains mix of LGPL2 and Apache2

2013-09-05 Thread Paul Tagliamonte
On Mon, Sep 02, 2013 at 11:32:09PM +1000, Russell Sim wrote:
> Paul Tagliamonte  writes:
> 
> > I notice there's a mix of GPLv2 and Apache2 code in the same binary.
> > This combined work isn't distributable. It'd be super great to fix this
> > by getting upstream to move to GPLv3 or dropping the apache2 code (or
> > getting the copyright holders of the apache2 code to move to Expat or
> > similar)
> 
> Hey Paul, Thanks for notifying me of this issue.  

Heyya Russell, thanks for the super quick response,

> I have also found that I missed an update to the license that happened
> in 0.19.0.  It was a new reference to the PHP 3.01 license.  From my
> understanding it's also incompatible with the GPLv2 and GPLv3.
> 
> I'll send a message upstream regarding these issues.  In the mean time
> is there an action I should take regarding the package, it's currently
> in experimental, will it need to be removed from the archive?

Yeah, if you wouldn't mind a RoM, we can introduce it after upstream
gives folks the ability to, well, distribute the binaries :)

> Thanks again,
> Russell

Thank you, Russell, really!

Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte 
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag




Bug#721454: libgit2 contains mix of LGPL2 and Apache2

2013-09-02 Thread Russell Sim

Paul Tagliamonte  writes:

> I notice there's a mix of GPLv2 and Apache2 code in the same binary.
> This combined work isn't distributable. It'd be super great to fix this
> by getting upstream to move to GPLv3 or dropping the apache2 code (or
> getting the copyright holders of the apache2 code to move to Expat or
> similar)

Hey Paul, Thanks for notifying me of this issue.  

I have also found that I missed an update to the license that happened
in 0.19.0.  It was a new reference to the PHP 3.01 license.  From my
understanding it's also incompatible with the GPLv2 and GPLv3.

I'll send a message upstream regarding these issues.  In the mean time
is there an action I should take regarding the package, it's currently
in experimental, will it need to be removed from the archive?

Thanks again,
Russell





Bug#721454: libgit2 contains mix of LGPL2 and Apache2

2013-08-31 Thread Paul Tagliamonte
Package: libgit2
Severity: serious
User: paul...@debian.org
Usertags: ftp
X-Debbugs-CC: ftpmas...@ftp-master.debian.org

Howdy maintainer,

I notice there's a mix of GPLv2 and Apache2 code in the same binary.
This combined work isn't distributable. It'd be super great to fix this
by getting upstream to move to GPLv3 or dropping the apache2 code (or
getting the copyright holders of the apache2 code to move to Expat or
similar)

Thanks for your hard work,
  Paul

-- 
 .''`.  Paul Tagliamonte 
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag

