Bug#833692: pinot: links GPLv2+ code with OpenSSL

2018-06-13 Thread Jonas Smedegaard
Quoting Olly Betts (2018-05-31 23:47:10)
> On Thu, May 31, 2018 at 12:22:58AM +0200, Sebastian Andrzej Siewior wrote:
>> pinot has currently two RC bugs and failed to build during the curl4 
>> transition / binNMU.
>> Does it make sense to add the two patches (Olly pointed to) and 
>> upload it or would a RM make sense?
> 
> Popcon suggests pinot usage is low:
> 
> https://qa.debian.org/popcon.php?package=pinot
> 
> I'm not sure there's really a direct equivalent though, so it seems
> worth uploading with at least the RC fixes.  I can prepare an upload
> (or happy for someone else to).
> 
> Jonas: Are you still interested in maintaining pinot?  I ask because
> it's had RC bugs open for a long time without any maintainer response,
> and the last maintainer upload was over five years ago now.
> 
> Let me know and if not I can orphan or adopt in my upload.

I still like pinot and believe there is a use for it in Debian as 
alternative to extract and tracker.  But evidently it keeps falling too 
low on my priority list :-(

Please do adopt it.  Or co-maintain it with me, if you prefer that.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#833692: pinot: links GPLv2+ code with OpenSSL

2018-06-13 Thread Olly Betts
On Thu, Jun 14, 2018 at 12:45:38AM +0200, Jonas Smedegaard wrote:
> I still like pinot and believe there is a use for it in Debian as 
> alternative to extract and tracker.  But evidently it keeps falling too 
> low on my priority list :-(
> 
> Please do adopt it.  Or co-maintain it with me, if you prefer that.

Sounds good.  I've made a start on preparing an upload.

It looks like the packaging was on collab-maint which has now gone - do
you have a checkout of it handy?  Not vital, but preserving the history
seems useful if it's easy to do.

Cheers,
Olly



Bug#833692: pinot: links GPLv2+ code with OpenSSL

2018-06-14 Thread Jonas Smedegaard
Quoting Olly Betts (2018-06-14 04:29:27)
> On Thu, Jun 14, 2018 at 12:45:38AM +0200, Jonas Smedegaard wrote:
>> I still like pinot and believe there is a use for it in Debian as 
>> alternative to extract and tracker.  But evidently it keeps falling 
>> too low on my priority list :-(
>> 
>> Please do adopt it.  Or co-maintain it with me, if you prefer that.
>
> Sounds good.  I've made a start on preparing an upload.
>
> It looks like the packaging was on collab-maint which has now gone - 
> do you have a checkout of it handy?  Not vital, but preserving the 
> history seems useful if it's easy to do.

https://salsa.debian.org/debian/pinot


Thanks a lot for co-maintaining!  Please do tell if you have any 
questions or disagree with how some stuff was done in the past - or 
simply change things and inform me, if you prefer (we are in it together 
- equally!).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#833692: pinot: links GPLv2+ code with OpenSSL

2018-06-14 Thread Olly Betts
On Thu, Jun 14, 2018 at 11:13:04AM +0200, Jonas Smedegaard wrote:
> Quoting Olly Betts (2018-06-14 04:29:27)
> > On Thu, Jun 14, 2018 at 12:45:38AM +0200, Jonas Smedegaard wrote:
> >> I still like pinot and believe there is a use for it in Debian as 
> >> alternative to extract and tracker.  But evidently it keeps falling 
> >> too low on my priority list :-(
> >> 
> >> Please do adopt it.  Or co-maintain it with me, if you prefer that.
> >
> > Sounds good.  I've made a start on preparing an upload.
> >
> > It looks like the packaging was on collab-maint which has now gone - 
> > do you have a checkout of it handy?  Not vital, but preserving the 
> > history seems useful if it's easy to do.
> 
> https://salsa.debian.org/debian/pinot

Thanks.

I've already made an upload, but it looks like there are some changes
there since the last upload (at least to debian/copyright).  I'll
sort out merging them and doing another upload, though I might let the
first upload migrate to testing first, so at least pinot is back in
testing.

> Thanks a lot for co-maintaining!  Please do tell if you have any 
> questions or disagree with how some stuff was done in the past - or 
> simply change things and inform me, if you prefer (we are in it together 
> - equally!).

I changed from cdbs to dh as you said that was OK on IRC, and together
with moving to debhelper compat 11 that makes for a very simple
debian/rules.

I left the update to gmime 3.0 out of this upload as it seemed better
to prioritise fixing the RC bugs and get a working package back in
testing.

Cheers,
Olly



Bug#833692: pinot: links GPLv2+ code with OpenSSL

2018-06-14 Thread Jonas Smedegaard
Quoting Olly Betts (2018-06-14 22:46:54)
> I've already made an upload, but it looks like there are some changes 
> there since the last upload (at least to debian/copyright).  I'll sort 
> out merging them and doing another upload, though I might let the 
> first upload migrate to testing first, so at least pinot is back in 
> testing.
> 
> > Thanks a lot for co-maintaining!  Please do tell if you have any 
> > questions or disagree with how some stuff was done in the past - or 
> > simply change things and inform me, if you prefer (we are in it 
> > together - equally!).
> 
> I changed from cdbs to dh as you said that was OK on IRC, and together 
> with moving to debhelper compat 11 that makes for a very simple 
> debian/rules.
> 
> I left the update to gmime 3.0 out of this upload as it seemed better 
> to prioritise fixing the RC bugs and get a working package back in 
> testing.

Good.  All of it.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#833692: pinot: links GPLv2+ code with OpenSSL

2018-05-30 Thread Sebastian Andrzej Siewior
On 2017-03-01 12:53:23 [+1300], Olly Betts wrote:
> Upstream addressed this by avoiding linking libxapianbackend.so to
> openssl (apparently it doesn't use it anyway):
> 
> https://github.com/FabriceColin/pinot/commit/3a40d5abe159a106f3aabaedf1a199020946b3b5

pinot has currently two RC bugs and failed to build during the curl4
transition / binNMU.
Does it make sense to add the two patches (Olly pointed to) and upload
it or would a RM make sense?

> Cheers,
> Olly
> 

Sebastian



Bug#833692: pinot: links GPLv2+ code with OpenSSL

2018-05-31 Thread Olly Betts
On Thu, May 31, 2018 at 12:22:58AM +0200, Sebastian Andrzej Siewior wrote:
> pinot has currently two RC bugs and failed to build during the curl4
> transition / binNMU.
> Does it make sense to add the two patches (Olly pointed to) and upload
> it or would a RM make sense?

Popcon suggests pinot usage is low:

https://qa.debian.org/popcon.php?package=pinot

I'm not sure there's really a direct equivalent though, so it seems
worth uploading with at least the RC fixes.  I can prepare an upload
(or happy for someone else to).

Jonas: Are you still interested in maintaining pinot?  I ask because
it's had RC bugs open for a long time without any maintainer response,
and the last maintainer upload was over five years ago now.

Let me know and if not I can orphan or adopt in my upload.

Cheers,
Olly



Bug#833692: pinot: links GPLv2+ code with OpenSSL

2016-08-07 Thread Olly Betts
Package: pinot
Version: 1.05-1.1+b1
Severity: serious
Justification: Policy 2.2.1

Bad news everyone - pinot links libxapian (which is GPLv2+) and openssl
(which has a GPLv2+-incompatible advertising clause in its licence) into
the same binary:

$ ldd /usr/lib/pinot/backends/libxapianbackend.so|grep 'xapian\|ssl'
libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x7f079530e000)
libxapian.so.22 => /usr/lib/x86_64-linux-gnu/libxapian.so.22 (0x7f0794aa6000)
$ dpkg -S /usr/lib/pinot/backends/libxapianbackend.so
pinot: /usr/lib/pinot/backends/libxapianbackend.so

I'm part of Xapian upstream, and with that hat on I can say we aren't
able to add an exception clause to the licence as there are copyright
holders who aren't interested in relicensing.

In the long term we're hoping to eliminate the non-relicensable code
from libxapian and release it under a more liberal licence, but that's
not imminent - a shorter-term way to resolve this for pinot in Debian is
needed.

It looks to me like you can probably build-depend on libcurl4-gnutls-dev
or libcurl4-nss-dev instead of libcurl4-openssl-dev (and drop
libssl-dev) except that the upstream configure script thinks it needs
openssl if `curl-config --features|grep -i SSL` is non-empty.

Cheers,
Olly
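
[Added example, not part of the original message or of the pinot/Xapian projects: the ldd check from the report above, turned into a reusable filter that flags any object whose ldd listing contains both a GPL library and OpenSSL. The function names and the gnutls sample lines are constructed for illustration; the OpenSSL sample reuses the two ldd lines quoted in the report.]

```shell
#!/bin/sh
# colinked GPL_REGEX: read `ldd` output on stdin. If a library matching
# GPL_REGEX and an OpenSSL library (libssl/libcrypto) are both listed,
# print the sonames and return 0; otherwise return 1.
# Note: ldd also lists indirect dependencies; `readelf -d` shows only the
# object's own NEEDED entries if you need to tell the two apart.
colinked() {
    awk -v gpl="$1" '
        # ldd lines look like: libfoo.so.N => /path/libfoo.so.N (0xaddr)
        $2 == "=>" {
            if ($1 ~ gpl) g = g " " $1
            if ($1 ~ /^lib(ssl|crypto)[.]so/) o = o " " $1
        }
        END {
            if (g != "" && o != "") { print "GPL:" g "; OpenSSL:" o; exit 0 }
            exit 1
        }'
}

# The two lines quoted in the bug report (libcurl4-openssl-dev build).
sample_openssl() {
    cat <<'EOF'
	libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x7f079530e000)
	libxapian.so.22 => /usr/lib/x86_64-linux-gnu/libxapian.so.22 (0x7f0794aa6000)
EOF
}

# Constructed sample: what a libcurl4-gnutls-dev build might list.
sample_gnutls() {
    cat <<'EOF'
	libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f0000001000)
	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f0000002000)
	libxapian.so.22 => /usr/lib/x86_64-linux-gnu/libxapian.so.22 (0x00007f0000003000)
EOF
}

# Demo on the embedded samples; on a real system pipe `ldd FILE` in instead.
sample_openssl | colinked '^libxapian[.]so' || true
sample_gnutls | colinked '^libxapian[.]so' || echo "gnutls build: no OpenSSL co-linking"
```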




Bug#833692: pinot: links GPLv2+ code with OpenSSL

2017-02-28 Thread Olly Betts
Control: tags -1 + fixed-upstream patch

Upstream addressed this by avoiding linking libxapianbackend.so to
openssl (apparently it doesn't use it anyway):

https://github.com/FabriceColin/pinot/commit/3a40d5abe159a106f3aabaedf1a199020946b3b5

Cheers,
Olly