Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-24 Thread Domenico Andreoli
On Fri, Jul 22, 2005 at 07:15:18PM +0200, Elimar Riesebieter wrote:
> On Mon, 18 Jul 2005 the mental interface of
> Domenico Andreoli told:
> 
> [...]
> > i doubt seriously a new package like libcurl3-gnutls is appropriate,
> > but let me know your opinion.
> > 
> > is this stuff urgent?
> Yes!

unfortunately heimdal bug #316980 makes curl FTBS :(

regards
domenico

-[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-22 Thread Elimar Riesebieter
On Mon, 18 Jul 2005 the mental interface of
Domenico Andreoli told:

[...]
> i doubt seriously a new package like libcurl3-gnutls is appropriate,
> but let me know your opinion.
> 
> is this stuff urgent?
Yes!

Elimar

-- 
  Learned men are the cisterns of knowledge, 
  not the fountainheads ;-)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-20 Thread Elimar Riesebieter
On Wed, 20 Jul 2005 the mental interface of
Marco d'Itri told:

> On Jul 20, sean finney <[EMAIL PROTECTED]> wrote:
[...] 
> i know i'm repeating myself here, but the real fix is to politely
> > solicit the upstream author to change or add a clause to their license
> > that makes such allowances.  that, or change the build options of the
> No, the real fix is to convert as many programs as possible from openssl
> to gnutls, starting with libraries.
Right, let's start!

Elimar


-- 
  Experience is something you don't get until 
  just after you need it!


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-20 Thread Marco d'Itri
On Jul 20, sean finney <[EMAIL PROTECTED]> wrote:

> i think that would solve the problem by muting the symptoms.  what happens
> when the next free-but-not-quite-gpl-compatible licensed software is
> linked against libcurl (or something similar)?
Not relevant, gnutls is LGPL'ed.

> i know i'm repeating myself here, but the real fix is to politely
> solicit the upstream author to change or add a clause to their license
> that makes such allowances.  that, or change the build options of the
No, the real fix is to convert as many programs as possible from openssl
to gnutls, starting with libraries.

-- 
ciao,
Marco


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-19 Thread sean finney
hi,

On Mon, Jul 18, 2005 at 09:45:09PM +0200, Domenico Andreoli wrote:
> i saw the bug report, i'm sorry to not have commented the request which
> i find absolutely reasonable. i'll try to figure out if curl may suffer
> from limitations due to the use of gnutls in place of openssl.

i would guess that there aren't any, though that is making the perhaps
naïve assumption that libcurl-dev properly compartmentalizes away the
ssl code from its own api.

> i doubt seriously a new package like libcurl3-gnutls is appropriate,
> but let me know your opinion.

i think that would solve the problem by muting the symptoms.  what happens
when the next free-but-not-quite-gpl-compatible licensed software is
linked against libcurl (or something similar)?

i know i'm repeating myself here, but the real fix is to politely
solicit the upstream author to change or add a clause to their license
that makes such allowances.  that, or change the build options of the
gpl packages that are linking (directly or indirectly) against such
libraries so that they do not.

if you want to switch support for libcurl to gnutls in the meantime,
it would be a very nice thing of you to do, but it neither solves
the problem in the larger scheme of things nor would i consider it an
obligation on your part to do so.



sean


-- 


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-19 Thread Domenico Andreoli
On Sun, Jul 17, 2005 at 03:19:54PM -0400, sean finney wrote:
> On Sun, Jul 17, 2005 at 09:04:57PM +0200, Elimar Riesebieter wrote:
> > Why not building curl --without-sssl and --with-gnutls=/usr? Maybe a
> > NMU?
> 
> this is definitely NOT a reason to NMU libcurl.  remember that it is
> your package that is "broken".  of course you could still file a
> wishlist bug against libcurl asking to compile against gnutls
> instead, but it's up to the maintainer in question to decide.

oh, many thanks for the stop :)

i saw the bug report, i'm sorry to not have commented the request which
i find absolutely reasonable. i'll try to figure out if curl may suffer
from limitations due to the use of gnutls in place of openssl.

i doubt seriously a new package like libcurl3-gnutls is appropriate,
but let me know your opinion.

is this stuff urgent?

cheers
domenico

-[ Domenico Andreoli, aka cavok
 --[ http://people.debian.org/~cavok/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Bernhard R. Link
* sean finney <[EMAIL PROTECTED]> [050717 21:20]:
> On Sun, Jul 17, 2005 at 09:04:57PM +0200, Elimar Riesebieter wrote:
> > Why not building curl --without-sssl and --with-gnutls=/usr? Maybe a
> > NMU?
> 
> this is definitely NOT a reason to NMU libcurl.  remember that it is
> your package that is "broken".  of course you could still file a
> wishlist bug against libcurl asking to compile against gnutls
> instead, but it's up to the maintainer in question to decide.

Well, linking against openssl where gnutls support seems to be
available is at least an annoyance. The alternative is
to upload an alternative libcurl, duplicating the source code,
making it harder for everyone involved. So it is more than just
a avarage wishlist-bug where the maintainer's opinion is the last 
word.

Hochachtungsvoll,
  Bernhard R. Link


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread sean finney
hi,

On Mon, Jul 18, 2005 at 03:40:30PM +0200, Olaf van der Spek wrote:
> On 7/18/05, sean finney <[EMAIL PROTECTED]> wrote:
> > yes, and the same with libmysqlclient, which is why there's no longer ssl
> > support in the mysql packages :(
> 
> Wouldn't it be possible to support SSL transparently in such a way
> that the original package doesn't need to be modified?

not without some major dlopen-style hackery, which i don't imagine
upstream would support and neither christian nor i have the
time/interest/desire to see done in debian-specific patches.

On Mon, Jul 18, 2005 at 04:36:52PM +0200, Torsten Landschoff wrote:
> On Mon, Jul 18, 2005 at 09:29:46AM -0400, sean finney wrote:
> > yes, and the same with libmysqlclient, which is why there's no longer ssl
> > support in the mysql packages :(
> 
> That kind of ... sucks!? No hope have the support GnuTLS or something?

it's totally feasible that it (and any other ssl-needing library) could
be patched to use gnutls instead of openssl, but i'm not familiar enough
with either API and would really prefer upstream to approve/include
the functionality.  if somebody did the hard work and provided a patch,
and the mysql folks sounded somewhat postitive about it, i'd consider
the possibility.

of course this would all be moot if upstream authors got a clue
about the full ramifications of the GPL with their software...

On Mon, Jul 18, 2005 at 07:57:11PM +0200, Bernhard R. Link wrote:
> Well, linking against openssl where gnutls support seems to be
> available is at least an annoyance. The alternative is
> to upload an alternative libcurl, duplicating the source code,
> making it harder for everyone involved. So it is more than just
> a avarage wishlist-bug where the maintainer's opinion is the last 
> word.

the problem, from what i understand and from what istr, is that the
API's aren't bit-for-bit compatible.  given that openssl is not likely
to change their license scheme any time soon, moving to something like
gnutls does seem the preferable way to go supposing that someone is
willing to do and maintain the work.

however, it still very much is ultimately the maintainer's perogative
whether or not to accept such an option, at least in the situation
where upstream only supports openssl.  if upstream supports both,
you probably won't have a hard time convincing them to change over,
and if not you'd at least have a leg to stand on with the technical
comittee.


sean


-- 


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Torsten Landschoff
On Mon, Jul 18, 2005 at 09:29:46AM -0400, sean finney wrote:
> > The same issues as with libcurl applied to libldap2. They were
> > considered a bug in libldap2 back then because half the distribution
> > links it. Gave me a lot of recurring head aches. 
> 
> yes, and the same with libmysqlclient, which is why there's no longer ssl
> support in the mysql packages :(

That kind of ... sucks!? No hope have the support GnuTLS or something?

Greetings

Torsten


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Olaf van der Spek
On 7/18/05, sean finney <[EMAIL PROTECTED]> wrote:
> hi,
> 
> On Mon, Jul 18, 2005 at 11:06:13AM +0200, Torsten Landschoff wrote:
> > On Sun, Jul 17, 2005 at 03:19:54PM -0400, sean finney wrote:
> > > this is definitely NOT a reason to NMU libcurl.  remember that it is
> > > your package that is "broken".  of course you could still file a
> >
> > The same issues as with libcurl applied to libldap2. They were
> > considered a bug in libldap2 back then because half the distribution
> > links it. Gave me a lot of recurring head aches.
> 
> yes, and the same with libmysqlclient, which is why there's no longer ssl
> support in the mysql packages :(

Wouldn't it be possible to support SSL transparently in such a way
that the original package doesn't need to be modified?



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread sean finney
hi,

On Mon, Jul 18, 2005 at 11:06:13AM +0200, Torsten Landschoff wrote:
> On Sun, Jul 17, 2005 at 03:19:54PM -0400, sean finney wrote:
> > this is definitely NOT a reason to NMU libcurl.  remember that it is
> > your package that is "broken".  of course you could still file a
> 
> The same issues as with libcurl applied to libldap2. They were
> considered a bug in libldap2 back then because half the distribution
> links it. Gave me a lot of recurring head aches. 

yes, and the same with libmysqlclient, which is why there's no longer ssl
support in the mysql packages :(


sean


-- 


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Steve Langasek
On Mon, Jul 18, 2005 at 05:16:27AM -0500, Peter Samuelson wrote:
> 
> [Bartosz Fenski]
> > Seems that part of developers think that indirect linking with
> > OpenSSL is ok, and part think it's not.

> Yeah.  Well.  Stand back and look at why this 'linking' thing matters
> in the first place.  The point is to determine whether one work is a
> "derivative" of another work.

False.  This is a requirement imposed by section 3 of the GPL, which makes
no mention of derivative works.

> If it is not, copyright law doesn't let the author of the second work
> have any influence on the licensing of the first.

It lets the author of the second work control the circumstances under which
you are allowed to distribute *that work*.

-- 
Steve Langasek
postmodern programmer


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Peter Samuelson

[Bartosz Fenski]
> Seems that part of developers think that indirect linking with
> OpenSSL is ok, and part think it's not.

Yeah.  Well.  Stand back and look at why this 'linking' thing matters
in the first place.  The point is to determine whether one work is a
"derivative" of another work.  If it is not, copyright law doesn't let
the author of the second work have any influence on the licensing of
the first.

If you link to libldap2 or libcurl3 but your program would work just as
well whether or not those libraries have openssl support, it's really
hard to argue that *you* are deriving your code from Eric Young or the
OpenSSL project.  Or vice versa.  You wrote your code to call LDAP
functions, or web downloading functions, you didn't care then and don't
care now how those functions work.  Didn't care then and don't care now
whether they can utilize https:// or ldaps:// at runtime.  The
functions themselves were licensed to you in a manner you could use.

The whole "linking is deriving" thing is shaky for other reasons too.
For instance, it's pretty widely known or believed that mere interfaces
can't be copyrighted.  And when you get right down to it, when your
program uses a library, it's really just using the published interface.
But that's an argument for another day, and probably another list.

> What is an official statement?

There is none.  Debian generally errs very conservatively with regard
to license violations, though, because of the Tentacles of Evil
principle.  That is: if we ship some software and the authors don't
mind how we're doing it but we're technically in violation of some
license provision - and later one of the authors is bought out by some
Big Evil Corporation - then the B.E.C. can cause a lot of trouble for
Debian and our users.  This is a situation Debian tries very hard to
avoid.


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Bartosz Fenski aka fEnIo
On Mon, Jul 18, 2005 at 11:07:41AM +0200, Torsten Landschoff wrote:
> > > apt-get remove --purge libssl0.9.7 gives me tons of packages. Just
> > > an estimation: We need to repack half of all packages then?
> > 
> > NO.[1]
> > 
> > All that needs to happen is that GPLed packages without an OpenSSL
> > linking exception either need to:
> > 
> >   1) Get a linking exception.
> >   2) Stop linking with OpenSSL.
>  
> How about indirect linking with OpenSSL? I'd really like to have libldap
> use OpenSSL again but I was told this breaks the LDAP support of a lot
> of packages since linking LDAP would pull OpenSSL.

Seems that part of developers think that indirect linking with OpenSSL is
ok, and part think it's not.

What is an official statement?

regards
fEnIo

-- 
  ,''`.  Bartosz Fenski | mailto:[EMAIL PROTECTED] | pgp:0x13fefc40 | irc:fEnIo
 : :' :   32-050 Skawina - Glowackiego 3/15 - w. malopolskie - Poland
 `. `'   phone:+48602383548 | proud Debian maintainer and user
   `-  http://skawina.eu.org | jid:[EMAIL PROTECTED] | rlu:172001


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Torsten Landschoff
On Sun, Jul 17, 2005 at 11:09:04PM +0300, Don Armstrong wrote:
> On Sun, 17 Jul 2005, Elimar Riesebieter wrote:
> > apt-get remove --purge libssl0.9.7 gives me tons of packages. Just
> > an estimation: We need to repack half of all packages then?
> 
> NO.[1]
> 
> All that needs to happen is that GPLed packages without an OpenSSL
> linking exception either need to:
> 
>   1) Get a linking exception.
>   2) Stop linking with OpenSSL.
 
How about indirect linking with OpenSSL? I'd really like to have libldap
use OpenSSL again but I was told this breaks the LDAP support of a lot
of packages since linking LDAP would pull OpenSSL.

Greetings

Torsten


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Torsten Landschoff
On Sun, Jul 17, 2005 at 03:19:54PM -0400, sean finney wrote:
> > Why not building curl --without-sssl and --with-gnutls=/usr? Maybe a
> > NMU?
> 
> this is definitely NOT a reason to NMU libcurl.  remember that it is
> your package that is "broken".  of course you could still file a

The same issues as with libcurl applied to libldap2. They were
considered a bug in libldap2 back then because half the distribution
links it. Gave me a lot of recurring head aches. 

Basically I'd vote for avoiding license bombs like this in our archive.
Most software is GPL and upstream seldom knows about those issues.

Greetings

Torsten


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-18 Thread Damian Pietras
On Mon, Jul 18, 2005 at 01:02:53AM -0500, Peter Samuelson wrote:
> 
> [Don Armstrong]
> > All that needs to happen is that GPLed packages without an OpenSSL
> > linking exception either need to:
> 
> 3) For indirect dependencies: make sure you're only using the bits
>of the (for example) libcurl ABI which work whether or not it is
>compiled against openssl.  In that case it's really hard to
>argue you're "linking to openssl".

This is true for MOC, like for ogg123 whis is also licensed using "pure"
GPL.

-- 
Damian Pietras


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-17 Thread Peter Samuelson

[Don Armstrong]
> All that needs to happen is that GPLed packages without an OpenSSL
> linking exception either need to:
> 
>   1) Get a linking exception.
>   2) Stop linking with OpenSSL.

3) For indirect dependencies: make sure you're only using the bits
   of the (for example) libcurl ABI which work whether or not it is
   compiled against openssl.  In that case it's really hard to
   argue you're "linking to openssl".


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-17 Thread Don Armstrong
On Sun, 17 Jul 2005, Elimar Riesebieter wrote:
> apt-get remove --purge libssl0.9.7 gives me tons of packages. Just
> an estimation: We need to repack half of all packages then?

NO.[1]

All that needs to happen is that GPLed packages without an OpenSSL
linking exception either need to:

  1) Get a linking exception.

  2) Stop linking with OpenSSL.

Nothing more needs to be done.


Don Armstrong

1: This has been seriously discussed in hideous detail at least 10
times already. The list archives are your friend.
-- 
Grimble left his mother in the food store and went to the launderette
and watched the clothes go round. It was a bit like colour television
only with less plot.
 -- Clement Freud _Grimble_

http://www.donarmstrong.com  http://rzlab.ucr.edu


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-17 Thread Elimar Riesebieter
On Sun, 17 Jul 2005 the mental interface of
sean finney told:

> On Sun, Jul 17, 2005 at 08:21:00PM +0200, Elimar Riesebieter wrote:
> > I don't see a gpl'd alternative to curl for internet streaming. I am
> > thinking about to build moc --without-curl then :(
> 
> or you could always contact the author and inform them of their
> self-inflicted license violation.  in my experience, many authors
> don't realize the licensing problem and are more than willing to
> relicense/dual license/add exceptions for stuff like openssl.
> 
> > What about the fbi-package, raptor-utils-package and others who are using
> > libcurl3 as well?
> 
> if they are strict gpl and use libcurl, you should report bugs against them.

apt-get remove --purge libssl0.9.7 gives me tons of packages. Just
an estimation: We need to repack half of all packages then?

Elimar


-- 
  Planung:
  Ersatz des Zufalls durch den Irrtum.
-unknown-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-17 Thread sean finney
On Sun, Jul 17, 2005 at 09:04:57PM +0200, Elimar Riesebieter wrote:
> Why not building curl --without-sssl and --with-gnutls=/usr? Maybe a
> NMU?

this is definitely NOT a reason to NMU libcurl.  remember that it is
your package that is "broken".  of course you could still file a
wishlist bug against libcurl asking to compile against gnutls
instead, but it's up to the maintainer in question to decide.

sean

-- 


signature.asc
Description: Digital signature


Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-17 Thread Elimar Riesebieter
On Sun, 17 Jul 2005 the mental interface of
sean finney told:

> On Sun, Jul 17, 2005 at 08:21:00PM +0200, Elimar Riesebieter wrote:
> > I don't see a gpl'd alternative to curl for internet streaming. I am
> > thinking about to build moc --without-curl then :(
> 
> or you could always contact the author and inform them of their
> self-inflicted license violation.  in my experience, many authors
> don't realize the licensing problem and are more than willing to
> relicense/dual license/add exceptions for stuff like openssl.
> 
> > What about the fbi-package, raptor-utils-package and others who are using
> > libcurl3 as well?
> 
> if they are strict gpl and use libcurl, you should report bugs against them.

Damian can't. I asked him.

Why not building curl --without-sssl and --with-gnutls=/usr? Maybe a
NMU?

Elimar


-- 
  "Talking much about oneself can also 
   be a means to conceal oneself."
 -Friedrich Nietzsche


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Who needs libcurl3? (was libcurl3-dev: A development package linked again gnutls needed)

2005-07-17 Thread sean finney
On Sun, Jul 17, 2005 at 08:21:00PM +0200, Elimar Riesebieter wrote:
> I don't see a gpl'd alternative to curl for internet streaming. I am
> thinking about to build moc --without-curl then :(

or you could always contact the author and inform them of their
self-inflicted license violation.  in my experience, many authors
don't realize the licensing problem and are more than willing to
relicense/dual license/add exceptions for stuff like openssl.

> What about the fbi-package, raptor-utils-package and others who are using
> libcurl3 as well?

if they are strict gpl and use libcurl, you should report bugs against them.


sean

-- 


signature.asc
Description: Digital signature