Bug#823100: ghostscript: includes two files claimed to be under a non-free Unicode license

2016-09-18 Thread Francesco Poli
On Sun, 18 Sep 2016 15:49:03 +0200 Jonas Smedegaard wrote:

[...]
> I have reported this upstream.  Will register at the secure-testing team 
> as a case of Embedded Code Copy as well.

Thanks for doing so!

I hope the issue may be solved soon.
Bye.

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#838212: Local scanners no longer available to saned

2016-09-18 Thread martin f krafft
Package: hplip, sane-utils
Severity: important

A while ago, hplip was "fixed" with a hack to work around
a deadlock. I've written about this on the saned mailing list:

  https://lists.alioth.debian.org/pipermail/sane-devel/2016-March/034413.html

Long story short: the "workaround" was to take away saned's access
to remote scanners (local_only=1), meaning that all setups where
saned was used to export networked scanners (in a "DMZ" in our case)
to the local network are now broken.

I understand that generally saned need not export remote scanners,
as clients could just access them directly, but there is a benefit
in centralising all access via saned, which allows better access
control and logging than many of the network scanners available on
the market.

If possible, it'd be great if the local_only setting could be made
configurable, at least for hpaio, so that for a setting like ours,
where there is no deadlock, I can get the desired behaviour.

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages hplip depends on:
ii  adduser                3.115
ii  coreutils              8.25-2
ii  cups                   2.1.4-4
ii  hplip-data             3.16.8+repack0-2
ii  libc6                  2.24-3
ii  libcups2               2.1.4-4
ii  libdbus-1-3            1.10.10-1
ii  libhpmud0              3.16.8+repack0-2
ii  libsane                1.0.25+git20150927-1
ii  libsane-hpaio          3.16.8+repack0-2
ii  libsnmp30              5.7.3+dfsg-1.5
ii  libusb-1.0-0           2:1.0.20-1
ii  lsb-base               9.20160629
ii  policykit-1            0.105-16
ii  printer-driver-hpcups  3.16.8+repack0-2
ii  python3                3.5.1-4
ii  python3-dbus           1.2.4-1
ii  python3-gi             3.21.92-1
ii  python3-pexpect        4.2.0-1
ii  python3-pil            3.3.1-1
ii  python3-reportlab      3.3.0-1
ii  wget                   1.18-2+b1

Versions of packages hplip recommends:
pn  avahi-daemon  
pn  printer-driver-postscript-hp  
ii  sane-utils                    1.0.26~git20151121-1

Versions of packages hplip suggests:
pn  hplip-doc  
pn  hplip-gui  
pn  python3-notify2
pn  system-config-printer  

-- no debconf information


-- 
 .''`.   martin f. krafft  @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems




Processed: found 823100 in 8.61.dfsg.1~svn8187-1

2016-09-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 823100 8.61.dfsg.1~svn8187-1
Bug #823100 [ghostscript] ghostscript: includes two files claimed to be under a 
non-free Unicode license
Marked as found in versions ghostscript/8.61.dfsg.1~svn8187-1.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
823100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823100
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#823100: ghostscript: includes two files claimed to be under a non-free Unicode license

2016-09-18 Thread Jonas Smedegaard
Hi Francesco,

Quoting Francesco Poli (wintermute) (2016-04-30 21:32:26)
> I noticed that two files included in the ghostscript source package 
> are documented in the debian/copyright file as distributed under the 
> terms of a non-free Unicode license.
> 
> The two files are:
> 
>   Files: base/ConvertUTF.c
>          base/ConvertUTF.h
>   Copyright: 2001-2004, Unicode, Inc
>   License: Unicode
[...]
> At the very least, this license does not grant any permission to 
> modify the files (thus failing DFSG#3). Moreover, the license grant 
> seems to attempt to restrict use to "products supporting the Unicode 
> Standard" (thus failing DFSG#6).
> See also https://lists.debian.org/debian-legal/2015/12/msg0.html 
> where an FTP Assistant confirmed that files which restrict "use to only 
> that of implementing a standard" are not fit for Debian main.
> 
> Therefore, the two files under discussion appear to be non-free.

Seems you are right.


> However, this issue could possibly be easy to solve.
> If Unicode Inc has published new versions of the two files in
> more recent times, the updated versions should be under the
> current unicode.org public license, as explained in
> http://www.unicode.org/copyright.html#Exhibit1
> 
> Please check whether newer versions of those files are released
> in one of the Unicode web site areas mentioned in the cited Exhibit1.
> The newer versions could perhaps be used as replacements for the
> non-free ones.

Unfortunately, upstream seems to have _dropped_ the code due to being 
buggy and unmaintained since 2004, according to 
http://unicode.org/forum/viewtopic.php?f=9&t=90 - summarized at 
http://stackoverflow.com/questions/2685004/why-does-unicode-org-no-longer-offer-a-reference-utf-8-16-32-converter

The above forum discussion mentions only version numbers (up to 1.4 and a 
possible alpha of 1.5); the year I found by looking at the latest available 
snapshot of the code at archive.org and the timestamps of that page: 
https://web.archive.org/web/20081228105917/http://www.unicode.org/Public/PROGRAMS/CVTUTF/

This gets worse: Seems many more packages embed this code:

https://codesearch.debian.net/search?q=ConversionResult+ConvertUTF8toUTF16

I have reported this upstream.  Will register at the secure-testing team 
as a case of Embedded Code Copy as well.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Processed: bug 823100 is forwarded to http://bugs.ghostscript.com/show_bug.cgi?id=697121

2016-09-18 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> forwarded 823100 http://bugs.ghostscript.com/show_bug.cgi?id=697121
Bug #823100 [ghostscript] ghostscript: includes two files claimed to be under a 
non-free Unicode license
Set Bug forwarded-to-address to 
'http://bugs.ghostscript.com/show_bug.cgi?id=697121'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
823100: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823100
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems