Bug#1033136: marked as done (chromium: Remove old Unicode DFSG-non-free license)

[Debian Bug Tracking System]

Your message dated Wed, 08 Nov 2023 11:43:00 +0000
with message-id <e1r0gxy-003z53...@fasolo.debian.org>
and subject line Bug#1033136: fixed in chromium 119.0.6045.123-1
has caused the Debian Bug report #1033136,
regarding chromium: Remove old Unicode DFSG-non-free license
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: chromium
Version: 111.0.5563.64-1
Severity: wishlist

Unicode produced a number of files years ago that contained a problematic 
license with the following restriction:

"Unicode, Inc. hereby grants the right to freely use the information supplied 
in this file in the creation of products supporting the Unicode Standard"

This is not free because it prevents the use of the file in ways that do not 
support the Unicode standard.

In 2004 Unicode relicensed their files under a different license that does not 
contain this restriction.

These is their current copyright and terms of use statement:

http://www.unicode.org/copyright.html

Which links to their current license:

https://www.unicode.org/license.txt

For many years, Chromium integrated an older copy of `Convert-UTF` with the 
problematic license. When the problem was brought to their attention they 
updated the file's license.

https://bugs.chromium.org/p/google-breakpad/issues/detail?id=270

https://chromium.googlesource.com/breakpad/breakpad/+/14bbefbd9600e08d6a34d7250faa8bc9dba2113e%5E%21/

The Debian Chromium package currently includes three other files that still 
contain this problematic license in their headers.

src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_10-1998.ucm
src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_11-2001.ucm
src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_14-1998.ucm

Even though these files are contained under the `chromium` subdirectory, they 
do not exist in the upstream Chromium git repository:

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/third_party/

I am uncertain where exactly they enter the stream of code that is packaged as 
Chromium on Debian.  Wherever it is, they can be updated with the correct 
license.

Identical files (except for the licenses) are found in the Unicode GitHub 
repository:

https://github.com/unicode-org/icu/tree/main/icu4c/source/data/mappings

These were updated to the non-problematic license in 2015:

https://unicode-org.atlassian.net/browse/ICU-22007

A copy of the bad license also appears in:

src/3rdparty/chromium/third_party/breakpad/breakpad/LICENSE

It needs to be removed, and, if breakpad uses the ICU files, replaced with the 
license at:

https://www.unicode.org/license.txt

Qt WebEngine includes the same problematic files.  There is an upstream bug 
filed with Qt at:

https://bugreports.qt.io/browse/QTBUG-112008

There is also a Lintian bug regarding the detection of this problematic license:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854209

--- End Message ---

--- Begin Message ---

Source: chromium
Source-Version: 119.0.6045.123-1
Done: Andres Salomon <dilin...@debian.org>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilin...@debian.org> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2023 23:49:10 -0500
Source: chromium
Architecture: source
Version: 119.0.6045.123-1
Distribution: unstable
Urgency: high
Maintainer: Debian Chromium Team <chrom...@packages.debian.org>
Changed-By: Andres Salomon <dilin...@debian.org>
Closes: 1033136
Changes:
 chromium (119.0.6045.123-1) unstable; urgency=high
 .
   * New upstream security release.
     - CVE-2023-5996: Use after free in WebAudio. Reported by
       Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023.
   * Replace libgl1-mesa-dev build dependency with libgl-dev.
   * Drop d/patches/system/convertutf.patch; license issue has been fixed.
   * d/copyright: stop deleting convert_UTF.* and document Unicode copyright
     (closes: #1033136).
   * d/patches/ppc64le/fixes/fix-breakpad-compile.patch: refresh due to 
convertutf
     change.
Checksums-Sha1:
 911547e0aec4064852fdf19fbc2c3bfc86c4e3b8 3689 chromium_119.0.6045.123-1.dsc
 0a1423acf6a03a30888395b8d7b658cbed67b287 784724636 
chromium_119.0.6045.123.orig.tar.xz
 b23e13fb01261c0a8f0047084591e99add954c31 357152 
chromium_119.0.6045.123-1.debian.tar.xz
 c178a71d58e7a17eb55a8ec8b65464473ddb9959 21031 
chromium_119.0.6045.123-1_source.buildinfo
Checksums-Sha256:
 f82eddd2a0e396305fbb1e2798b8d85ca22f7ae20929375af3269f6e5d65cca0 3689 
chromium_119.0.6045.123-1.dsc
 926b81d29943867487487f0bbe3ffb7c4da397e002def1487678bea569034bf1 784724636 
chromium_119.0.6045.123.orig.tar.xz
 76a7c9763fb4a2930cdf9263c60d96e62a673649998428bdec16de70ff24d71d 357152 
chromium_119.0.6045.123-1.debian.tar.xz
 dad127e0da22a2ee67518d62b73788b5a44ab74107faa7bbc3d0a456d8a92197 21031 
chromium_119.0.6045.123-1_source.buildinfo
Files:
 2f36e6eaf11c470489374623f9400311 3689 web optional 
chromium_119.0.6045.123-1.dsc
 d35bc8415303181552464684141f1efd 784724636 web optional 
chromium_119.0.6045.123.orig.tar.xz
 32bc8f723500ada99bb3dce224833588 357152 web optional 
chromium_119.0.6045.123-1.debian.tar.xz
 f7aeb488b0a6d50c74e77729c1efa9a8 21031 web optional 
chromium_119.0.6045.123-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVLZzEUHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8NudjdUxg/9GPMJDJulEL05QBN57ppBUkKC/cLj
qyfSYkIyOcBTczR9Mc1urg5CWrfFqSzGr0OPY3qJ262qhZGUVz9APb705NuuUzTM
KuW3qLPftlOZsUTvbWUTvH7pidvnoiUjrdlSN1NJnm7CpTW09kfqcFDhl4AoXQ53
DuuNKIC+JPKjLuzgspIxe0miar40zk6GY+rda8PnXeDWhFKQ2p41CaO44oXFWYRv
zRdX284Zx/ssgESMGxTng8agDT8CEA6ljM+UsxCxMY5XgYMfY0g4T58MfciaVBJG
QHvkgehUsFd5uF0H/2K87WJsajosQ5ZJYy+dADEkbfm9wMDcSSjjGr9w8TWyGmah
hHAFG4lGKu+HkPEJ5ATbVi8sRT68y5LRAn9hSk/PEfMtKd7DOeFiLdolfpf4nIWa
69vck9+DLNwwy5E+2UaX685wgV1hK+JjvNcQjn9QwzdJkFEitHvc6ASxKrNZw+Xb
2q3SZ+ysbZMsrr+arHcKS2RvadbjjKrYoutjW+sQ/zSGVBycJj1sQdrUSkNy5sjD
efPSTOsrs5wxirqhWXGRjPT4m5ZW9zEAzMua94/rRkwhztHXnA3rS/OXnHpnPbj+
NWWLOmiH8me5N9sIx6yqTRYNpvsC5TbocTEFD3fSlGpZ7elkgklIrqi9npVOWR5A
2yobMRQy8uM2hhY=
=yyZr
-----END PGP SIGNATURE-----

--- End Message ---