Bug#1033136: marked as done (chromium: Remove old Unicode DFSG-non-free license)

[Debian Bug Tracking System]

Your message dated Sun, 19 Nov 2023 15:17:10 +0000
with message-id <e1r4jxq-005hsq...@fasolo.debian.org>
and subject line Bug#1033136: fixed in chromium 119.0.6045.123-1~deb12u1
has caused the Debian Bug report #1033136,
regarding chromium: Remove old Unicode DFSG-non-free license
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: chromium
Version: 111.0.5563.64-1
Severity: wishlist

Unicode produced a number of files years ago that contained a problematic 
license with the following restriction:

"Unicode, Inc. hereby grants the right to freely use the information supplied 
in this file in the creation of products supporting the Unicode Standard"

This is not free because it prevents the use of the file in ways that do not 
support the Unicode standard.

In 2004 Unicode relicensed their files under a different license that does not 
contain this restriction.

These is their current copyright and terms of use statement:

http://www.unicode.org/copyright.html

Which links to their current license:

https://www.unicode.org/license.txt

For many years, Chromium integrated an older copy of `Convert-UTF` with the 
problematic license. When the problem was brought to their attention they 
updated the file's license.

https://bugs.chromium.org/p/google-breakpad/issues/detail?id=270

https://chromium.googlesource.com/breakpad/breakpad/+/14bbefbd9600e08d6a34d7250faa8bc9dba2113e%5E%21/

The Debian Chromium package currently includes three other files that still 
contain this problematic license in their headers.

src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_10-1998.ucm
src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_11-2001.ucm
src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_14-1998.ucm

Even though these files are contained under the `chromium` subdirectory, they 
do not exist in the upstream Chromium git repository:

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/third_party/

I am uncertain where exactly they enter the stream of code that is packaged as 
Chromium on Debian.  Wherever it is, they can be updated with the correct 
license.

Identical files (except for the licenses) are found in the Unicode GitHub 
repository:

https://github.com/unicode-org/icu/tree/main/icu4c/source/data/mappings

These were updated to the non-problematic license in 2015:

https://unicode-org.atlassian.net/browse/ICU-22007

A copy of the bad license also appears in:

src/3rdparty/chromium/third_party/breakpad/breakpad/LICENSE

It needs to be removed, and, if breakpad uses the ICU files, replaced with the 
license at:

https://www.unicode.org/license.txt

Qt WebEngine includes the same problematic files.  There is an upstream bug 
filed with Qt at:

https://bugreports.qt.io/browse/QTBUG-112008

There is also a Lintian bug regarding the detection of this problematic license:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854209

--- End Message ---

--- Begin Message ---

Source: chromium
Source-Version: 119.0.6045.123-1~deb12u1
Done: Andres Salomon <dilin...@debian.org>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilin...@debian.org> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2023 23:49:10 -0500
Source: chromium
Architecture: source
Version: 119.0.6045.123-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chrom...@packages.debian.org>
Changed-By: Andres Salomon <dilin...@debian.org>
Closes: 1033136
Changes:
 chromium (119.0.6045.123-1~deb12u1) bookworm-security; urgency=high
 .
   * New upstream security release.
     - CVE-2023-5996: Use after free in WebAudio. Reported by
       Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023.
   * Replace libgl1-mesa-dev build dependency with libgl-dev.
   * Drop d/patches/system/convertutf.patch; license issue has been fixed.
   * d/copyright: stop deleting convert_UTF.* and document Unicode copyright
     (closes: #1033136).
   * d/patches/ppc64le/fixes/fix-breakpad-compile.patch: refresh due to 
convertutf
     change.
Checksums-Sha1:
 ee0fae16613166ab0228ff2ff2fd2aa270f8b57a 3721 
chromium_119.0.6045.123-1~deb12u1.dsc
 0a1423acf6a03a30888395b8d7b658cbed67b287 784724636 
chromium_119.0.6045.123.orig.tar.xz
 af1bf794f4af16a5f2138aa7107fa77f2be56373 357776 
chromium_119.0.6045.123-1~deb12u1.debian.tar.xz
 da72ddb040c77fde051d25b823f346e19ce0b5ac 21349 
chromium_119.0.6045.123-1~deb12u1_source.buildinfo
Checksums-Sha256:
 97ae6737cc2782b584e0bb3154a8560cbb95fe824677ed2164d4909772b69ba0 3721 
chromium_119.0.6045.123-1~deb12u1.dsc
 926b81d29943867487487f0bbe3ffb7c4da397e002def1487678bea569034bf1 784724636 
chromium_119.0.6045.123.orig.tar.xz
 72715bba158d4541917f84fd650bd7960bc1f625ade90ee5b1e6709301d54f7b 357776 
chromium_119.0.6045.123-1~deb12u1.debian.tar.xz
 70e1882bde0eecab6d6b6c6270d69c90d8695fad8f57987b9f95f18b47f5e12d 21349 
chromium_119.0.6045.123-1~deb12u1_source.buildinfo
Files:
 d2786c6b8498c4a7b61596a3351c6e3a 3721 web optional 
chromium_119.0.6045.123-1~deb12u1.dsc
 d35bc8415303181552464684141f1efd 784724636 web optional 
chromium_119.0.6045.123.orig.tar.xz
 171f0b1f2cfee0999c19397a3500661d 357776 web optional 
chromium_119.0.6045.123-1~deb12u1.debian.tar.xz
 131c786d1f3283a0cc0fa61774fa14ff 21349 web optional 
chromium_119.0.6045.123-1~deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVL9mMUHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8Nudjc4lBAAncO4neRlwHHF9I7YUx4VcL6bnhLl
fn9t4DeAcHOhk+wzA2fuABLoh+AVF/6yYbDVzutNc29UO+MEVO+4wqaVj53SNr1n
egQ6yUXoXi/MxsYB8n1sx9axSY7LXCJYpGRYGA5GNWFWAal/rawlAsUdqKncBU4P
IeBvB6ZzCJpDVCZdCnG2EbLQqKI3Gow7qmqdUrkqQPHUf5es/P4r8i9lXYEdGuzZ
qGXjj9uQUTMu8139MaJS9wbcJRl0zd/1g/dzM9Rh3j6X6hOnyXyGJsD09GHgbHCG
LKDVmHcY2YUS++M/JniCuSBCRVRTZGaQpGWlQ6xoCRaiZQBt2GTgp2MvDeVcAtDF
R0LgwF0K6CaOuRtdcr8vuHw6CQFIjZ+c4V8CkAV2Ppee3Uff366qzLC+dyU31YyO
PiHhbVcrM5WbQ/PJagsKXDezrCf2kp6MeftHfTzMW03VS4sEeCPiUYr9pRaAnzGv
yZtJ3Q2KLO6eDBlSPCXdke87wnPyVlJzR1yrbROtkcQ52MSrPTLe5BMyRVUngTwQ
Yt5LgHcITlTvC2r2qFXJcGMYMvS2Peo4AJHTOvcUIcCQYEthKYrOfuHMgHVBnDHZ
o+22oF4vJoe3VlSDuKmMD6BevXUkZw4WAIcIJrBez7vtyoNEH8OwpFOsdUcWWI+4
I46/Me1dayxfJ0I=
=qCOV
-----END PGP SIGNATURE-----

--- End Message ---