Bug#1033136: marked as done (chromium: Remove old Unicode DFSG-non-free license)

[Debian Bug Tracking System]

Your message dated Wed, 22 Nov 2023 13:17:34 +0000
with message-id <e1r5n6k-001cfj...@fasolo.debian.org>
and subject line Bug#1033136: fixed in chromium 119.0.6045.123-1~deb11u1
has caused the Debian Bug report #1033136,
regarding chromium: Remove old Unicode DFSG-non-free license
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1033136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: chromium
Version: 111.0.5563.64-1
Severity: wishlist

Unicode produced a number of files years ago that contained a problematic 
license with the following restriction:

"Unicode, Inc. hereby grants the right to freely use the information supplied 
in this file in the creation of products supporting the Unicode Standard"

This is not free because it prevents the use of the file in ways that do not 
support the Unicode standard.

In 2004 Unicode relicensed their files under a different license that does not 
contain this restriction.

These is their current copyright and terms of use statement:

http://www.unicode.org/copyright.html

Which links to their current license:

https://www.unicode.org/license.txt

For many years, Chromium integrated an older copy of `Convert-UTF` with the 
problematic license. When the problem was brought to their attention they 
updated the file's license.

https://bugs.chromium.org/p/google-breakpad/issues/detail?id=270

https://chromium.googlesource.com/breakpad/breakpad/+/14bbefbd9600e08d6a34d7250faa8bc9dba2113e%5E%21/

The Debian Chromium package currently includes three other files that still 
contain this problematic license in their headers.

src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_10-1998.ucm
src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_11-2001.ucm
src/3rdparty/chromium/third_party/icu/source/data/mappings/iso-8859_14-1998.ucm

Even though these files are contained under the `chromium` subdirectory, they 
do not exist in the upstream Chromium git repository:

https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/third_party/

I am uncertain where exactly they enter the stream of code that is packaged as 
Chromium on Debian.  Wherever it is, they can be updated with the correct 
license.

Identical files (except for the licenses) are found in the Unicode GitHub 
repository:

https://github.com/unicode-org/icu/tree/main/icu4c/source/data/mappings

These were updated to the non-problematic license in 2015:

https://unicode-org.atlassian.net/browse/ICU-22007

A copy of the bad license also appears in:

src/3rdparty/chromium/third_party/breakpad/breakpad/LICENSE

It needs to be removed, and, if breakpad uses the ICU files, replaced with the 
license at:

https://www.unicode.org/license.txt

Qt WebEngine includes the same problematic files.  There is an upstream bug 
filed with Qt at:

https://bugreports.qt.io/browse/QTBUG-112008

There is also a Lintian bug regarding the detection of this problematic license:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854209

--- End Message ---

--- Begin Message ---

Source: chromium
Source-Version: 119.0.6045.123-1~deb11u1
Done: Andres Salomon <dilin...@debian.org>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1033...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Salomon <dilin...@debian.org> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Nov 2023 23:49:10 -0500
Source: chromium
Architecture: source
Version: 119.0.6045.123-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Chromium Team <chrom...@packages.debian.org>
Changed-By: Andres Salomon <dilin...@debian.org>
Closes: 1033136
Changes:
 chromium (119.0.6045.123-1~deb11u1) bullseye-security; urgency=high
 .
   * New upstream security release.
     - CVE-2023-5996: Use after free in WebAudio. Reported by
       Huang Xilin of Ant Group Light-Year Security Lab via Tianfu Cup 2023.
   * Replace libgl1-mesa-dev build dependency with libgl-dev.
   * Drop d/patches/system/convertutf.patch; license issue has been fixed.
   * d/copyright: stop deleting convert_UTF.* and document Unicode copyright
     (closes: #1033136).
   * d/patches/ppc64le/fixes/fix-breakpad-compile.patch: refresh due to 
convertutf
     change.
Checksums-Sha1:
 98ddd88061bb76d044710d97aceb39c112600a14 3763 
chromium_119.0.6045.123-1~deb11u1.dsc
 0a1423acf6a03a30888395b8d7b658cbed67b287 784724636 
chromium_119.0.6045.123.orig.tar.xz
 baf544d54f9bf99864d46227e12c4a585c0534a2 1486104 
chromium_119.0.6045.123-1~deb11u1.debian.tar.xz
 0d1eddade9be72d1413c2d7447ff63cee4cad9b8 22872 
chromium_119.0.6045.123-1~deb11u1_source.buildinfo
Checksums-Sha256:
 00d5caabda327544782cc1fb077d4d5fa4d6fe14d206b5daa925eb4649eb5eb3 3763 
chromium_119.0.6045.123-1~deb11u1.dsc
 926b81d29943867487487f0bbe3ffb7c4da397e002def1487678bea569034bf1 784724636 
chromium_119.0.6045.123.orig.tar.xz
 9a82c1a5bb3b9696d44059523aa06daef727b0cdfb257ffa44f6cfd2e41980f7 1486104 
chromium_119.0.6045.123-1~deb11u1.debian.tar.xz
 1cd2edde0c53406f53102816be691334da2818935789a5f723696f70e204b3c6 22872 
chromium_119.0.6045.123-1~deb11u1_source.buildinfo
Files:
 50a533e6dca1ab688fdd239c9a99598c 3763 web optional 
chromium_119.0.6045.123-1~deb11u1.dsc
 d35bc8415303181552464684141f1efd 784724636 web optional 
chromium_119.0.6045.123.orig.tar.xz
 7e10346958f3f6a726ca93ed2a525513 1486104 web optional 
chromium_119.0.6045.123-1~deb11u1.debian.tar.xz
 1861ab80f4d907fbe9c29eae28740e2f 22872 web optional 
chromium_119.0.6045.123-1~deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVMEEsUHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8NudjfIGw//YbULtwEz2XMBlIewqZYsI7uPQcBg
Kdwd5lnyGI2U4FL1iYuDSA9o7lkIvQstt4GNbRPdvnDQVpbEkUU8Hyzjm2BOIGmJ
ngzRauqNthP5nwQcfpSevzCY+NMEKLUdKYV4ZkCRsGuPP+mewX0draBFmo+Z5PG/
osly++2v/A7y+tJiriT3ZePneopJVH4xZgWFF0iygRtrFBM/OzhUOqLnQQIhZwjK
SX8RvPaB9dN8dS4rWjVnmTAzjL1CWC79dNbJwcAS8/AD4pEHya0s5Rpd388Z5HRb
sZZ3n1kwX0LmXDDsYeCWncBvgKdooE4C7xnJfD5sunjBXcGvPPrPIZ1PhmSadm1D
JrjBEoYl1YonF6fD7SmBJGqsNmBe1M3hQEFmvbIeQMT8qVj9wLeI/AsA2631X5KS
wR/IQX8GuIyF5CINy+pKfYxtE0HBxNtDJ3gl4XMAYvwa/cECrhXI99If3WBrTVjh
LSSVXZTgjCDz+wWsagmJFV4wlGgLektA5DA7aw5qkUz9RxqFdQ2EuWXDZHpg3fsK
jS65yVbxVCKKN7nSdKj6W9edC5P7hW3nr1WStEckJ9FilJNWJI17v6ZqCcf/doqq
WPcWmXgGv1K3sAZQ+B84lliCTYcrQVQEXaeAxOAq25E1lXmMPcxX6qDq8yHNVtNM
+2f2F8QV4zLikcs=
=P0ee
-----END PGP SIGNATURE-----

--- End Message ---