Your message dated Tue, 20 Oct 2020 01:58:39 +0200
with message-id <[email protected]>
and subject line Re: Bug#924937: OpenSSL license contamination of GPL
reverse-dependencies
has caused the Debian Bug report #924937,
regarding libpq5: OpenSSL license contamination of GPL reverse-dependencies
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
924937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924937
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpq5
Version: 11.2-2
Severity: serious
Affects: bandwidthd-pgsql dballe inspircd libnss-pgsql2 libodb-pgsql-2.4 pmacct
r-cran-rpostgresql saga sphinxsearch tora ulogd2-pgsql yubikey-server-c
Justification: renders many Debian packages undistributable

Hello,

It's come to my attention that in buster and unstable, packages which
build-depend on libpq-dev wind up linked against libpq5, which in turn
links against OpenSSL (libssl1.1).

This includes software which is licensed under the GPL and uses the
PostgreSQL APIs.

It is well understood that the OpenSSL license is not "compatible" with
the GPL (either version 2 or 3); and furthermore, Debian has long taken
the position that, unless a license exception is granted by the
copyright holders, a package which is distributed under the GPL must
only link to libraries whose licenses are also GPL-compatible in order
for it to be included in Debian.

I am opening this as a serious bug, since I believe this makes a large
and indeterminate number of packages non-distributable in buster.

See also bug 921488 which was the same situation but with MariaDB.

Based on a quick glance through the debian/copyright files of reverse
dependencies, I found the following packages that appear to generally be
licensed GPL-2 (only) for example and list no OpenSSL linking exception.
If I've accurately understood which licence applies in these cases, this
situation certainly cannot be resolved even with the upcoming OpenSSL
upstream relicense to Apache-2.0. Note that this is an indicative
non-exhaustive list only, based on some approximations and only sampling
to check accuracy; I haven't verified each one in detail.

bandwidthd-pgsql
dballe
inspircd
libnss-pgsql2
libodb-pgsql-2.4
pmacct
r-cran-rpostgresql
saga
sphinxsearch
tora
ulogd2-pgsql
yubikey-server-c

There are many more reverse dependencies licensed with GPL-2+, GPL-3,
etc, which suffer this redistributability until the relicensed OpenSSL
arrives in Debian.

Thanks,
--- End Message ---
--- Begin Message ---
On Tue, 20 Oct 2020 01:16:07 +0200 Bastian Germann
<[email protected]> wrote:
> OpenSSL, cups, and libgcc are considered system libraries now:
> http://meetbot.debian.net/debian-ftp/2020/debian-ftp.2020-03-13-20.02.html.
> I guess this issue can be closed.

Right, doing so.
--- End Message ---