Source: golang-github-vmware-photon-controller-go-sdk
Version: 0.0~PROMOTED-339-1.1
Tags: upstream
Severity: serious
Justification: infringement of GNU GPL attribution and source availability requirements
X-Debbugs-Cc: [email protected]
Hello,

For an unrelated purpose I was looking for packages shipping files ending in '.iso' and this package came up on my radar. The golang-github-vmware-photon-controller-go-sdk-dev package installs these files on all architectures:

  /usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/ttylinux-pc_i486-16.1.iso
  /usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/tty_tiny.ova

These files really do contain an entire virtual machine, as I'll show, with the Linux kernel, BusyBox, the GNU C Library (real glibc, not Newlib, which is both uncommon in this use case and makes the licensing implications more serious), Dropbear, and more. These virtual machine images are present already in the source package.

It is hard to verify authenticity due to bitrot, but it appears this is what's being referred to:

  https://www.minimalinux.org/ttylinux/downloadPC.html
  https://html-preview.github.io/?url=https://github.com/mkienenb/ttylinux/blob/master/dloadPC-i486.html

The VMware-ish file conventions are something I'm working on wrapping my head around, so do note that the '*.iso' file is mainly metadata and the '*.ova' is where the concerns really lie.

  $ bsdcat ttylinux-pc_i486-16.1.iso | tr -cd '[[:print:]]' | tr -s '[[:space:]]'
  CD001LINUX CDROM "s0 GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM 2015032517314800201503251731480000000000000000002015032517314800 CD001"s0"s00s0SETTINGS.JSN;1{"vm_network_netmask":"255.255.254.0","vm_domain":"eng.vmware.com","vm_network_ip":"10.146.34.113","vm_network_nameservers":"10.142.7.1","vm_network_gateway":"10.146.35.253"}

It looks like this probably wasn't supposed to be shared outside VM corporate seeing as those are statically-configured network details.
Personally I was concerned about this file not being what it claimed, so I found the following helpful for a more forensic analysis:

  $ pax -r -f /usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/tty_tiny.ova -s '/^.*$/tty_tiny.vmdk/' '*.vmdk*' \
    && qemu-img convert -f vmdk -O raw tty_tiny.vmdk tty_tiny.img

A lot of tools don't like the compressed VMware format it seems, so this conversion makes all else easier. You can identify the software within with

  $ tr -c -d '[[:print:]]' < tty_tiny.img

and it also seems to boot at least part of the way using qemu-system-i386, using BusyBox for the system startup.

So there are a few reasons why it's prima facie the case that this is seriously wrong even though I don't have detailed knowledge of the package:

  • The hard-coded network credentials could be construed as "phoning home" and were spooky.
  • There is a lot of software in the images that is under the GNU GPL and needs to have source available, but much of the software (including ttylinux itself) is so old that this would actually be pretty hard to backtrack on.
  • It's not apparent how this could be used for any sort of testing even if one wanted to.

Also, pardon my French, but I don't think there are any runtime reverse dependencies or build-time reverse dependencies on this binary package, the only one for this source package. Likewise the ITP #855680 doesn't actually describe why the software belongs in Debian or what anyone would want it for, so I'm scratching my head. Does anyone know why this package exists?
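The triage the report walks through by hand (unpack the OVA, check what is really inside, look for embedded software and static network details) can be scripted. The following is an added example written for this page; it is not part of the bug report, the Debian package or VMware's SDK. An OVA is a plain tar archive, and an OVF manifest (.mf) lists one "SHA1(name)= hex" or "SHA256(name)= hex" line per member, so the script verifies the manifest against the actual members and then scans a disk blob for the software markers and IPv4 literals the report cares about. Everything it inspects is a constructed sample appliance built in-memory by build_sample_ova(); the member names, the disk contents and the 10.0.0.x addresses are made up for the example. A real stream-optimized .vmdk is compressed, so on the real tty_tiny.ova you would run the qemu-img conversion from the report first and feed the resulting raw image to inventory().

```python
import hashlib
import io
import re
import tarfile

# Runs of >= 6 printable ASCII bytes, roughly what `tr -c -d '[[:print:]]'`
# surfaces, but returned as separate strings instead of one blob.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# One OVF manifest line: "SHA256(sample-disk1.vmdk)= <hex digest>".
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)\s*$")
IPV4 = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# Banner fragments of the GPL/LGPL components the report names.
SOFTWARE_MARKERS = (b"BusyBox", b"GNU C Library", b"Dropbear", b"Linux version")


def ova_members(ova_bytes):
    """Map every regular file inside the OVA (a tar archive) to its raw bytes."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                members[m.name] = tf.extractfile(m).read()
    return members


def verify_manifest(members):
    """Recompute each digest listed in the .mf file against the members actually shipped.
    Returns {member: 'ok' | 'mismatch' | 'missing'}, or {'<manifest>': 'absent'}."""
    mf_names = [n for n in members if n.endswith(".mf")]
    if not mf_names:
        return {"<manifest>": "absent"}
    result = {}
    for line in members[mf_names[0]].decode("ascii", "replace").splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if not m:
            continue
        algo, name, expected = m.group(1).lower(), m.group(2), m.group(3).lower()
        if name not in members:
            result[name] = "missing"
            continue
        actual = hashlib.new(algo, members[name]).hexdigest()
        result[name] = "ok" if actual == expected else "mismatch"
    return result


def strings(blob):
    """Printable-string extraction over a raw disk image or any other blob."""
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(blob)]


def inventory(blob):
    """Software banners and IPv4 literals present in a raw image (sorted, de-duplicated)."""
    software = sorted({s.decode("ascii") for s in SOFTWARE_MARKERS if s in blob})
    ipv4 = sorted({ip.decode("ascii") for ip in IPV4.findall(blob)})
    return {"software": software, "ipv4": ipv4}


def build_sample_ova(tamper=False):
    """Constructed sample appliance for the example (NOT the real tty_tiny.ova):
    an .ovf descriptor, a SHA256 manifest, and a fake raw 'disk' carrying a few
    recognisable banners plus a static network config. With tamper=True the disk
    is altered after the manifest was computed, as a modified image would be."""
    pristine_disk = (b"\x00" * 32
                     + b"Linux version 2.6.x (constructed)\x00"
                     + b"BusyBox v1.x multi-call binary\x00"
                     + b"GNU C Library stable release\x00"
                     + b"Dropbear sshd\x00"
                     + b'{"vm_network_ip":"10.0.0.7","vm_network_gateway":"10.0.0.1"}\x00')
    disk = pristine_disk.replace(b"10.0.0.7", b"10.0.0.9") if tamper else pristine_disk
    ovf = b'<?xml version="1.0"?><Envelope><References/></Envelope>'
    manifest = "".join(
        f"SHA256({name})= {hashlib.sha256(data).hexdigest()}\n"
        for name, data in (("sample.ovf", ovf), ("sample-disk1.vmdk", pristine_disk))
    ).encode("ascii")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("sample.ovf", ovf), ("sample.mf", manifest),
                           ("sample-disk1.vmdk", disk)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    members = ova_members(build_sample_ova())
    print("manifest:", verify_manifest(members))
    print("inventory:", inventory(members["sample-disk1.vmdk"]))
    print("tampered:", verify_manifest(ova_members(build_sample_ova(tamper=True))))
```

A manifest that verifies only tells you the archive is internally consistent, not that the appliance is what its file name claims; the inventory step is what answers the report's actual questions (which GPL components are inside, and whether hard-coded addresses are present). For the real image, point inventory() at the tty_tiny.img produced by qemu-img rather than at the compressed .vmdk member.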

