Bug#603470: [DebianGIS-dev] Bug#603470: libmapnik0.7: package linked against broken external AGG
On Sun, Nov 14, 2010 at 02:15:00PM +0100, Sven Geggus wrote: Package: libmapnik0.7 Severity: important The current Version of Mapnik in Debian (squeeze and sid) has been linked against the AGG library provided by the system. Looks like this library (2.5.x) is more or less unmaintained. For this reason mapnik provides a custom Version of the AGG library which fixes the bugs which causes mapnik to hang. The discussion about this topic can be found here: http://www.mail-archive.com/mapnik-us...@lists.berlios.de/msg02953.html I know that the debian policy is to always use external libraries, but this renders the provided package more or less unusable. Unfortunately I don't have patches for AGG to fix this without breaking the debian policy. First of all, the use of non-embedded libraries is not mandatory. Many programs have similar problems and we have to coexists with them, unfortunately. If a patch can be provided (upstream or not) to fix system-wide issues and is not, it is unfortunate, but it happens. That said, the AGG case is quite unfortunate, because AGG 2.5 is GPL2 and AGG 2.4 is MIT licensed. That implies that the whole mapnik should be considered GPL-2 released and that should be noted. This is also something bad, because it violates the original upstream will IMHO. Note also that the embedded copy is a 2.3 or 2.4 version, and we used the same approach for mapserver to avoid those kind of problems. Seriously someone should consider an AGG fork from 2.4 which is something maybe mapserver folks already did. My best guessing is moving to the embedded copy if resulting issues are grave enough to compromise its use. Maybe David can help about that. -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#603470: [DebianGIS-dev] Bug#603470: libmapnik0.7: package linked against broken external AGG
Francesco P. Lovergine schrieb am Montag, den 15. November um 11:19 Uhr: This is also something bad, because it violates the original upstream will IMHO. Yes it does because Mapnik is licenced under LGPL Note also that the embedded copy is a 2.3 or 2.4 version, and we used the same approach for mapserver to avoid those kind of problems. Its a patched version of 2.4 Seriously someone should consider an AGG fork from 2.4 which is something maybe mapserver folks already did. I posted an URL to the discussion of the problem. In there it has been mentioned, that they consider 2.5 dead anyway and that currently 2.4 development ist going on here: http://agg.svn.sourceforge.net/viewvc/agg/agg-2.4/ See http://www.mail-archive.com/mapnik-us...@lists.berlios.de/msg02970.html My best guessing is moving to the embedded copy if resulting issues are grave enough to compromise its use. There are occasional hangs of the rendering library resulting in 100% CPU usage. Sven -- I'm a bastard, and proud of it (Linus Torvalds, Wednesday Sep 6, 2000) /me is gig...@ircnet, http://sven.gegg.us/ on the Web -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#603470: libmapnik0.7: package linked against broken external AGG
Hello Sven, On Mon, 15 Nov 2010 11:19:31 +0100, Francesco P. Lovergine wrote: On Sun, Nov 14, 2010 at 02:15:00PM +0100, Sven Geggus wrote: The current Version of Mapnik in Debian (squeeze and sid) has been linked against the AGG library provided by the system. Yes, this was intended by the previous maintainer, see #493786 . Looks like this library (2.5.x) is more or less unmaintained. For this reason mapnik provides a custom Version of the AGG library which fixes the bugs which causes mapnik to hang. The discussion about this topic can be found here: http://www.mail-archive.com/mapnik-us...@lists.berlios.de/msg02953.html I know that the debian policy is to always use external libraries, but this renders the provided package more or less unusable. [..] [..] That said, the AGG case is quite unfortunate, because AGG 2.5 is GPL2 and AGG 2.4 is MIT licensed. That implies that the whole mapnik should be considered GPL-2 released and that should be noted. This is also something bad, because it violates the original upstream will IMHO. Note also that the embedded copy is a 2.3 or 2.4 version, and we used the same approach for mapserver to avoid those kind of problems. It's a 2.3, at least from what agg/copying says. Seriously someone should consider an AGG fork from 2.4 which is something maybe mapserver folks already did. Francesco, do you know if such a fork has been officially announced, with proper releases and such? It might make sense to provide a separate package (but this is surely post-Squeeze) to link against. So that we don't need N copies of libagg spread around the archive. My best guessing is moving to the embedded copy if resulting issues are grave enough to compromise its use. I need to contact the security and release teams before. I'll reply ASAP. Kindly, David -- . ''`. Debian developer | http://wiki.debian.org/DavidPaleino : :' : Linuxer #334216 --|-- http://www.hanskalabs.net/ `. `'` GPG: 1392B174 | http://deb.li/dapal `- 2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174 signature.asc Description: PGP signature
Bug#603470: libmapnik0.7: package linked against broken external AGG
On Mon, Nov 15, 2010 at 03:45:01PM +0100, David Paleino wrote: It's a 2.3, at least from what agg/copying says. Seriously someone should consider an AGG fork from 2.4 which is something maybe mapserver folks already did. Francesco, do you know if such a fork has been officially announced, with proper releases and such? It might make sense to provide a separate package (but this is surely post-Squeeze) to link against. So that we don't need N copies of libagg spread around the archive. Current committers are simply working on the 2.4 tree, due to obvious license concerns. You can simply check https://agg.svn.sourceforge.net/svnroot/agg and consult the mailing list to check. Maxim has simply lost interest and current working happens onto a specific 2.4 branch. I wonder if maintaining 2.5 in Debian makes sense. Also notes that agg is essentially a template library, so distributing shlibs is a non-sense, because instances are defined by use. That's the reason to have a -dev package only. There's nothing like a 'system wide' library in proper sense. -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#603470: libmapnik0.7: package linked against broken external AGG
Dear Security and Release Teams, On Mon, 15 Nov 2010 12:07:56 +0100, Sven Geggus wrote: Francesco P. Lovergine schrieb am Montag, den 15. November um 11:19 Uhr: My best guessing is moving to the embedded copy if resulting issues are grave enough to compromise its use. There are occasional hangs of the rendering library resulting in 100% CPU usage. I'm writing to you because of #603470. The obvious solution is to link against the internal patched libagg, and this is what mapnik upstream is expecting us to do. The AGG+Mapnik case is unfortunate; the problem is twofold: upstream relicensed the code from MIT to GPL-2 from versions 2.4 → 2.5 (and Mapnik is LGPL, so we're basically restricting its usage when linking to the GPL library), and development of AGG has now stopped. It seems like there are some forks in the wild of the 2.4 branch (because of license concerns). Mapnik embeds a patched 2.3 version of AGG -- I'd like to know if: - security team: would it be acceptable to use the embedded copy? - release team: would such a change have a freeze exception granted? (attaching diff -- the only change is the drop of INTERNAL_LIBAGG=no, but I split it to make it easier to read in future) Thank you, David -- . ''`. Debian developer | http://wiki.debian.org/DavidPaleino : :' : Linuxer #334216 --|-- http://www.hanskalabs.net/ `. `'` GPG: 1392B174 | http://deb.li/dapal `- 2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174 diff --git a/debian/changelog b/debian/changelog index 119090b..019f990 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +mapnik (0.7.1-3) UNRELEASED; urgency=low + + * Compile using internal copy of libagg. (Closes: #603470) + + -- David Paleino da...@debian.org Mon, 15 Nov 2010 16:05:05 +0100 + mapnik (0.7.1-2) unstable; urgency=low * debian/patches/03-fix_ImportError_mips.patch added, fixes diff --git a/debian/control b/debian/control index 678646c..dcd8651 100644 --- a/debian/control +++ b/debian/control @@ -26,7 +26,6 @@ Build-Depends: libfribidi-dev, libgdal1-dev, libxml2-dev, - libagg-dev, libicu-dev, libcairo2-dev, libcairomm-1.0-dev, diff --git a/debian/rules b/debian/rules index a19bd94..067d3c2 100755 --- a/debian/rules +++ b/debian/rules @@ -5,7 +5,12 @@ #export DH_VERBOSE=1 # scons flags -SCONS_FLAGS=INPUT_PLUGINS=raster,sqlite,postgis,ogr,shape,osm,gdal,kismet PROJ_INCLUDES=/usr/include PROJ_LIBS=/usr/lib INTERNAL_LIBAGG=no SYSTEM_FONTS=/usr/share/fonts/truetype/ttf-dejavu XMLPARSER=libxml2 DESTDIR=$(CURDIR)/debian/tmp PREFIX=/usr LIB_DIR_NAME=/mapnik/0.7 +SCONS_FLAGS := INPUT_PLUGINS=raster,sqlite,postgis,ogr,shape,osm,gdal,kismet +SCONS_FLAGS += PROJ_INCLUDES=/usr/include PROJ_LIBS=/usr/lib +SCONS_FLAGS += SYSTEM_FONTS=/usr/share/fonts/truetype/ttf-dejavu +SCONS_FLAGS += XMLPARSER=libxml2 +SCONS_FLAGS += DESTDIR=$(CURDIR)/debian/tmp +SCONS_FLAGS += PREFIX=/usr LIB_DIR_NAME=/mapnik/0.7 CFLAGS = -Wall -g signature.asc Description: PGP signature
Bug#603470: libmapnik0.7: package linked against broken external AGG
On Mon, Nov 15, 2010 at 06:44:11PM +0100, David Paleino wrote: - security team: would it be acceptable to use the embedded copy? Note also that AGG even is a template package for C++, so basically it is not something that one would consider a shlib. It should be considered as embedded by default in any case. -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#603470: libmapnik0.7: package linked against broken external AGG
Package: libmapnik0.7 Severity: important The current Version of Mapnik in Debian (squeeze and sid) has been linked against the AGG library provided by the system. Looks like this library (2.5.x) is more or less unmaintained. For this reason mapnik provides a custom Version of the AGG library which fixes the bugs which causes mapnik to hang. The discussion about this topic can be found here: http://www.mail-archive.com/mapnik-us...@lists.berlios.de/msg02953.html I know that the debian policy is to always use external libraries, but this renders the provided package more or less unusable. Unfortunately I don't have patches for AGG to fix this without breaking the debian policy. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 2.6.35.4-robert-you-suck+ (SMP w/4 CPU cores; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org