Bug#658326: [pkg-bacula-devel] Bug#658326: marked as done (bacula: sha implimentation is non-free)
On Sat, 16 Jun 2012, 06:38:32 EST, Luca Capello l...@pca.it wrote:

posting mobile, hopefully i didn't trim anything vital out.

> On Fri, 15 Jun 2012 14:06:52 +0200, Karl Goetz wrote:
>> On Wed, 02 May 2012 15:16:36 +0200 Luca Capello l...@pca.it wrote:
>
> fixed in squeeze-proposed-updates with the packages at:
>
> =
>
> Just to be clear about upstream reply:
>
> http://bugs.bacula.org/view.php?id=1869#c6325
> kern (administrator) 2012-05-24 07:25
>
> This means that Debian (and any derivative who wants to be DFSG-free) should carry the modification.

Thanks for your extensive reply.

Kk
Bug#658326: [pkg-bacula-devel] Bug#658326: marked as done (bacula: sha implimentation is non-free)
On Wed, 02 May 2012 15:16:36 +0200 Luca Capello l...@pca.it wrote:

Sorry I missed this entire discussion; I forgot about the bug entirely until I saw the close email :/

> Hi there!
>
> On Mon, 30 Apr 2012 11:21:51 +0200, Debian Bug Tracking System wrote:
>> Your message dated Mon, 30 Apr 2012 09:17:34 + with message-id e1somje-0005ra...@franck.debian.org
>> and subject line Bug#658326: fixed in bacula 5.0.3+dfsg-0.1
>> has caused the Debian Bug report #658326,
>> regarding bacula: sha implimentation is non-free
>> to be marked as done.
>
> 2) Have you seen that Karl (the original submitter) specifically talked about stable and oldstable? The problem should be fixed there as well, but the first question above must be addressed first.
>
> Karl, given that the latest upstream sources still contain the incriminated files, have you already brought this problem up to the upstream authors?
>
> http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/src/lib/sha1.c
> http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/src/lib/sha1.h

As you noted later (by filing a bug of your own) I had not done this - apologies.

> Subject: Re: [pkg-bacula-devel] Bug#658326: patch for switch to openssl SHA1 implementation
>
> On Thu, 17 May 2012 18:05:49 +0200, Luca Capello wrote:
> On Mon, 14 May 2012 22:43:12 +0200, Alexander Golovko wrote:
> Ok, i add it into master branch
> http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commitdiff;h=6c562cfdaffd730c796518233f0d97da08a3891b
>
> I am going to upload a fixed package this weekend. Upstream sources re-packaged:
> http://anonscm.debian.org/gitweb/?p=pkg-bacula/bacula.git;a=commit;h=47fbab2da0062f2d4df087496220d969dd755d7b
>
> Thx, bye,
> Gismo / Luca

Thanks everyone for your work on this, sorry I didn't take part in the discussion last month.

thanks,
kk

--
Karl Goetz, (Kamping_Kaiser / VK7FOSS)
http://www.kgoetz.id.au
No, I won't join your social networking group
*** I've changed GPG key to 6C097260 ***
Bug#658326: [pkg-bacula-devel] Bug#658326: marked as done (bacula: sha implimentation is non-free)
found 658326 5.0.2-2.2
tags 658326 + squeeze
found 658326 5.0.3-1
tags 658326 + sid
thanks

Hi there!

On Fri, 15 Jun 2012 14:06:52 +0200, Karl Goetz wrote:
> On Wed, 02 May 2012 15:16:36 +0200 Luca Capello l...@pca.it wrote:
>
> Sorry I missed this entire discussion; I forgot about the bug entirely until I saw the close email :/

No problem and actually thank you for the email, I just realized that I forgot to fix it in stable, so Version:/Tags: added to the BTS and bug fixed in squeeze-proposed-updates with the packages at:

=
$ sudo cat /etc/apt/sources.list.d/people.debian.org_gismo.list
# http://upsilon.cc/~zack/blog/posts/2009/04/howto:_uploading_to_people.d.o_using_dput/
deb http://people.debian.org/~gismo/debian gismo-squeeze-proposed-updates/
deb-src http://people.debian.org/~gismo/debian gismo-squeeze-proposed-updates/
$ sudo wget -O /etc/apt/trusted.gpg.d/luca.pca.it-keyring.gpg \
    http://people.debian.org/~gismo/debian/luca.pca.it-keyring.gpg
$ sudo apt-get -t gismo-squeeze-proposed-updates install $DEB
=

I am testing the above packages on my squeeze boxes, but any more testing is appreciated.

>> 2) Have you seen that Karl (the original submitter) specifically talked about stable and oldstable? The problem should be fixed there as well, but the first question above must be addressed first.
>>
>> Karl, given that the latest upstream sources still contain the incriminated files, have you already brought this problem up to the upstream authors?
>>
>> http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/src/lib/sha1.c
>> http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/src/lib/sha1.h
>
> As you noted later (by filing a bug of your own) I had not done this - apologies.

No need to apologize :-)

Just to be clear about upstream reply:

  http://bugs.bacula.org/view.php?id=1869#c6325
  kern (administrator) 2012-05-24 07:25

  I am closing this bug report because it proposes making a change that is not necessary, and makes Bacula less free. My reasons are:

  1. This change doesn't make sense, because in the context of the code the reference to this document means the license, and it is quite standard to make the license text non-changeable. It is clear from the wording of the license that it is not restrictive.

  2. This code does not contain an RFC. It contains an open and free implementation of an RFC.

  3. Implementing the proposed fix, in fact, adds an additional dependency on OpenSSL to build the base part of Bacula, which is not present in the current code. This is unacceptable to me.

  4. By requiring OpenSSL, you are making Bacula less free and also more incompatible with the GPL (even if I have made an exception for it).

  5. Bacula is unavailable from Source Forge for a good number of people in the world, because it has the possibility of using encryption software. Your patch makes it require encryption software, unless I misunderstand the proposed patch.

  We do not intend to change our code unless we hear from the Internet Society that we are somehow infringing on their license, which seems to me highly improbable.

  You are, of course, free under our current license to make the changes you propose.

This means that Debian (and any derivative who wants to be DFSG-free) should carry the modification.

Thx, bye,
Gismo / Luca
Bug#658326: [pkg-bacula-devel] Bug#658326: marked as done (bacula: sha implimentation is non-free)
tags 658326 + upstream
notfixed 658326 5.0.3+dfsg-0.1
thanks

Hi there!

On Mon, 30 Apr 2012 11:21:51 +0200, Debian Bug Tracking System wrote:
> Your message dated Mon, 30 Apr 2012 09:17:34 + with message-id e1somje-0005ra...@franck.debian.org
> and subject line Bug#658326: fixed in bacula 5.0.3+dfsg-0.1
> has caused the Debian Bug report #658326,
> regarding bacula: sha implimentation is non-free
> to be marked as done.

[...]

> Changes:
>  bacula (5.0.3+dfsg-0.1) unstable; urgency=low
>  .
>    * Non-maintainer upload.
>    * Remove non-free SHA implementation (Closes: #658326).
>    * debian/control: add libncurses5-dev into Build-Depends

Thank you for the NMU, but this is NOT the proper way, please read:

  http://www.debian.org/doc/manuals/developers-reference/pkgs.html#nmu

Specifically:

  § 5.11.1. When and how to do an NMU

  Before doing an NMU, consider the following questions:

  [...]

  * How confident are you about your changes? Please remember the Hippocratic Oath: Above all, do no harm. It is better to leave a package with an open grave bug than applying a non-functional patch, or one that hides the bug instead of resolving it. If you are not 100% sure of what you did, it might be a good idea to seek advice from others. Remember that if you break something in your NMU, many people will be very unhappy about it.

1) Have you checked what the implications are of removing the non-free SHA1 implementation? I imagine that all the installations that have 'signature=SHA1' in their FileSet resources are now broken, which is not acceptable without any warning *before* installation via NEWS.Debian, so administrators can act accordingly. This is why I marked this bug as notfixed.

2) Have you seen that Karl (the original submitter) specifically talked about stable and oldstable? The problem should be fixed there as well, but the first question above must be addressed first.

Karl, given that the latest upstream sources still contain the incriminated files, have you already brought this problem up to the upstream authors?

  http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/src/lib/sha1.c
  http://www.bacula.org/git/cgit.cgi/bacula/tree/bacula/src/lib/sha1.h

Going on with the NMU policies:

  * Have you clearly expressed your intention to NMU, at least in the BTS? It is also a good idea to try to contact the maintainer by other means (private email, IRC).

  When doing an NMU, you must first make sure that your intention to NMU is clear. Then, you must send a patch with the differences between the current package and your proposed NMU to the BTS. The nmudiff script in the devscripts package might be helpful.

  Sometimes, release managers decide to allow NMUs with shorter delays for a subset of bugs (e.g release-critical bugs older than 7 days). Also, some maintainers list themselves in the Low Threshold NMU list, and accept that NMUs are uploaded without delay. But even in those cases, it's still a good idea to give the maintainer a few days to react before you upload, especially if the patch wasn't available in the BTS before, or if you know that the maintainer is generally active.

You have not contacted the pkg-bacula-devel@ mailing list nor sent anything to the BTS. Please note that I am not saying that I (as one of the bacula maintainers) am active (actually, it is more the contrary).

Moreover, your NMU does not *only* include the fix for #658326, but also the one for #646730, without any notice nor taking into account the submitter proposal (patching the upstream build system).

Thx, bye,
Gismo / Luca
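An added example, not part of the thread: a check an administrator could run before upgrading to list the FileSet resources that set `signature = SHA1`, the setting the 2 May message above is concerned about. The sample configuration, the function name `filesets_using` and the simplified parsing (quoted or single-word names, no `#` inside strings) are assumptions.

```python
import re

# Constructed sample Director configuration (not taken from the thread).
SAMPLE_CONF = '''
FileSet {
  Name = "Full Set"
  Include {
    Options { signature = SHA1 }
    File = /etc
  }
}
FileSet {
  Name = "Catalog"
  Include {
    Options { Signature = MD5 }   # uses MD5, so not reported
    File = /var/lib/bacula/bacula.sql
  }
}
Job {
  Name = "BackupClient1"
  FileSet = "Full Set"
}
'''

TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};="]+')

def filesets_using(conf_text, algorithm="SHA1"):
    """Names of FileSet resources with signature=<algorithm> in any Options block."""
    # Assumption: '#' starts a comment and never occurs inside a quoted string.
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    tokens = TOKEN.findall(text)
    hits, depth, in_fileset, name, flagged = [], 0, False, None, False
    for i, tok in enumerate(tokens):
        if tok == "{":
            if depth == 0:  # a top-level resource starts here
                in_fileset = i > 0 and tokens[i - 1].lower() == "fileset"
                name, flagged = None, False
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0 and in_fileset and flagged:
                hits.append(name)
        elif tok == "=" and in_fileset and 0 < i < len(tokens) - 1:
            key, value = tokens[i - 1].lower(), tokens[i + 1].strip('"')
            if key == "name" and depth == 1:
                name = value
            elif key == "signature" and value.lower() == algorithm.lower():
                flagged = True
    return hits
```

Calling `filesets_using(open(path).read())` on a Director configuration file gives the list of FileSet names to review; keyword and value matching is case-insensitive.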