Bug#979100: Legally problematic GPL-3+ readline dependency

2021-10-09 Thread Bastian Germann

On Sat, 9 Oct 2021 16:04:33 -0600 Ross Vandegrift wrote:

> Upstream relicensed the client source to GPL v2 or later in 27e37a50
> specifically to address this issue [1].  That change was released in 1.10, but
> d/copyright does not reflect it.
>
> I've opened an MR with the fix at [2], but need a sponsor to upload since I'm
> DN.  Since the uploader and maintainer have been inactive for some years, and
> since this bug has had no reply since January, I'll open a sponsorship request
> bug today.
>
> [1] - https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=27e37a50f35cc54c266cbd37e32dadbf3016e5e8
> [2] - https://salsa.debian.org/debian/connman/-/merge_requests/6


Thank you for pointing that out. I take this as RFS and can sponsor it 
as-is.




Bug#979100: Legally problematic GPL-3+ readline dependency

2021-10-09 Thread Ross Vandegrift
Control: tags -1 pending

Hello,

On Sat, 2 Jan 2021 18:47:07 +0100 Bastian Germann wrote:
> This package depends on libreadline8 which is GPL-3+ licensed. According 
> to debian/copyright parts of your package are GPL-2-only licensed. If 
> that is also (transitively) the case for the binaries that link with 
> libreadline.so.8 it might be legally problematic (see 
> https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).

Since enlightenment Build-Depends on connman, I took a look.  I think this
isn't actually a problem. 

According to the docs, readline is only used in the cli client.  I confirmed in
a fresh sid container:

  # dpkg -l connman*
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name              Version      Architecture Description
  +++-=================-============-============-============================================
  ii  connman           1.36-2.2     amd64        Intel Connection Manager daemon
  ii  connman-dev:amd64 1.36-2.2     amd64        Development files for connman
  ii  connman-doc       1.36-2.2     all          ConnMan documentation
  ii  connman-vpn       1.36-2.2     amd64        Intel Connection Manager daemon - VPN daemon
  root@b7aa1f65ab2d:/# for i in $(dpkg -l connman* | grep connman | awk '{print $2}'); do dpkg -L $i | xargs ldd 2> /dev/null | grep -E '(^/)|libreadline'; done | grep -B 1 readline
  /usr/bin/connmanctl:
  libreadline.so.8 => /lib/x86_64-linux-gnu/libreadline.so.8 (0x7f3b73d8b000)

Upstream relicensed the client source to GPL v2 or later in 27e37a50
specifically to address this issue [1].  That change was released in 1.10, but
d/copyright does not reflect it.

I've opened an MR with the fix at [2], but need a sponsor to upload since I'm
DN.  Since the uploader and maintainer have been inactive for some years, and
since this bug has had no reply since January, I'll open a sponsorship request
bug today.

[1] - https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=27e37a50f35cc54c266cbd37e32dadbf3016e5e8
[2] - https://salsa.debian.org/debian/connman/-/merge_requests/6

Ross
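
A variant of the check in the message above, as an added example that is not part of the thread: it reads each file's direct DT_NEEDED entries with `readelf -d` instead of `ldd`, which also lists transitive dependencies and whose manual page advises against running it on untrusted executables. The function names and the sample `readelf` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug thread.
# Usage: sh audit.sh PACKAGE SONAME_PREFIX   (e.g. connman libreadline.so)

# Read `readelf -d` output on stdin and print one NEEDED soname per line.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# Succeed if stdin (readelf -d output) has a NEEDED soname starting with $1.
# index() is a literal prefix match, so dots in the soname are not regex dots.
has_direct_dep() {
    needed_sonames | awk -v p="$1" 'index($0, p) == 1 { found = 1 } END { exit !found }'
}

# Print "PACKAGE: FILE" for every regular file shipped by PACKAGE that
# links directly against a library whose soname starts with SONAME_PREFIX.
audit_pkg() {
    dpkg-query -L "$1" | while IFS= read -r f; do
        # Skip directories and symlinks; readelf fails quietly on non-ELF files.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            if readelf -d "$f" 2>/dev/null | has_direct_dep "$2"; then
                printf '%s: %s\n' "$1" "$f"
            fi
        fi
    done
}

# Constructed sample of `readelf -d` output, used to exercise the parser offline.
sample_dynamic() {
    cat <<'EOF'
Dynamic section at offset 0x2d80 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libreadline.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x4000
EOF
}

# Only touch the dpkg database when both arguments are given.
if [ "$#" -ge 2 ]; then
    audit_pkg "$1" "$2"
fi
```
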



Bug#979100: Legally problematic GPL-3+ readline dependency

2021-10-06 Thread Bastian Germann

Severity: serious

On Sat, 2 Jan 2021 18:47:07 +0100 Bastian Germann wrote:
> This package depends on libreadline8 which is GPL-3+ licensed. According 
> to debian/copyright parts of your package are GPL-2-only licensed. If 
> that is also (transitively) the case for the binaries that link with 
> libreadline.so.8 it might be legally problematic (see 
> https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).


There is an easy solution to the problem: Replacing the build dependency 
libreadline-dev with libreadline-gplv2-dev links with the GPL-2+ 
licensed older version. However, that is orphaned in Debian, so 
libeditreadline-dev should be preferred, which does not compile with 
your package without any patch. It links with the BSD-licensed libedit 
library which is a readline replacement.


This is a Policy violation, so I raise the severity.



Bug#979100: Legally problematic GPL-3+ readline dependency

2021-01-02 Thread Bastian Germann

Package: connman
Severity: important

This package depends on libreadline8 which is GPL-3+ licensed. According 
to debian/copyright parts of your package are GPL-2-only licensed. If 
that is also (transitively) the case for the binaries that link with 
libreadline.so.8 it might be legally problematic (see 
https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).


There is an easy solution to the problem: Replacing the build dependency 
libreadline-dev with libreadline-gplv2-dev links with the GPL-2+ 
licensed older version. However, that is orphaned in Debian, so 
libeditreadline-dev should be preferred, which does not compile with 
your package without any patch. It links with the BSD-licensed libedit 
library which is a readline replacement.