Bug#979100: Legally problematic GPL-3+ readline dependency
On Sat, 9 Oct 2021 16:04:33 -0600 Ross Vandegrift wrote:
> Upstream relicensed the client source to GPL v2 or later in 27e37a50
> specifically to address this issue [1]. That change was released in 1.10,
> but d/copyright does not reflect it.
>
> I've opened an MR with the fix at [2], but need a sponsor to upload since
> I'm DN. Since the uploader and maintainer have been inactive for some
> years, and since this bug has had no reply since January, I'll open a
> sponsorship request bug today.
>
> [1] - https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=27e37a50f35cc54c266cbd37e32dadbf3016e5e8
> [2] - https://salsa.debian.org/debian/connman/-/merge_requests/6

Thank you for pointing that out. I take this as RFS and can sponsor it as-is.

Bug#979100: Legally problematic GPL-3+ readline dependency
Control: tags -1 pending

Hello,

On Sat, 2 Jan 2021 18:47:07 +0100 Bastian Germann wrote:
> This package depends on libreadline8 which is GPL-3+ licensed. According
> to debian/copyright parts of your package are GPL-2-only licensed. If
> that is also (transitively) the case for the binaries that link with
> libreadline.so.8 it might be legally problematic (see
> https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).

Since enlightenment Build-Depends on connman, I took a look. I think this isn't actually a problem. According to the docs, readline is only used in the cli client. I confirmed in a fresh sid container:

# dpkg -l connman*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=-===--===
ii connman 1.36-2.2 amd64 Intel Connection Manager daemon
ii connman-dev:amd64 1.36-2.2 amd64 Development files for connman
ii connman-doc 1.36-2.2 all ConnMan documentation
ii connman-vpn 1.36-2.2 amd64 Intel Connection Manager daemon - VPN daemon

root@b7aa1f65ab2d:/# for i in $(dpkg -l connman* | grep connman | awk '{print $2}'); do dpkg -L $i | xargs ldd 2> /dev/null | grep -E '(^/)|libreadline'; done | grep -B 1 readline
/usr/bin/connmanctl:
	libreadline.so.8 => /lib/x86_64-linux-gnu/libreadline.so.8 (0x7f3b73d8b000)

Upstream relicensed the client source to GPL v2 or later in 27e37a50 specifically to address this issue [1]. That change was released in 1.10, but d/copyright does not reflect it.

I've opened an MR with the fix at [2], but need a sponsor to upload since I'm DN. Since the uploader and maintainer have been inactive for some years, and since this bug has had no reply since January, I'll open a sponsorship request bug today.

[1] - https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=27e37a50f35cc54c266cbd37e32dadbf3016e5e8
[2] - https://salsa.debian.org/debian/connman/-/merge_requests/6

Ross

Bug#979100: Legally problematic GPL-3+ readline dependency
Severity: serious

On Sat, 2 Jan 2021 18:47:07 +0100 Bastian Germann wrote:
> This package depends on libreadline8 which is GPL-3+ licensed. According
> to debian/copyright parts of your package are GPL-2-only licensed. If
> that is also (transitively) the case for the binaries that link with
> libreadline.so.8 it might be legally problematic (see
> https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).
>
> There is an easy solution to the problem: Replacing the build dependency
> libreadline-dev with libreadline-gplv2-dev links with the GPL-2+ licensed
> older version. However, that is orphaned in Debian, so libeditreadline-dev
> should be preferred, which does not compile with your package without any
> patch. It links with the BSD-licensed libedit library which is a readline
> replacement.

This is a Policy violation, so I raise the severity.

Bug#979100: Legally problematic GPL-3+ readline dependency
Package: connman
Severity: important

This package depends on libreadline8 which is GPL-3+ licensed. According to debian/copyright parts of your package are GPL-2-only licensed. If that is also (transitively) the case for the binaries that link with libreadline.so.8 it might be legally problematic (see https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).

There is an easy solution to the problem: Replacing the build dependency libreadline-dev with libreadline-gplv2-dev links with the GPL-2+ licensed older version. However, that is orphaned in Debian, so libeditreadline-dev should be preferred, which does not compile with your package without any patch. It links with the BSD-licensed libedit library which is a readline replacement.