Re: configure.in is missing but...

2017-11-24 Thread Paul Wise
On Fri, Nov 24, 2017 at 9:33 PM, Ian Jackson wrote:

> Can't you find a copy of the configure.ac somewhere ?  If not, you may
> be able to reconstruct one.  Skimreading the configure script suggests
> that wouldn't be too hard.

It looks like the jpeg-6b-steg is a modified embedded code copy of
libjpeg6b. outguess upstream really should send their patches in
jpeg-6b-steg.diff to libjpeg upstream and remove the copy. I expect
that outguess is probably vulnerable to the various libjpeg CVEs that
have been released over the years.

Looking at the unmodified source code, libjpeg upstream didn't release
their configure.ac file until libjpeg7:

http://ijg.org/files/jpegsrc.v6b.tar.gz
http://ijg.org/files/jpegsrc.v7.tar.gz

So I think what needs to happen here is that outguess needs a proper
upstream project to exist and be active, remove the embedded code copy
and port the diff to a newer libjpeg and upstream that and then get
that uploaded to Debian.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Re: French gov open license

2017-11-24 Thread Ben Finney
Ian Jackson writes:

> Ben Finney writes ("Re: French gov open license"):
> > More precisely, “pass DFSG” is not something we can ask of licenses.
> > Rather, the DFSG are for evaluating a *work* proposed for entry to
> > Debian.
> > […]
>
> I think this is rather disingenuous. […]

You've presented an example supporting my position:

> I have read the licence PDF and it is a reasonable licence for open
> data. But if used together with some program, it would need to be
> analysed for compatibility with that program's licence.

Yes. So, examining the license is not sufficient to say that a work is
DFSG-free; the work itself, along with license grant and the full
license text, are needed. Without those, “is it DFSG-free?” can't be
answered.

> But that doesn't mean that rejection for wrongnesses in the licence
> itself don't occur.  There are plenty of examples.  It can make sense
> to look at the licence and say "if the whole work was under this
> licence, and there were no other problems, it would be OK".

That's a pretty big “if”, as attested by many discussions over the
years in this forum :-)

I think we agree; I'm not sure why you think it's disingenuous, but I'm
attempting to avoid the common situation where we are asked to judge a
license text divorced from the work and without seeing the grant of
license. Those are crucially important — as is, of course, the license
text itself.

-- 
 \ “Skepticism is the highest duty and blind faith the one |
  `\   unpardonable sin.” —Thomas Henry Huxley, _Essays on |
_o__)   Controversial Questions_, 1889 |
Ben Finney



Re: configure.in is missing but...

2017-11-24 Thread Ian Jackson
Eriberto Mota writes ("configure.in is missing but..."):
> In #882538, Helmut pointed out that outguess[1] has a configure file[2]
> generated by a missing configure.in. He considers that configure, an
> interpreted script (shell), has no source code because of the following
> lines:
...
> I still have doubts about whether this situation is a DFSG violation and I
> need more opinions.

Pabs and Helmut are right.

Can't you find a copy of the configure.ac somewhere ?  If not, you may
be able to reconstruct one.  Skimreading the configure script suggests
that wouldn't be too hard.

Ian.

-- 
Ian Jackson    These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.



configure.in is missing but...

2017-11-24 Thread Eriberto Mota
Hi,

In #882538, Helmut pointed out that outguess[1] has a configure file[2]
generated by a missing configure.in. He considers that configure, an
interpreted script (shell), has no source code because of the following
lines:

# Generated automatically using autoconf version 2.12
[...]
# Any additions from configure.in:
[...]

The script also has a notice:

# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.

IMHO, the configure script can't be regenerated from a configure.ac or
configure.in but it can be modified to work if it is necessary. It is
similar to a traditional configure file, made by hand. I don't see a
real problem here. However, Pabs agrees with Helmut here[3].

I still have doubts about whether this situation is a DFSG violation and I
need more opinions.

Thanks a lot in advance.

Regards,

Eriberto

[1] https://tracker.debian.org/pkg/outguess
[2] https://sources.debian.net/src/outguess/1:0.2-8/jpeg-6b-steg/configure/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882538#20
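
Added example, not part of any post in this thread and not code from Debian or outguess: a heuristic source-tree check for the situation discussed above, a configure script carrying an autoconf "Generated" header with no configure.ac or configure.in beside it. The function names and the sample tree are assumptions constructed for illustration; only the 2.12 header text and the jpeg-6b-steg directory name come from the thread.

```python
import os
import re
import tempfile

# Header written by autoconf into generated scripts: the 2.12-era form quoted
# in the thread, and the "Generated by GNU Autoconf" form of later releases.
GENERATED = re.compile(
    rb"^#\s*Generated (?:automatically using autoconf version|by GNU Autoconf)\s+(\S+)",
    re.M)
INPUTS = ("configure.ac", "configure.in")

def find_orphaned_configure(root):
    """Return sorted [(relative_path, autoconf_version)] for generated
    configure scripts that have no autoconf input file in the same directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "configure" not in files:
            continue
        path = os.path.join(dirpath, "configure")
        with open(path, "rb") as fh:
            head = fh.read(4096)  # the header sits in the first few lines
        match = GENERATED.search(head)
        if match is None:
            continue  # no generator header: treated as hand-written
        if any(name in files for name in INPUTS):
            continue  # input file shipped alongside the generated script
        version = match.group(1).decode("ascii", "replace").rstrip(".")
        findings.append((os.path.relpath(path, root), version))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree: one orphaned generated script, one generated
    script with its input, one hand-written script."""
    samples = {
        "jpeg-6b-steg/configure":
            "#! /bin/sh\n# Generated automatically using autoconf version 2.12\n",
        "configure": "#! /bin/sh\n# Generated by GNU Autoconf 2.69 for sample 0.1.\n",
        "configure.ac": "AC_INIT([sample], [0.1])\n",
        "handmade/configure": "#!/bin/sh\n# written by hand\necho ok\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, version in find_orphaned_configure(tmp):
            print(f"{rel}: autoconf {version} output, no configure.ac/configure.in")
```

A hit from this check usually also marks an embedded code copy worth comparing against its upstream's security history, as raised in the first reply.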