Re: PokerTH orphaned

2011-08-27 Thread Paul Frields
On Tue, Aug 2, 2011 at 12:32 PM, Ryan Rix r...@n.rix.si wrote:
> On Tue 2 August 2011 11:36:20 Hans de Goede wrote:
>> Hi,
>>
>> On 08/01/2011 09:44 PM, Ryan Rix wrote:
>>> On Mon 1 August 2011 19:43:37 Tomas Mraz wrote:
>>>> On Mon, 2011-08-01 at 10:29 -0700, Ryan Rix wrote:
>>>>> On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've just orphaned PokerTH, since I'm trying to free myself some time
>>>>>> and I don't use it myself.
>>>>>>
>>>>>> PokerTH does not currently build on rawhide, since OpenSSL support has
>>>>>> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
>>>>>> again would then require building against OpenSSL (and asking upstream
>>>>>> for a GPL license exception), or shipping a private copy of GnuTLS.
>>>>>
>>>>> I picked up rawhide through F-14. If I can't get this building, I'll
>>>>> orphan it again in a week's time.
>>>>
>>>> Shipping a private copy of GnuTLS would have to get an exception. I do
>>>> not think such an exception should/would be granted. I can only recommend
>>>> you to look at the NSS OpenSSL compatibility support library and
>>>> patching PokerTH to use it instead of the GnuTLS.
>>>
>>> I've talked to a few people about this now, including some folks at
>>> PokerTH about it, and they're confused as to why this change is
>>> happening in GnuTLS at all, and your comment in the bug report did not
>>> seem to explain it to them; could you (or anyone) explain better why
>>> OpenSSL support in gnutls is a Bad Thing?
>>
>> Ryan, have you read the initial description of:
>> https://bugzilla.redhat.com/show_bug.cgi?id=460310
>>
>> ?
>>
>> The problem is that gnutls's openssl compatibility uses the same symbol
>> names as openssl itself thus polluting the dynamic linker symbol namespace.
>> So if an application uses a library which is linked against openssl (for
>> example ldap libs through pam) and uses gnutls-openssl then the ldap
>> libraries will end up calling functions inside gnutls-openssl rather than
>> inside openssl, since the gnutls-openssl symbols are already present in the
>> dynamic linker's symbol namespace. This then goes boom big time, since the 2
>> are not ABI compatible.
>>
>> Since gnutls-openssl is not ABI compatible it should not be using the same
>> function / variable names.
>>
>> Tomas has chosen to fix this problem by simply disabling the openssl compat
>> part of gnutls (which as the above bug shows is broken by design) given that
>> only 3 apps use this, this seems like a sane choice to me.
>>
>> The best way forward is probably to ask PokerTH upstream to add the
>> standard openssl license exception boilerplate to their license, I did
>> so successfully with gkrellm and switched to simply using the real openssl.
>
> Makes sense, thanks Hans. :)
>
> I actually talked to them, and they say that openssl is pulled in only for
> linking libcurl, and that PokerTH itself is using gcrypt for the Big Stuff, so
> it should be fairly easy to fix/work around.

Had any luck with this, Ryan? (Asked the non-programmer guy who really
likes using this package.)

-- 
Paul
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel


Re: PokerTH orphaned

2011-08-02 Thread Hans de Goede
Hi,

On 08/01/2011 09:44 PM, Ryan Rix wrote:
> On Mon 1 August 2011 19:43:37 Tomas Mraz wrote:
>> On Mon, 2011-08-01 at 10:29 -0700, Ryan Rix wrote:
>>> On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
>>>> Hi,
>>>>
>>>> I've just orphaned PokerTH, since I'm trying to free myself some time
>>>> and I don't use it myself.
>>>>
>>>> PokerTH does not currently build on rawhide, since OpenSSL support has
>>>> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
>>>> again would then require building against OpenSSL (and asking upstream
>>>> for a GPL license exception), or shipping a private copy of GnuTLS.
>>>
>>> I picked up rawhide through F-14. If I can't get this building, I'll
>>> orphan it again in a week's time.
>>
>> Shipping a private copy of GnuTLS would have to get an exception. I do
>> not think such an exception should/would be granted. I can only recommend
>> you to look at the NSS OpenSSL compatibility support library and
>> patching PokerTH to use it instead of the GnuTLS.
>
> I've talked to a few people about this now, including some folks at PokerTH
> about it, and they're confused as to why this change is happening in GnuTLS at
> all, and your comment in the bug report did not seem to explain it to them;
> could you (or anyone) explain better why OpenSSL support in gnutls is a Bad
> Thing?

Ryan, have you read the initial description of:
https://bugzilla.redhat.com/show_bug.cgi?id=460310

?

The problem is that gnutls's openssl compatibility uses the same symbol names
as openssl itself thus polluting the dynamic linker symbol namespace. So if
an application uses a library which is linked against openssl (for example
ldap libs through pam) and uses gnutls-openssl then the ldap libraries will
end up calling functions inside gnutls-openssl rather than inside openssl,
since the gnutls-openssl symbols are already present in the dynamic linker's
symbol namespace. This then goes boom big time, since the 2 are not ABI
compatible.

Since gnutls-openssl is not ABI compatible it should not be using the same
function / variable names.

Tomas has chosen to fix this problem by simply disabling the openssl compat
part of gnutls (which as the above bug shows is broken by design) given that
only 3 apps use this, this seems like a sane choice to me.

The best way forward is probably to ask PokerTH upstream to add the
standard openssl license exception boilerplate to their license, I did
so successfully with gkrellm and switched to simply using the real openssl.

Regards,

Hans
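
Added example, not part of the thread or of any project's code: a simplified model of the symbol lookup described in the message above, run over constructed `nm -D`-style listings. The library file names, symbol lists, addresses and load order are assumptions made for illustration.

```python
# Simplified ELF lookup model: first definition in load order wins (no versioning).

# Constructed `nm -D`-style listings; addresses and symbol sets are illustrative.
NM_OUTPUT = {
    "libgnutls-openssl.so": """\
0000000000004a10 T SSL_CTX_new
0000000000004b20 T SSL_new
""",
    "libldap.so": """\
                 U SSL_CTX_new
                 U SSL_CTX_set_verify
                 U SSL_new
""",
    "libssl.so": """\
0000000000021000 T SSL_CTX_new
0000000000021800 T SSL_CTX_set_verify
0000000000022000 T SSL_new
""",
}
# Assumed load order: the app links the compat library; libldap and libssl load later.
LOAD_ORDER = ["libgnutls-openssl.so", "libldap.so", "libssl.so"]
DEFINED = set("TDBRWV")  # nm type codes for exported definitions

def parse_nm(text):
    """Return (defined, undefined) symbol-name sets from `nm -D` output."""
    defined, undefined = set(), set()
    for fields in map(str.split, text.splitlines()):
        if len(fields) >= 2 and fields[-2] == "U":
            undefined.add(fields[-1].split("@")[0])
        elif len(fields) >= 3 and fields[-2] in DEFINED:
            defined.add(fields[-1].split("@")[0])
    return defined, undefined

def resolve(load_order, nm_output):
    """Map (library, undefined symbol) -> library whose definition it binds to."""
    syms = {lib: parse_nm(nm_output[lib]) for lib in load_order}
    return {(lib, s): next((p for p in load_order if s in syms[p][0]), None)
            for lib in load_order for s in syms[lib][1]}

def clashes(nm_output):
    """Names exported by more than one library -> the libraries exporting them."""
    defs = {lib: parse_nm(text)[0] for lib, text in nm_output.items()}
    names = set().union(*defs.values())
    owners = {s: sorted(l for l in defs if s in defs[l]) for s in names}
    return {s: libs for s, libs in owners.items() if len(libs) > 1}

if __name__ == "__main__":
    for (lib, s), provider in sorted(resolve(LOAD_ORDER, NM_OUTPUT).items()):
        print(f"{lib}: {s} -> {provider}")
    print("clashing exports:", clashes(NM_OUTPUT))
```

In this sample libldap's `SSL_new` and `SSL_CTX_new` bind to the compat library while `SSL_CTX_set_verify` binds to the real libssl, so one caller ends up mixing two incompatible implementations. On a real system the listings would come from `nm -D` run on each library a process loads.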






Re: PokerTH orphaned

2011-08-02 Thread Jason L Tibbitts III
>>>>> "HdG" == Hans de Goede hdego...@redhat.com writes:

HdG> Hi,
HdG> Tomas has chosen to fix this problem by simply disabling the
HdG> openssl compat part of gnutls (which as the above bug shows is
HdG> broken by design) given that only 3 apps use this, this seems like
HdG> a sane choice to me.

Except, of course, it appears that someone completely forgot to contact
the people who maintain those applications.  That's not how it's
supposed to work.  Given that it's only three applications, that should
have been pretty easy.  The point is that it's not OK to think we're
only screwing three maintainers; it's OK to do this without actually
talking to them.

My upstream (zoneminder) explicitly removed openssl support because of
the licensing issues.  It can still be made to work, but of course that
violates their license and I can't imagine that at this point they're
going to just change their license to allow us to ship the software.  Of
course I'll try, but in the meantime I certainly can't actually build
the software in Fedora.

 - J


Re: PokerTH orphaned

2011-08-02 Thread Tomas Mraz
On Tue, 2011-08-02 at 07:51 -0500, Jason L Tibbitts III wrote: 
> >>>>> "HdG" == Hans de Goede hdego...@redhat.com writes:
>
> HdG> Hi,
> HdG> Tomas has chosen to fix this problem by simply disabling the
> HdG> openssl compat part of gnutls (which as the above bug shows is
> HdG> broken by design) given that only 3 apps use this, this seems like
> HdG> a sane choice to me.
>
> Except, of course, it appears that someone completely forgot to contact
> the people who maintain those applications.  That's not how it's
> supposed to work.  Given that it's only three applications, that should
> have been pretty easy.  The point is that it's not OK to think we're
> only screwing three maintainers; it's OK to do this without actually
> talking to them.
>
> My upstream (zoneminder) explicitly removed openssl support because of
> the licensing issues.  It can still be made to work, but of course that
> violates their license and I can't imagine that at this point they're
> going to just change their license to allow us to ship the software.  Of
> course I'll try, but in the meantime I certainly can't actually build
> the software in Fedora.

The problem is I tried repoquery against the rawhide repository before
the disabling and either the repository was somehow broken or I made
some mistake because the repoquery returned empty results. That's why I
thought that there is no package depending on the libgnutls-openssl
anymore and so I dropped it. But I really do not plan to add it back
because upstream does not care about it and it seems to be left in the
experimental state forever. I do not think any other software should
depend on it for the SSL support. Either rewrite the SSL support to use
the native GNUTLS API, or use the NSS OpenSSL compatibility layer which
is written in such a way that it does not conflict with the native OpenSSL
libraries.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb



Re: PokerTH orphaned

2011-08-02 Thread Ryan Rix
On Tue 2 August 2011 11:36:20 Hans de Goede wrote:
> Hi,
>
> On 08/01/2011 09:44 PM, Ryan Rix wrote:
>> On Mon 1 August 2011 19:43:37 Tomas Mraz wrote:
>>> On Mon, 2011-08-01 at 10:29 -0700, Ryan Rix wrote:
>>>> On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
>>>>> Hi,
>>>>>
>>>>> I've just orphaned PokerTH, since I'm trying to free myself some time
>>>>> and I don't use it myself.
>>>>>
>>>>> PokerTH does not currently build on rawhide, since OpenSSL support has
>>>>> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
>>>>> again would then require building against OpenSSL (and asking upstream
>>>>> for a GPL license exception), or shipping a private copy of GnuTLS.
>>>>
>>>> I picked up rawhide through F-14. If I can't get this building, I'll
>>>> orphan it again in a week's time.
>>>
>>> Shipping a private copy of GnuTLS would have to get an exception. I do
>>> not think such an exception should/would be granted. I can only recommend
>>> you to look at the NSS OpenSSL compatibility support library and
>>> patching PokerTH to use it instead of the GnuTLS.
>>
>> I've talked to a few people about this now, including some folks at
>> PokerTH about it, and they're confused as to why this change is
>> happening in GnuTLS at all, and your comment in the bug report did not
>> seem to explain it to them; could you (or anyone) explain better why
>> OpenSSL support in gnutls is a Bad Thing?
>
> Ryan, have you read the initial description of:
> https://bugzilla.redhat.com/show_bug.cgi?id=460310
>
> ?
>
> The problem is that gnutls's openssl compatibility uses the same symbol
> names as openssl itself thus polluting the dynamic linker symbol namespace.
> So if an application uses a library which is linked against openssl (for
> example ldap libs through pam) and uses gnutls-openssl then the ldap
> libraries will end up calling functions inside gnutls-openssl rather than
> inside openssl, since the gnutls-openssl symbols are already present in the
> dynamic linker's symbol namespace. This then goes boom big time, since the 2
> are not ABI compatible.
>
> Since gnutls-openssl is not ABI compatible it should not be using the same
> function / variable names.
>
> Tomas has chosen to fix this problem by simply disabling the openssl compat
> part of gnutls (which as the above bug shows is broken by design) given that
> only 3 apps use this, this seems like a sane choice to me.
>
> The best way forward is probably to ask PokerTH upstream to add the
> standard openssl license exception boilerplate to their license, I did
> so successfully with gkrellm and switched to simply using the real openssl.

Makes sense, thanks Hans. :)

I actually talked to them, and they say that openssl is pulled in only for 
linking libcurl, and that PokerTH itself is using gcrypt for the Big Stuff, so 
it should be fairly easy to fix/work around. 

r

-- 
Ryan Rix -- http://rix.si
== OpenSource.com: Where Open Source Happens! ==
   _
 \//_ All Hail the Beefy Miracle!
 /_/
 \ \



PokerTH orphaned

2011-08-01 Thread Jussi Lehtola
Hi,


I've just orphaned PokerTH, since I'm trying to free myself some time
and I don't use it myself.

PokerTH does not currently build on rawhide, since OpenSSL support has
been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
again would then require building against OpenSSL (and asking upstream
for a GPL license exception), or shipping a private copy of GnuTLS.
-- 
Jussi Lehtola
Fedora Project Contributor
jussileht...@fedoraproject.org


Re: PokerTH orphaned

2011-08-01 Thread Ryan Rix
On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
> Hi,
>
> I've just orphaned PokerTH, since I'm trying to free myself some time
> and I don't use it myself.
>
> PokerTH does not currently build on rawhide, since OpenSSL support has
> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
> again would then require building against OpenSSL (and asking upstream
> for a GPL license exception), or shipping a private copy of GnuTLS.

I picked up rawhide through F-14. If I can't get this building, I'll orphan it
again in a week's time.

r
-- 
Ryan Rix -- http://rix.si
== OpenSource.com: Where Open Source Happens! ==
   _
 \//_ All Hail the Beefy Miracle!
 /_/
 \ \



Re: PokerTH orphaned

2011-08-01 Thread Tomas Mraz
On Mon, 2011-08-01 at 10:29 -0700, Ryan Rix wrote: 
> On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
>> Hi,
>>
>> I've just orphaned PokerTH, since I'm trying to free myself some time
>> and I don't use it myself.
>>
>> PokerTH does not currently build on rawhide, since OpenSSL support has
>> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
>> again would then require building against OpenSSL (and asking upstream
>> for a GPL license exception), or shipping a private copy of GnuTLS.
>
> I picked up rawhide through F-14. If I can't get this building, I'll orphan it
> again in a week's time.

Shipping a private copy of GnuTLS would have to get an exception. I do
not think such an exception should/would be granted. I can only recommend
you to look at the NSS OpenSSL compatibility support library and
patching PokerTH to use it instead of the GnuTLS.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb



Re: PokerTH orphaned

2011-08-01 Thread Ryan Rix
On Mon 1 August 2011 19:43:37 Tomas Mraz wrote:
> On Mon, 2011-08-01 at 10:29 -0700, Ryan Rix wrote:
>> On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
>>> Hi,
>>>
>>> I've just orphaned PokerTH, since I'm trying to free myself some time
>>> and I don't use it myself.
>>>
>>> PokerTH does not currently build on rawhide, since OpenSSL support has
>>> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
>>> again would then require building against OpenSSL (and asking upstream
>>> for a GPL license exception), or shipping a private copy of GnuTLS.
>>
>> I picked up rawhide through F-14. If I can't get this building, I'll
>> orphan it again in a week's time.
>
> Shipping a private copy of GnuTLS would have to get an exception. I do
> not think such an exception should/would be granted. I can only recommend
> you to look at the NSS OpenSSL compatibility support library and
> patching PokerTH to use it instead of the GnuTLS.

I've talked to a few people about this now, including some folks at PokerTH 
about it, and they're confused as to why this change is happening in GnuTLS at 
all, and your comment in the bug report did not seem to explain it to them; 
could you (or anyone) explain better why OpenSSL support in gnutls is a Bad 
Thing?

r

-- 
Ryan Rix -- http://rix.si
== OpenSource.com: Where Open Source Happens! ==
   _
 \//_ All Hail the Beefy Miracle!
 /_/
 \ \
