Bug#565969: Re: Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
Am 20.01.2010 19:25, schrieb Frank Lahm: I kindly suggest you compare --with-openssl-dir against --with-ssl-dir char by char. Sorry, you are right, my fault. I just couldn't see what you wanted to tell us in your last mail. ;) Fabian -- Dipl.-Phys. Fabian Greffrath Ruhr-Universität Bochum Lehrstuhl für Energieanlagen und Energieprozesstechnik (LEAT) Universitätsstr. 150, IB 3/134 D-44780 Bochum Telefon: +49 (0)234 / 32-26334 Fax: +49 (0)234 / 32-14227 E-Mail: greffr...@leat.ruhr-uni-bochum.de -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#565969: Re: Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
Am 20.01.2010 18:21, schrieb Jonas Smedegaard: Changing to --without-ssl-dir (i.e. s/openssl/ssl/ works, however. Confirmed to work with --with-ssl-dir=no. - Fabian -- Dipl.-Phys. Fabian Greffrath Ruhr-Universität Bochum Lehrstuhl für Energieanlagen und Energieprozesstechnik (LEAT) Universitätsstr. 150, IB 3/134 D-44780 Bochum Telefon: +49 (0)234 / 32-26334 Fax: +49 (0)234 / 32-14227 E-Mail: greffr...@leat.ruhr-uni-bochum.de -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
As an additional security measure maybe a check like the one attached could be added to debian/rules (roughly taken from the vlc package to make sure no plugin in the vlc-nox package is linked against libX11). - Fabian --- netatalk-2.0.5.orig/debian/rules +++ netatalk-2.0.5/debian/rules @@ -99,6 +99,10 @@ # Refuse GPL build with openssl build-dependencies included post-patches:: $(if $(findstring openssl,$(DEB_BUILD_OPTIONS)),,$(if $(shell egrep -i '^Build-Depends.*$(openssl_build_depends)' debian/control),$(error OpenSSL build-dependencies found in GPL build!))) + +# Check that we do not install anything linked with libssl in a GPl build +binary-post-install/netatalk:: + $(if $(findstring openssl,$(DEB_BUILD_OPTIONS)),,$(if $(shell objdump -x debian/netatalk/usr/lib/netatalk/* 2 /dev/null | sed -n '/NEEDED \+libssl\.so/p'),$(error OpenSSL dependencies found in GPL build!))) # Re-install initscript with debhelper to add pre- and postinst routines install/netatalk::
Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
On Thu, Jan 21, 2010 at 10:59:49AM +0100, Fabian Greffrath wrote: As an additional security measure maybe a check like the one attached could be added to debian/rules (roughly taken from the vlc package to make sure no plugin in the vlc-nox package is linked against libX11). Excellent suggestion. Thanks! - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
Package: netatalk Version: 2.0.5-2 Severity: important Holger Levsen: how about the compromise and doing both, except that for (1) we file the bugs with severity important? Hi Jonas, as recently pointed out on debian-devel [1], the netatalk package is accidently linked against libssl on some arches due to dirty buildd chroots. To avoid this license violation, explicit Build-Conflicts against libssl-dev should be added and only be removed if $DEB_BUILD_OPTIONS contains openssl. Cheers, Fabian [1] http://lists.debian.org/debian-devel/2010/01/msg00354.html -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (550, 'unstable'), (400, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
On Wed, Jan 20, 2010 at 10:25:01AM +0100, Jonas Smedegaard wrote: On Wed, Jan 20, 2010 at 09:55:35AM +0100, Fabian Greffrath wrote: as recently pointed out on debian-devel [1], the netatalk package is accidently linked against libssl on some arches due to dirty buildd chroots. To avoid this license violation, explicit Build-Conflicts against libssl-dev should be added and only be removed if $DEB_BUILD_OPTIONS contains openssl. ...or netatalk build routines tightened to not link against openssl even if available, I assume. The latter is definitely preferred since DEB_BUILD_OPTIONS can't change the value of Build-Conflicts... Cheers, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: Digital signature
Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
On Wed, Jan 20, 2010 at 09:55:35AM +0100, Fabian Greffrath wrote: as recently pointed out on debian-devel [1], the netatalk package is accidently linked against libssl on some arches due to dirty buildd chroots. To avoid this license violation, explicit Build-Conflicts against libssl-dev should be added and only be removed if $DEB_BUILD_OPTIONS contains openssl. ...or netatalk build routines tightened to not link against openssl even if available, I assume. Thanks for pointing this out. I'll deal with it! - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
On Wed, Jan 20, 2010 at 01:28:49AM -0800, Steve Langasek wrote: On Wed, Jan 20, 2010 at 10:25:01AM +0100, Jonas Smedegaard wrote: On Wed, Jan 20, 2010 at 09:55:35AM +0100, Fabian Greffrath wrote: as recently pointed out on debian-devel [1], the netatalk package is accidently linked against libssl on some arches due to dirty buildd chroots. To avoid this license violation, explicit Build-Conflicts against libssl-dev should be added and only be removed if $DEB_BUILD_OPTIONS contains openssl. ...or netatalk build routines tightened to not link against openssl even if available, I assume. The latter is definitely preferred since DEB_BUILD_OPTIONS can't change the value of Build-Conflicts... True. Other (more complex) mechanisms like using a debian/control.in.in file is possible, however. Unfortunately I already set --without-openssl-dir which apparently had no effect. I will try setting --with-openssl-dir=/dev/null :-/ - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
tags 565969 pending thanks On Wed, Jan 20, 2010 at 11:15:23AM +0100, Jonas Smedegaard wrote: On Wed, Jan 20, 2010 at 01:28:49AM -0800, Steve Langasek wrote: On Wed, Jan 20, 2010 at 10:25:01AM +0100, Jonas Smedegaard wrote: On Wed, Jan 20, 2010 at 09:55:35AM +0100, Fabian Greffrath wrote: as recently pointed out on debian-devel [1], the netatalk package is accidently linked against libssl on some arches due to dirty buildd chroots. To avoid this license violation, explicit Build-Conflicts against libssl-dev should be added and only be removed if $DEB_BUILD_OPTIONS contains openssl. ...or netatalk build routines tightened to not link against openssl even if available, I assume. The latter is definitely preferred since DEB_BUILD_OPTIONS can't change the value of Build-Conflicts... True. Other (more complex) mechanisms like using a debian/control.in.in file is possible, however. Unfortunately I already set --without-openssl-dir which apparently had no effect. I will try setting --with-openssl-dir=/dev/null :-/ Ahh, problem isolated: The proper option to use is --with-openssl-dir=no - so the convenient DEB_BUILD_OPTIONS=openssl will be preserved :-) - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
Bug#565969: Re: Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
Ahh, problem isolated: The proper option to use is --with-openssl-dir=no - so the convenient DEB_BUILD_OPTIONS=openssl will be preserved :-) Sure?! # ./configure --with-openssl-dir=no|grep -i ssl checking for SSL... /usr (enabling RANDNUM and DHX support) SSL: CFLAGS = -I/usr/include/openssl -- Dipl.-Phys. Fabian Greffrath Ruhr-Universität Bochum Lehrstuhl für Energieanlagen und Energieprozesstechnik (LEAT) Universitätsstr. 150, IB 3/134 D-44780 Bochum Telefon: +49 (0)234 / 32-26334 Fax: +49 (0)234 / 32-14227 E-Mail: greffr...@leat.ruhr-uni-bochum.de -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#565969: Re: Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
2010/1/20 Fabian Greffrath greffr...@leat.rub.de: Ahh, problem isolated: The proper option to use is --with-openssl-dir=no - so the convenient DEB_BUILD_OPTIONS=openssl will be preserved :-) Sure?! # ./configure --with-openssl-dir=no|grep -i ssl checking for SSL... /usr (enabling RANDNUM and DHX support) SSL: CFLAGS = -I/usr/include/openssl ./configure --help | grep ssl --with-ssl-dir=PATH specify path to OpenSSL installation (must contain -Frank -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#565969: Re: Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
On Wed, Jan 20, 2010 at 04:15:26PM +0100, Fabian Greffrath wrote: Ahh, problem isolated: The proper option to use is --with-openssl-dir=no - so the convenient DEB_BUILD_OPTIONS=openssl will be preserved :-) Sure?! Nope. I went offline (train ride to Copenhagen an hour from my home) where I realized that this wasn' the proper fix. Changing to --without-ssl-dir (i.e. s/openssl/ssl/ works, however. Thanks for double-checking :-) - Jonas -- * Jonas Smedegaard - idealist Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: Digital signature
Bug#565969: Re: Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
Am 20.01.2010 16:34, schrieb Frank Lahm: # ./configure --with-openssl-dir=no|grep -i ssl checking for SSL... /usr (enabling RANDNUM and DHX support) SSL: CFLAGS = -I/usr/include/openssl ./configure --help | grep ssl --with-ssl-dir=PATH specify path to OpenSSL installation (must contain This adds nothing to the discussion. Jonas believed that he can explicitely disable linking against OpenSSL by passing --with-openssl-dir=no to the configure call - which is obviously not true. -- Dipl.-Phys. Fabian Greffrath Ruhr-Universität Bochum Lehrstuhl für Energieanlagen und Energieprozesstechnik (LEAT) Universitätsstr. 150, IB 3/134 D-44780 Bochum Telefon: +49 (0)234 / 32-26334 Fax: +49 (0)234 / 32-14227 E-Mail: greffr...@leat.ruhr-uni-bochum.de -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#565969: Re: Bug#565969: netatalk: Please avoid accidental linking against libssl [was: GPL-licensed software linked against libssl on buildds!]
2010/1/20 Fabian Greffrath greffr...@leat.rub.de: Am 20.01.2010 16:34, schrieb Frank Lahm: # ./configure --with-openssl-dir=no|grep -i ssl checking for SSL... /usr (enabling RANDNUM and DHX support) SSL: CFLAGS = -I/usr/include/openssl ./configure --help | grep ssl --with-ssl-dir=PATH specify path to OpenSSL installation (must contain This adds nothing to the discussion. *cough* Jonas believed that he can explicitely disable linking against OpenSSL by passing --with-openssl-dir=no to the configure call - which is obviously not true. I kindly suggest you compare --with-openssl-dir against --with-ssl-dir char by char. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org