GNU bug report logs -
#34717
GPL and Openssl incompatibilities in u-boot and possibly others
Previous Next
To reply to this bug, email your comments to 34717 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sun, 03 Mar 2019 01:59:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Vagrant Cascadian <vagrant <at> debian.org>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Sun, 03 Mar 2019 01:59:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
The u-boot package definition includes openssl amoung it's inputs, but
is also a GPL2+ software project... but the GPL and OpenSSL licenses are
incompatible:
https://www.gnu.org/licenses/license-list.html#OpenSSL
It doesn't explain the details of *why* they're incompatibly, which is
astoundingly unhelpful. The best explanation I've found is here:
https://people.gnome.org/~markmc/openssl-and-the-gpl.html
Essentially, the Openssl/SSLeay license(s) place additional restrictions
requiring "advertising" clause when distributing in binary form, while
the GPL forbids placing additional restrictions on distribution.
I'm not sure if there's a simple way to search for other packages with
license:gpl and openssl as an input in order to do a quick pass at
auditing... some packages may use the openssl binary as part of the
build process or tests, and not linking any GPLed code against it; in
those cases there would be no license conflict.
Since I believe the incompatibility is only invoked when distributing
binaries, GNU Guix may be in an interesting position to at least make a
simple workaround for affected packages by using:
(arguments `(#:substitutable? #f))
Thus disabling substitutes. Though it poses a curious philosophical
question weather that is an acceptible/appropriate workaround for GNU
Guix...
In the Debian u-boot packaging, some of the features using openssl are
disabled, and some of the u-boot targets that require openssl are not
part of the packages. I'd be happy to help with making such adjustments
if this is deemed the better approach for u-boot specifically.
Other more long-term approaches:
Patch (and submit upstream) the affected packages to support using other
GPL compatible libraries, such as gnutls.
If upstream is reasonably able to add a license exception, that could
also resolve the issue:
https://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Wed, 06 Mar 2019 15:16:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Hi Vagrant,
Vagrant Cascadian <vagrant <at> debian.org> skribis:
> The u-boot package definition includes openssl amoung it's inputs, but
> is also a GPL2+ software project... but the GPL and OpenSSL licenses are
> incompatible:
>
> https://www.gnu.org/licenses/license-list.html#OpenSSL
Thanks for bringing it up.
> I'm not sure if there's a simple way to search for other packages with
> license:gpl and openssl as an input in order to do a quick pass at
> auditing... some packages may use the openssl binary as part of the
> build process or tests, and not linking any GPLed code against it; in
> those cases there would be no license conflict.
openssl <at> 1.0 has 7,029 dependent packages, so it may be hard to sort it
out. I wonder what would be the best way to approach it.
> Since I believe the incompatibility is only invoked when distributing
> binaries, GNU Guix may be in an interesting position to at least make a
> simple workaround for affected packages by using:
>
> (arguments `(#:substitutable? #f))
>
> Thus disabling substitutes. Though it poses a curious philosophical
> question weather that is an acceptible/appropriate workaround for GNU
> Guix...
Hmm yeah, that doesn’t sound right. :-)
> In the Debian u-boot packaging, some of the features using openssl are
> disabled, and some of the u-boot targets that require openssl are not
> part of the packages. I'd be happy to help with making such adjustments
> if this is deemed the better approach for u-boot specifically.
That’d be great. We could definitely remove the OpenSSL dependency when
it’s not needed.
In cases where it is needed, it would be nice to see what it’s used
for. Many projects use OpenSSL just for its cryptographic hash
functions, for example, and there’s plenty of options to choose from if
that’s all that’s needed (Gcrypt, Nettle, etc.).
I guess this should be discussed with upstream.
Thanks,
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Wed, 06 Mar 2019 18:13:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
> openssl <at> 1.0 has 7,029 dependent packages, so it may be hard to sort it
> out. I wonder what would be the best way to approach it.
I can't believe I seriously suggest the following but:
A license algebra and guix commands that automate part of the lawyering,
by using the "license" field of the packages, which would now have at
least "and-license" and "or-license" operators and maybe also finer-grained
ones, and a placeholder for "it's too difficult, sort it out manually"
(maybe just detect the list we have now as "it's too difficult").
If we do it, we should add a disclaimer that it doesn't replace the need
for legal counsel entirely.
[Message part 2 (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Thu, 07 Mar 2019 04:18:01 GMT)
Full text and
rfc822 format available.
Message #14 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2019-03-06, Ludovic Courtès wrote:
> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>
>> The u-boot package definition includes openssl amoung it's inputs, but
>> is also a GPL2+ software project... but the GPL and OpenSSL licenses are
>> incompatible:
>>
>> https://www.gnu.org/licenses/license-list.html#OpenSSL
>
> Thanks for bringing it up.
>
>> I'm not sure if there's a simple way to search for other packages with
>> license:gpl and openssl as an input in order to do a quick pass at
>> auditing... some packages may use the openssl binary as part of the
>> build process or tests, and not linking any GPLed code against it; in
>> those cases there would be no license conflict.
>
> openssl <at> 1.0 has 7,029 dependent packages, so it may be hard to sort it
> out. I wonder what would be the best way to approach it.
How many of them are also license:gpl* though? That would hopefully
reduce the scope somewhat, or maybe even significantly...
If "guix package --search= ..." could be extended to to also search
other fields, e.g. license: and dependencies: ... it might not be so
difficult a search.
>> In the Debian u-boot packaging, some of the features using openssl are
>> disabled, and some of the u-boot targets that require openssl are not
>> part of the packages. I'd be happy to help with making such adjustments
>> if this is deemed the better approach for u-boot specifically.
>
> That’d be great. We could definitely remove the OpenSSL dependency when
> it’s not needed.
For what it's worth, I did do local builds of all the current u-boot-*
targets in guix with openssl removed from inputs, and the only one that
failed to build without openssl was u-boot-tools.
> In cases where it is needed, it would be nice to see what it’s used
> for. Many projects use OpenSSL just for its cryptographic hash
> functions, for example, and there’s plenty of options to choose from if
> that’s all that’s needed (Gcrypt, Nettle, etc.).
I think it is using it for generating and verifying rsa signatures, and
probably other similar basic things. So far I had only thought about
gnutls, but if gcrypt or nettle are other options, then so much the
better.
I briefly looked at gnutls's openssl compatibility layers, but it didn't
seem to implement sufficiently similar include files, which is largely
all that it is doing.
> I guess this should be discussed with upstream.
I did bring it upstream a little over a year ago, and the response was
pretty much to rewrite it with gnutls, and I pointed out the most likely
files that needed updating:
https://lists.denx.de/pipermail/u-boot/2017-November/312483.html
https://lists.denx.de/pipermail/u-boot/2017-December/313616.html
https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
I suspect it's pretty much a "patches accepted" sort of scenario.
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Thu, 07 Mar 2019 23:03:02 GMT)
Full text and
rfc822 format available.
Message #17 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2019-03-06, Vagrant Cascadian wrote:
> On 2019-03-06, Ludovic Courtès wrote:
>> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>>> The u-boot package definition includes openssl amoung it's inputs, but
>>> is also a GPL2+ software project... but the GPL and OpenSSL licenses are
>>> incompatible:
>>>
>>> https://www.gnu.org/licenses/license-list.html#OpenSSL
...
>>> In the Debian u-boot packaging, some of the features using openssl are
>>> disabled, and some of the u-boot targets that require openssl are not
>>> part of the packages. I'd be happy to help with making such adjustments
>>> if this is deemed the better approach for u-boot specifically.
>>
>> That’d be great. We could definitely remove the OpenSSL dependency when
>> it’s not needed.
>
> For what it's worth, I did do local builds of all the current u-boot-*
> targets in guix with openssl removed from inputs, and the only one that
> failed to build without openssl was u-boot-tools.
I've tested that the attached patch builds all u-boot-* targets on
x86_64 (cross-building most of them), with openssl removed from
native-inputs.
Unfortunately, u-boot-tools fails it's tests on aarch64 and armhf, but
that appears to be the case with or without this patch, so it's no worse
off than it was...
I'm not sure where it would be appropriate to add more comments
regarding the GPL/Openssl incompatibilities; e.g. if someone were to
propose adding one of the u-boot targets that requires it, they might
just go ahead and re-add the openssl input...
live well,
vagrant
[0001-gnu-u-boot-Remove-openssl-input.patch (text/x-diff, inline)]
From ee613387c49ca60905e0a40af8af017828c8aec8 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant <at> debian.org>
Date: Thu, 7 Mar 2019 21:50:58 +0000
Subject: [PATCH] gnu: u-boot: Remove openssl input.
Fixes: https://bugs.gnu.org/34717
* gnu/packages/bootloaders (u-boot): Remove openssl from native-inputs.
(u-boot-tools): Disable FIT_SIGNATURES in tests.
---
gnu/packages/bootloaders.scm | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index b0617f452a..15953ab75e 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -391,7 +391,6 @@ tree binary files. These are board description files used by Linux and BSD.")
("dtc" ,dtc)
("flex" ,flex)
("lz4" ,lz4)
- ("openssl" ,openssl)
("python-2" ,python-2)
("python2-coverage" ,python2-coverage)
("python2-pytest" ,python2-pytest)
@@ -440,9 +439,14 @@ also initializes the boards (RAM etc).")
(("def test_ctrl_c")
"@pytest.mark.skip(reason='Guix has problems with SIGINT')
def test_ctrl_c"))
- ;; This test requires a sound system, which is un-used in u-boot-tools.
(for-each (lambda (file)
(substitute* file
+ ;; Disable signatures, due to GPL/Openssl
+ ;; license incompatibilities. See
+ ;; https://bugs.gnu.org/34717 for details.
+ (("CONFIG_FIT_SIGNATURE=y") "CONFIG_FIT_SIGNATURE=n")
+ ;; This test requires a sound system, which is un-used
+ ;; in u-boot-tools.
(("CONFIG_SOUND=y") "CONFIG_SOUND=n")))
(find-files "configs" "sandbox_.*defconfig$"))
#t))
--
2.20.1
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 08 Mar 2019 10:00:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Danny Milosavljevic <dannym <at> scratchpost.org> skribis:
> I can't believe I seriously suggest the following but:
>
> A license algebra [...]
Yeah, licensing is anything but an algebra, so let’s not take that path.
:-)
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 08 Mar 2019 10:09:01 GMT)
Full text and
rfc822 format available.
Message #23 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Hi
Vagrant Cascadian <vagrant <at> debian.org> skribis:
> On 2019-03-06, Ludovic Courtès wrote:
[...]
>> openssl <at> 1.0 has 7,029 dependent packages, so it may be hard to sort it
>> out. I wonder what would be the best way to approach it.
>
> How many of them are also license:gpl* though? That would hopefully
> reduce the scope somewhat, or maybe even significantly...
>
> If "guix package --search= ..." could be extended to to also search
> other fields, e.g. license: and dependencies: ... it might not be so
> difficult a search.
Here’s an estimate:
--8<---------------cut here---------------start------------->8---
$ guix package -s "" |recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' |grep ^name| wc -l
265
--8<---------------cut here---------------end--------------->8---
You can view the list of packages like this:
--8<---------------cut here---------------start------------->8---
guix package -s "" |recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' -p name,version
--8<---------------cut here---------------end--------------->8---
>>> In the Debian u-boot packaging, some of the features using openssl are
>>> disabled, and some of the u-boot targets that require openssl are not
>>> part of the packages. I'd be happy to help with making such adjustments
>>> if this is deemed the better approach for u-boot specifically.
>>
>> That’d be great. We could definitely remove the OpenSSL dependency when
>> it’s not needed.
>
> For what it's worth, I did do local builds of all the current u-boot-*
> targets in guix with openssl removed from inputs, and the only one that
> failed to build without openssl was u-boot-tools.
Not that bad!
>> In cases where it is needed, it would be nice to see what it’s used
>> for. Many projects use OpenSSL just for its cryptographic hash
>> functions, for example, and there’s plenty of options to choose from if
>> that’s all that’s needed (Gcrypt, Nettle, etc.).
>
> I think it is using it for generating and verifying rsa signatures, and
> probably other similar basic things. So far I had only thought about
> gnutls, but if gcrypt or nettle are other options, then so much the
> better.
>
> I briefly looked at gnutls's openssl compatibility layers, but it didn't
> seem to implement sufficiently similar include files, which is largely
> all that it is doing.
Yeah, GnuTLS’ OpenSSL compat layer has been bitrotting since forever.
But really rather than GnuTLS they should target one of these crypto
libraries, which seem to be a better fit.
>> I guess this should be discussed with upstream.
>
> I did bring it upstream a little over a year ago, and the response was
> pretty much to rewrite it with gnutls, and I pointed out the most likely
> files that needed updating:
>
> https://lists.denx.de/pipermail/u-boot/2017-November/312483.html
> https://lists.denx.de/pipermail/u-boot/2017-December/313616.html
> https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
>
> I suspect it's pretty much a "patches accepted" sort of scenario.
I guess “we” should consider doing it at some point. Changing the RSA
signature code to use another API can’t be that hard™. ;-)
I see from the message above that PEM encoding/decoding may also be
needed, which Gcrypt doesn’t provide.
Thanks,
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 08 Mar 2019 10:17:02 GMT)
Full text and
rfc822 format available.
Message #26 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> skribis:
> Here’s an estimate:
Oops, I was doing an “or” instead of an “and”; here’s the fix:
--8<---------------cut here---------------start------------->8---
$ guix package -s "" |recsel -e 'license ~ "GPL" && dependencies ~ "openssl"' |grep ^name | wc -l
154
--8<---------------cut here---------------end--------------->8---
Still a lot, and that doesn’t take into account indirect GPL dependents.
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 08 Mar 2019 10:24:01 GMT)
Full text and
rfc822 format available.
Message #29 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Hi,
Vagrant Cascadian <vagrant <at> debian.org> skribis:
> I've tested that the attached patch builds all u-boot-* targets on
> x86_64 (cross-building most of them), with openssl removed from
> native-inputs.
>
> Unfortunately, u-boot-tools fails it's tests on aarch64 and armhf, but
> that appears to be the case with or without this patch, so it's no worse
> off than it was...
This can be fixed separately then.
> I'm not sure where it would be appropriate to add more comments
> regarding the GPL/Openssl incompatibilities; e.g. if someone were to
> propose adding one of the u-boot targets that requires it, they might
> just go ahead and re-add the openssl input...
There’s always a risk. I guess we’ll have to be careful when doing
reviews.
In addition, we can add a ‘lint’ checker for this case, WDYT?
> From ee613387c49ca60905e0a40af8af017828c8aec8 Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant <at> debian.org>
> Date: Thu, 7 Mar 2019 21:50:58 +0000
> Subject: [PATCH] gnu: u-boot: Remove openssl input.
>
> Fixes: https://bugs.gnu.org/34717
>
> * gnu/packages/bootloaders (u-boot): Remove openssl from native-inputs.
> (u-boot-tools): Disable FIT_SIGNATURES in tests.
Applied, thanks!
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 08 Mar 2019 19:15:01 GMT)
Full text and
rfc822 format available.
Message #32 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2019-03-08, Ludovic Courtès wrote:
> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>> I'm not sure where it would be appropriate to add more comments
>> regarding the GPL/Openssl incompatibilities; e.g. if someone were to
>> propose adding one of the u-boot targets that requires it, they might
>> just go ahead and re-add the openssl input...
>
> There’s always a risk. I guess we’ll have to be careful when doing
> reviews.
Sure. I was thinking maybe putting a comment in the native-inputs where
"openssl" was removed, but wasn't sure what the conventions might be.
> In addition, we can add a ‘lint’ checker for this case, WDYT?
Does the lint checker have a way to identify a confidence level,
e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
override the lint checker issues for known false positives? Otherwise,
it might just be annoying noise for packagers where it isn't
appropriate.
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sat, 09 Mar 2019 21:58:02 GMT)
Full text and
rfc822 format available.
Message #35 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Vagrant Cascadian <vagrant <at> debian.org> skribis:
> On 2019-03-08, Ludovic Courtès wrote:
>> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>>> I'm not sure where it would be appropriate to add more comments
>>> regarding the GPL/Openssl incompatibilities; e.g. if someone were to
>>> propose adding one of the u-boot targets that requires it, they might
>>> just go ahead and re-add the openssl input...
>>
>> There’s always a risk. I guess we’ll have to be careful when doing
>> reviews.
>
> Sure. I was thinking maybe putting a comment in the native-inputs where
> "openssl" was removed, but wasn't sure what the conventions might be.
Yeah that would have worked I guess.
>> In addition, we can add a ‘lint’ checker for this case, WDYT?
>
> Does the lint checker have a way to identify a confidence level,
> e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
> override the lint checker issues for known false positives? Otherwise,
> it might just be annoying noise for packagers where it isn't
> appropriate.
No it doesn’t have that notion of a confidence level.
The warning could be triggered only when a package is GPL’d and has a
direct dependency on OpenSSL (we’d forget about indirect dependencies in
this case.) The noise would be rather limited and justified in this
case, I think. WDYT?
Thanks,
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sat, 09 Mar 2019 23:12:03 GMT)
Full text and
rfc822 format available.
Message #38 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2019-03-09, Ludovic Courtès wrote:
> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>> On 2019-03-08, Ludovic Courtès wrote:
>>> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>>> In addition, we can add a ‘lint’ checker for this case, WDYT?
>>
>> Does the lint checker have a way to identify a confidence level,
>> e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
>> override the lint checker issues for known false positives? Otherwise,
>> it might just be annoying noise for packagers where it isn't
>> appropriate.
>
> No it doesn’t have that notion of a confidence level.
And I presume no overrides either, given no comment about that?
> The warning could be triggered only when a package is GPL’d and has a
> direct dependency on OpenSSL (we’d forget about indirect dependencies in
> this case.) The noise would be rather limited and justified in this
> case, I think. WDYT?
The openssl package currently ships the "openssl" binary, as well as the
libraries. I suspect there are at least three potential cases where a
package might depend on it:
* Calls the "openssl" binary as part of test suite or run-time. No
licensing compatibility issue, no worries!
* Using include files from the openssl headers; I guess you could search
for "include .* openssl/*.h" in the source code. Might get some false
positives. Can be run without actually even building it.
* Linking against the library which should actually be easy to detect
with ldd or other tools. Would need to build and then run the checks to
be sure.
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sun, 10 Mar 2019 04:00:01 GMT)
Full text and
rfc822 format available.
Message #41 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Hi,
Hopefully the OpenSSL re-licensing [0] will help with this problem in the
long-term. At least for code that can be distributed under GPLv3, which
may include u-boot [1].
Best,
Jack
[0] https://www.openssl.org/blog/blog/2018/03/01/last-license/
[1] https://www.denx.de/wiki/U-Boot/Licensing
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sun, 10 Mar 2019 17:14:01 GMT)
Full text and
rfc822 format available.
Message #44 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Hi,
Vagrant Cascadian <vagrant <at> debian.org> skribis:
> On 2019-03-09, Ludovic Courtès wrote:
>> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>>> On 2019-03-08, Ludovic Courtès wrote:
>>>> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>>>> In addition, we can add a ‘lint’ checker for this case, WDYT?
>>>
>>> Does the lint checker have a way to identify a confidence level,
>>> e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
>>> override the lint checker issues for known false positives? Otherwise,
>>> it might just be annoying noise for packagers where it isn't
>>> appropriate.
>>
>> No it doesn’t have that notion of a confidence level.
>
> And I presume no overrides either, given no comment about that?
We could arrange for this lint “checker” to honor some per-package
property that would silence it. We do that with the ‘cve’ checker and
the ‘lint-hidden-cve’ property.
>> The warning could be triggered only when a package is GPL’d and has a
>> direct dependency on OpenSSL (we’d forget about indirect dependencies in
>> this case.) The noise would be rather limited and justified in this
>> case, I think. WDYT?
>
> The openssl package currently ships the "openssl" binary, as well as the
> libraries. I suspect there are at least three potential cases where a
> package might depend on it:
>
> * Calls the "openssl" binary as part of test suite or run-time. No
> licensing compatibility issue, no worries!
>
> * Using include files from the openssl headers; I guess you could search
> for "include .* openssl/*.h" in the source code. Might get some false
> positives. Can be run without actually even building it.
>
> * Linking against the library which should actually be easy to detect
> with ldd or other tools. Would need to build and then run the checks to
> be sure.
So for the 1st case we’d definitely need that property to tell ‘lint’
that everything is known-good.
‘guix lint’ does very inexpensive tests, so unpacking the tarball and
grepping it would be beyond its scope. However, if we can provide the
warning and people have a way to silence it, I guess we’re fine?
Thanks,
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sat, 16 Mar 2019 00:05:02 GMT)
Full text and
rfc822 format available.
Message #47 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi there! :D
Em 07/03/2019 01:17, Vagrant Cascadian escreveu:
> How many of them are also license:gpl* though? That would hopefully
My Guix pull is from commit d22d246a256814784dfb03437949bdc2efd746a5.
I made a little recsel trick to get all packages licensed under [A]GPL
(any version) and which are dependent on any package licensed under
OpenSSL. However, this doesn't check if the [A]GPL'd packages use the
OpenSSL'd dependencies' library or the object code/executable. That
said, there might be plenty of false entries here.
------------------------------------------------------------------------
$ guix package -s '' | recsel -CR "name,version" -e 'license ~
"([[:space:]]|^)[A]?GPL" && dependencies ~ "([[:space:]]|^)('$(guix
package -s '' | recsel -CR 'name,version' -e 'license ~ "OpenSSL"' | tr
'\n' '|' | sed 's/[[:space:]]/@/g; s/\(\.\)/\\\1/g;
s/|\($\)/\1/g')')([[:space:]]|$)"' | sed 's/ /@/g' | tr '\n' ' '
------------------------------------------------------------------------
This gives the following list:
------------------------------------------------------------------------
neon <at> 0.30.2 fetchmail <at> 6.3.26 git-crypt <at> 0.5.0 socat <at> 1.7.3.2 scribus <at> 1.5.4
389-ds-base <at> 1.4.0.13 bigloo <at> 4.3e1 kdelibs4support <at> 5.55.0 munge <at> 0.5.13
gnunet <at> 0.10.1 mupdf <at> 1.14.0 slurm <at> 17.11.3 sssd <at> 1.16.2 wesnoth <at> 1.14.6
yapet <at> 1.1 keepalived <at> 2.0.5 perl-net-ssleay <at> 1.85 r-ggally <at> 1.4.0
john-the-ripper-jumbo <at> 1.8.0-1 psyclpc <at> 20160821-2.61cf9aa hexchat <at> 2.14.2
glusterfs <at> 3.10.12 openvpn <at> 2.4.7 libesmtp <at> 1.0.6 httping <at> 2.5
clamav <at> 0.101.1 python2-mysqlclient <at> 1.3.13 python-mysqlclient <at> 1.3.13
openrct2 <at> 0.2.1 calibre <at> 3.35.0 encfs <at> 1.9.5 mosh <at> 1.3.2 qbittorrent <at> 4.1.5
mongodb <at> 3.4.10 wimlib <at> 1.13.0 libsignal-protocol-c <at> 2.3.2 kicad <at> 5.0.0
stunnel <at> 5.48 ceph <at> 13.2.2 looking-glass-client <at> a12-182c475
warzone2100 <at> 3.2.3 linuxdcpp <at> 1.1.0 openvswitch <at> 2.10.1 transmission <at> 2.94
gvpe <at> 3.1 ppp <at> 2.4.7 libgit2 <at> 0.27.7 u-boot-novena <at> 2019.01 uwsgi <at> 2.0.18
icecast <at> 2.4.4 rdesktop <at> 1.8.4 gandi.cli <at> 1.3 thc-ipv6 <at> 3.4-0.4bb7257
linux-libre-arm-omap2plus <at> 4.20.13 linux-libre-arm-omap2plus <at> 4.19.26
linux-libre-arm-omap2plus <at> 4.14.104 linux-libre-arm-generic <at> 4.20.13
linux-libre-arm-generic <at> 4.19.26 linux-libre-arm-generic <at> 4.14.104
cadaver <at> 0.23.3 rtorrent <at> 0.9.6 libmesode <at> 0.9.2 restbed <at> 4.6-1.6eb385f
virtuoso-ose <at> 7.2.5 libtorrent <at> 0.13.6 libstrophe <at> 0.9.2
jupyter-guile-kernel <at> 0.0.0-1.a7db924 clementine <at> 1.3.1-2.4619a4c
linux-libre <at> 4.9.161 linux-libre <at> 4.4.176 linux-libre <at> 4.20.13
linux-libre <at> 4.19.26 linux-libre <at> 4.14.104 synergy <at> 1.10.1 moc <at> 2.5.2
netsurf <at> 3.8 git-minimal <at> 2.21.0 kodi <at> 18.1 mysql <at> 5.7.23 strongswan <at> 5.6.3
perl-crypt-openssl-rsa <at> 0.31 perl-crypt-openssl-random <at> 0.13 libcmis <at> 0.5.2
git <at> 2.21.0 hydra <at> 20151030.1ff48da perl-crypt-openssl-bignum <at> 0.09
links <at> 2.18 neomutt <at> 20180716 u-boot-tools <at> 2019.01 burp <at> 2.3.0
u-boot-nintendo-nes-classic-edition <at> 2019.01 cgit <at> 1.2.1 dillo <at> 3.0.5
isync <at> 1.3.0 testdisk <at> 7.0 r-git2r <at> 0.24.0 khtml <at> 5.55.0 tinc <at> 1.0.35
4store <at> 1.1.6 u-boot-a20-olinuxino-micro <at> 2019.01
u-boot-a20-olinuxino-lime2 <at> 2019.01 efitools <at> 1.9.2
u-boot-a20-olinuxino-lime <at> 2019.01 u-boot-bananapi-m2-ultra <at> 2019.01
u-boot-am335x-boneblack <at> 2019.01 u-boot-vexpress-ca9x4 <at> 2019.01
profanity <at> 0.5.1 virt-viewer <at> 7.0 irssi <at> 1.1.2 wesnoth-server <at> 1.14.6
u-boot-puma-rk3399 <at> 2019.01 u-boot-pine64-plus <at> 2019.01 mariadb <at> 10.1.37
u-boot-cubietruck <at> 2019.01 u-boot-cubieboard <at> 2019.01
u-boot-wandboard <at> 2019.01 u-boot-mx6cuboxi <at> 2019.01
u-boot-pinebook <at> 2019.01 u-boot-malta <at> 2019.01 xen <at> 4.11.1 faust <at> 2.5.23
mutt <at> 1.11.3 sbsigntools <at> 0.9.2
------------------------------------------------------------------------
--
- Página com formas de contato:
https://libreplanet.org/wiki/User:Adfeno#vCard
- Ativista do software livre (não confundir com o gratuito). Avaliador
da liberdade de software e de sites.
- Página com lista de contribuições:
https://libreplanet.org/wiki/User:Adfeno#Contribs
- Para uso em escritórios e trabalhos, favor enviar arquivos do padrão
internacional OpenDocument/ODF 1.2 (ISO/IEC 26300-1:2015 e
correlatos). São os .odt/.ods/.odp/odg. O LibreOffice é a suíte de
escritório recomendada para editar tais arquivos.
- Para outros formatos de arquivos, veja:
https://libreplanet.org/wiki/User:Adfeno#Arquivos
- Gosta do meu trabalho? Contrate-me ou doe algo para mim!
https://libreplanet.org/wiki/User:Adfeno#Suporte
- Use comunicações sociais federadas padronizadas, onde o "social"
permanece independente do fornecedor. #DeleteWhatsApp. Use #XMPP
(https://libreplanet.org/wiki/XMPP.pt), #DeleteFacebook
#DeleteInstagram #DeleteTwitter #DeleteYouTube. Use #ActivityPub via
#Mastodon (https://joinmastodon.org/).
- #DeleteNetflix #CancelNetflix. Evite #DRM:
https://www.defectivebydesign.org/
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 22 Oct 2021 06:18:01 GMT)
Full text and
rfc822 format available.
Message #50 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2019-03-08, Ludovic Courtès wrote:
> Vagrant Cascadian <vagrant <at> debian.org> skribis:
>> I'm not sure where it would be appropriate to add more comments
>> regarding the GPL/Openssl incompatibilities; e.g. if someone were to
>> propose adding one of the u-boot targets that requires it, they might
>> just go ahead and re-add the openssl input...
>
> There’s always a risk. I guess we’ll have to be careful when doing
> reviews.
>
> In addition, we can add a ‘lint’ checker for this case, WDYT?
>
>> From ee613387c49ca60905e0a40af8af017828c8aec8 Mon Sep 17 00:00:00 2001
>> From: Vagrant Cascadian <vagrant <at> debian.org>
>> Date: Thu, 7 Mar 2019 21:50:58 +0000
>> Subject: [PATCH] gnu: u-boot: Remove openssl input.
>>
>> Fixes: https://bugs.gnu.org/34717
>>
>> * gnu/packages/bootloaders (u-boot): Remove openssl from native-inputs.
>> (u-boot-tools): Disable FIT_SIGNATURES in tests.
>
> Applied, thanks!
For the last couple years guix has been applying simple workarounds in
u-boot packages to disable the features that required openssl due to
GPL/openssl license incompatibilities.
I made an attempt at updating guix to u-boot 2021.10, which seems to
have made openssl harder to workaround... many of the u-boot-BOARD
packages now require it, and the previous workarounds to disable openssl
in u-boot-tools seem ineffective.
I see a few ways forward:
* Dig deeper into figuring out how to disable the workarounds...
* Refactor the code that uses openssl to use an alternate
implementation. Upstream would welcome the fixes, at least in
theory. Most promising candidate might be wolfssl, last I looked, but
it may miss some features.
* Convince upstream u-boot to relicense relevent GPLed portions of code
with an openssl exception. Upstream is dubious about this being
practical, largely due to the sheer number of potential contributors
who would have to agree to it.
* ???
While openssl 3.0 is licensed compatibly with GPLv3, u-boot has portions
which are GPLv2-only, so that's not as attractive of a way forward as
one might hope for...
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 22 Oct 2021 20:36:01 GMT)
Full text and
rfc822 format available.
Message #53 received at 34717 <at> debbugs.gnu.org (full text, mbox):
On Thu, Oct 21, 2021 at 11:17:03PM -0700, Vagrant Cascadian wrote:
> While openssl 3.0 is licensed compatibly with GPLv3, u-boot has portions
> which are GPLv2-only, so that's not as attractive of a way forward as
> one might hope for...
What are other distros doing? Surely we can't be the only group
distributing u-boot?
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 22 Oct 2021 21:16:02 GMT)
Full text and
rfc822 format available.
Message #56 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2021-10-22, Leo Famulari wrote:
> On Thu, Oct 21, 2021 at 11:17:03PM -0700, Vagrant Cascadian wrote:
>> While openssl 3.0 is licensed compatibly with GPLv3, u-boot has portions
>> which are GPLv2-only, so that's not as attractive of a way forward as
>> one might hope for...
>
> What are other distros doing? Surely we can't be the only group
> distributing u-boot?
Both fedora and (recently) debian have openssl declared as a system
library, invoking the GPL's system library exception... which I
personally find at best to be a grey area workaround.
I wouldn't be surprised if most distros simply ignore the issue
entirely.
Interestingly, today I was called in on a relevent discussion on the
u-boot mailing list:
https://lists.denx.de/pipermail/u-boot/2021-October/464529.html
Though, it is *possible* that various u-boot-BOARD in some cases doesn't
include any openssl code at all in the resulting binaries, but builds
some tools used during the build process, that are then used to produce
various cryptographic signatures in the build:
https://lists.denx.de/pipermail/u-boot/2021-October/464533.html
If that's true, it should be ok for various boards (though the
possibility of openssl code getting linked in would be hard to
catch).
u-boot-tools would still need a viable workaround, though.
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Fri, 22 Oct 2021 21:18:02 GMT)
Full text and
rfc822 format available.
Message #59 received at 34717 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 2021-10-21, Vagrant Cascadian wrote:
> For the last couple years guix has been applying simple workarounds in
> u-boot packages to disable the features that required openssl due to
> GPL/openssl license incompatibilities.
>
> I made an attempt at updating guix to u-boot 2021.10, which seems to
> have made openssl harder to workaround... many of the u-boot-BOARD
> packages now require it, and the previous workarounds to disable openssl
> in u-boot-tools seem ineffective.
>
> I see a few ways forward:
>
> * Dig deeper into figuring out how to disable the workarounds...
>
> * Refactor the code that uses openssl to use an alternate
> implementation. Upstream would welcome the fixes, at least in
> theory. Most promising candidate might be wolfssl, last I looked, but
> it may miss some features.
>
> * Convince upstream u-boot to relicense relevent GPLed portions of code
> with an openssl exception. Upstream is dubious about this being
> practical, largely due to the sheer number of potential contributors
> who would have to agree to it.
* Disable substitutes for relevent packages. Technically correct as
license incompatibility is only triggered on transmission of binary,
though maybe missing something about the spirit of the GPL.
live well,
vagrant
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sat, 23 Oct 2021 09:09:01 GMT)
Full text and
rfc822 format available.
Message #62 received at 34717 <at> debbugs.gnu.org (full text, mbox):
Vagrant Cascadian schreef op vr 22-10-2021 om 14:15 [-0700]:
> [...]
> Though, it is *possible* that various u-boot-BOARD in some cases
> doesn't
> include any openssl code at all in the resulting binaries, but builds
> some tools used during the build process, that are then used to
> produce
> various cryptographic signatures in the build:
>
> https://lists.denx.de/pipermail/u-boot/2021-October/464533.html
>
> If that's true, it should be ok for various boards (though the
> possibility of openssl code getting linked in would be hard to
> catch).
Add openssl to #:disallowed-references. Then the build will fail
if the store item has a reference to openssl.
This most likely won't catch uses of the _static_ OpenSSL libraries
though, so the "openssl:static" input would need to be removed for
this approach to work.
Greetings,
Maxime.
--
not hacking on guix for a while, only occassionally looking at IRC logs
and bug reports. E-mails are unsigned until backup is located.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sat, 23 Oct 2021 19:45:02 GMT)
Full text and
rfc822 format available.
Message #65 received at 34717 <at> debbugs.gnu.org (full text, mbox):
On Fri, Oct 22, 2021 at 02:17:33PM -0700, Vagrant Cascadian wrote:
> * Disable substitutes for relevent packages. Technically correct as
> license incompatibility is only triggered on transmission of binary,
> though maybe missing something about the spirit of the GPL.
Maybe, but did anyone with standing ever take action regarding these
licensing incompatibilities?
Perhaps, looking at these issues too closely is also missing something
about the spirit of the GPL.
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sun, 24 Oct 2021 08:54:01 GMT)
Full text and
rfc822 format available.
Message #68 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> On Fri, Oct 22, 2021 at 02:17:33PM -0700, Vagrant Cascadian wrote:
>> * Disable substitutes for relevent packages. Technically correct as
>> license incompatibility is only triggered on transmission of binary,
>> though maybe missing something about the spirit of the GPL.
>
> Maybe, but did anyone with standing ever take action regarding these
> licensing incompatibilities?
>
> Perhaps, looking at these issues too closely is also missing something
> about the spirit of the GPL.
It just needs one person. Also see this weeks newsletter from Cory
Doctorov on the lawsuit against Vizio. It might soon only take one user.
Best get licensing problems fixed sooner than later. GPLv2-only is a
problem quickly getting closer.
Best wishes,
Arne
--
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#34717; Package
guix.
(Sun, 24 Oct 2021 08:54:02 GMT)
Full text and
rfc822 format available.
This bug report was last modified 2 years and 182 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.