Debian Bug report logs - #1036113
libpurple0: license conflict with libsasl2


Package: libpurple0; Maintainer for libpurple0 is Richard Laager <rlaager@debian.org>; Source for libpurple0 is src:pidgin.

Reported by: Bastian Germann <bage@debian.org>

Date: Mon, 15 May 2023 17:36:01 UTC

Severity: important

Found in version pidgin/2.14.12-1

Done: Richard Laager <rlaager@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Mon, 15 May 2023 17:36:03 GMT)


Acknowledgement sent to Bastian Germann <bage@debian.org>:
New Bug report received and forwarded. Copy sent to Richard Laager <rlaager@debian.org>. (Mon, 15 May 2023 17:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Bastian Germann <bage@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpurple0: license conflict with libsasl2
Date: Mon, 15 May 2023 19:32:40 +0200
Package: libpurple0
Version: 2.14.12-1
Severity: serious

Hi,

libirc.so and libjabber.so.0.0.0 depend on libsasl2-2, which is licensed under CMU's BSD-3-Clause-Attribution license 
and covered by the RSA-MD license. They have clauses in place, which are known to be incompatible with GPL-2+ (as far as 
I can see the mentioned libraries' license). There are several possible solutions to this problem:

1) Build with --disable-cyrus-sasl configuration and get rid of the libsasl2 (Build-)Dependencies.

2) Support my request at #996892.

3) Ask upstream to add a license exception for libsasl2-2, similar to the one that was required by Debian for OpenSSL 
for a long time.

Thanks for your consideration,
Bastian



Severity set to 'important' from 'serious' Request was from Richard Laager <rlaager@wiktel.com> to control@bugs.debian.org. (Fri, 26 May 2023 02:09:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Fri, 26 May 2023 02:33:03 GMT)


Acknowledgement sent to Richard Laager <rlaager@wiktel.com>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Fri, 26 May 2023 02:33:03 GMT)


Message #12 received at 1036113@bugs.debian.org:

From: Richard Laager <rlaager@wiktel.com>
To: Bastian Germann <bage@debian.org>
Cc: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Thu, 25 May 2023 21:26:27 -0500
First, I've downgraded the severity on this to "important". We are 
currently in a freeze with a release imminent. Removing pidgin from the 
next Debian release is a significant step that we should not undertake 
lightly. The issue at hand has existed for years, possibly a decade or 
even two, without complaints, so I think we can afford some time here.

Second, looking at #996892, Philipp Hahn already made some points about 
what is and isn't an advertising clause. There is no 
"BSD-3-Clause-Attribution" license in the copyright file that I can see. 
Please identify specifically which license(s) you are talking about, 
using names as they appear in the copyright file for the cyrus-sasl2 
package.

Third, if a system-library exemption is reasonable (or even possible), 
then there isn't actually an incompatibility in the first place.

On 2023-05-15 12:32, Bastian Germann wrote:
> Package: libpurple0
> Version: 2.14.12-1
> Severity: serious
> 
> Hi,
> 
> libirc.so and libjabber.so.0.0.0 depend on libsasl2-2, which is licensed 
> under CMU's BSD-3-Clause-Attribution license and covered by the RSA-MD 
> license. They have clauses in place, which are known to be incompatible 
> with GPL-2+ (as far as I can see the mentioned libraries' license). 
> There are several possible solutions to this problem:
> 
> 1) Build with --disable-cyrus-sasl configuration and get rid of the 
> libsasl2 (Build-)Dependencies.

Then users lose SASL support, which is not great.

> 2) Support my request at #996892.

If we are going to treat OpenSSL as a system library, then I think 
cyrus-sasl is a reasonable contender for the same treatment.

> 3) Ask upstream to add a license exception for libsasl2-2, similar to 
> the one that was required by Debian for OpenSSL for a long time.

3 is not viable due to too many copyright holders.

4) Pidgin could switch SASL implementations. This will be happening for 
Pidgin 3 anyway.


Are the problems just limited to MD5? If so:

5) Replace the MD5 implementation in Cyrus SASL with a different one.

6) Cyrus SASL uses OpenSSL for MD5 instead of its built-in MD5 code.

7) Cyrus SASL just drops MD5. (That might actually be reasonable 
post-bookworm.)

-- 
Richard



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Sun, 28 May 2023 23:03:03 GMT)


Acknowledgement sent to Bastian Germann <bage@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Sun, 28 May 2023 23:03:03 GMT)


Message #17 received at 1036113@bugs.debian.org:

From: Bastian Germann <bage@debian.org>
To: Richard Laager <rlaager@wiktel.com>
Cc: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Mon, 29 May 2023 01:00:02 +0200
On 26.05.23 at 04:26, Richard Laager wrote:
> Are the problems just limited to MD5? If so:

I do not think so.

> 5) Replace the MD5 implementation in Cyrus SASL with a different one.
> 
> 6) Cyrus SASL uses OpenSSL for MD5 instead of its built-in MD5 code.

See https://github.com/cyrusimap/cyrus-sasl/issues/513 for an implementation that leaves only one RSA-MD licensed file.



Severity set to 'serious' from 'important' Request was from Bastian Germann <bage@debian.org> to control@bugs.debian.org. (Mon, 12 Jun 2023 10:09:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Mon, 19 Jun 2023 12:21:03 GMT)


Acknowledgement sent to Gary Kramlich <grim@reaperworld.com>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Mon, 19 Jun 2023 12:21:03 GMT)


Message #24 received at 1036113@bugs.debian.org:

From: Gary Kramlich <grim@reaperworld.com>
To: Bastian Germann <bage@debian.org>, 1036113@bugs.debian.org
Cc: Richard Laager <rlaager@wiktel.com>
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Mon, 19 Jun 2023 07:15:49 -0500
I am the upstream maintainer.

We can't re-license or grant exceptions to our license as we have
never had a CLA or a DCO and some of our are companies that no longer
exist and there are individuals that are deceased.

This issue is tagging 28 packages total for removal from Debian. All
for a mistake someone made at least 16 years ago (when we renamed to
pidgin https://salsa.debian.org/debian/pidgin/-/blob/7632fac272011c7bed2c04fbdff32ad1aa31a491/debian/rules).
It does appear that it goes back to when we were still using the name
Gaim but I can't find the Debian packaging for that to figure out the
real date.

At any rate, forcing the removal of these 28 packages seems blatantly
wrong as it's punishing users and will take a non-trivial amount of
time to fix properly.

My suggestion, disable Cyrus-SASL. The only 2 protocols that use it
are IRC and XMPP. XMPP has its own implementations for SASL and falls
back to Cyrus if it needs to, which will of course break those users.
IRC will break for a lot of people and they'll be upset and report
bugs to both Debian and me, but at least they'll still have a pidgin
package and the other 27 related packages.

In the meantime, I suppose I will somehow find the time to get our new
SASL library (not written for this bug and not easily integrated into
Pidgin 2) through the Debian new queue and get Pidgin 2 updated for it
even though that's supposed to be in maintenance only mode. This is
going to cost a considerable amount of development time that'd be
better spent on the new version but this seems to be the only choice
to keep users running for the moment due to the insistence that this
is a "serious" level bug and that libpurple0 should be removed from
Debian because of it.

Ideally, we could just leave this at anything but serious or grave so
the 28 packages that this bug threatens could then stay in Debian for
the time being and no one would have to do any work that's never going
to be part of a stable Debian release.


On Sun, May 28, 2023 at 6:03 PM Bastian Germann <bage@debian.org> wrote:
>
> On 26.05.23 at 04:26, Richard Laager wrote:
> > Are the problems just limited to MD5? If so:
>
> I do not think so.
>
> > 5) Replace the MD5 implementation in Cyrus SASL with a different one.
> >
> > 6) Cyrus SASL uses OpenSSL for MD5 instead of its built-in MD5 code.
>
> See https://github.com/cyrusimap/cyrus-sasl/issues/513 for an implementation that leaves only one RSA-MD licensed file.
>


--
Thanks,

--
Gary Kramlich <grim@reaperworld.com>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1036113; Package libpurple0. (Tue, 27 Jun 2023 21:36:02 GMT)


Acknowledgement sent to Richard Laager <rlaager@debian.org>:
Extra info received and forwarded to list. (Tue, 27 Jun 2023 21:36:02 GMT)


Message #29 received at 1036113@bugs.debian.org:

From: Richard Laager <rlaager@debian.org>
To: Bastian Germann <bage@debian.org>
Cc: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Tue, 27 Jun 2023 16:34:17 -0500
Bastian,

I see you have raised the severity on this bug again.

What is your goal here?

Cyrus SASL has reverse (binary) dependencies in the ballpark of 7,500. 
Quickly taking that list through UDD gives me just over 4,500 source 
packages. Surely, a large number of those are going to be GPL licensed. 
Is your plan to file Severity: serious bugs against all of them?

  If so, isn't that an MBF that needs discussion on debian-devel first?

  If not, then why are you singling out Pidgin, a project that is
  struggling to stay alive right now?

Your position in bug #996892 is that cyrus-sasl2 / libsasl2 should be 
considered a system library. If libsasl2 can be considered a system 
library, then by your own position, there is no bug in libpurple0. I 
don't see how you can have it both ways.

-- 
Richard


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Tue, 27 Jun 2023 21:54:04 GMT)


Acknowledgement sent to Bastian Germann <bage@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Tue, 27 Jun 2023 21:54:04 GMT)


Message #34 received at 1036113@bugs.debian.org:

From: Bastian Germann <bage@debian.org>
To: Richard Laager <rlaager@debian.org>
Cc: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Tue, 27 Jun 2023 23:50:39 +0200
On 27.06.23 at 23:34, Richard Laager wrote:
> Cyrus SASL has reverse (binary) dependencies in the ballpark of 7,500. Quickly taking that list through UDD gives me 
> just over 4,500 source packages. Surely, a large number of those are going to be GPL licensed. Is your plan to file 
> Severity: serious bugs against all of them?

No, but at least the ones that directly depend on cyrus-sasl.
There are not many; most reverse dependencies are via libldap.

>    If so, isn't that an MBF that needs discussion on debian-devel first?

I do not have the capacity for a mass bug filing.
Once in a while I will look at the list of direct reverse dependencies and send a bug.

>    If not, then why are you singling out Pidgin, a project that is
>    struggling to stay alive right now?

I am not singling out Pidgin. I have filed similar bugs on other direct reverse deps.

> Your position in bug #996892 is that cyrus-sasl2 / libsasl2 should be considered a system library. If libsasl2 can be 
> considered a system library, then by your own position, there is no bug in libpurple0. I don't see how you can have it 
> both ways.

I would like to have a decision on it. No FTP Master has had the time to answer the bug.
As long as there is no official stance from the responsible group in Debian
the library is not to be considered a system library and the serious severity is valid.

If I were the package maintainer I would disable SASL and send the unstable/testing users
who want it back to comment on #996892 to get a decision.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1036113; Package libpurple0. (Tue, 27 Jun 2023 22:15:03 GMT)


Acknowledgement sent to Richard Laager <rlaager@debian.org>:
Extra info received and forwarded to list. (Tue, 27 Jun 2023 22:15:03 GMT)


Message #39 received at 1036113@bugs.debian.org:

From: Richard Laager <rlaager@debian.org>
To: Bastian Germann <bage@debian.org>
Cc: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Tue, 27 Jun 2023 17:13:32 -0500
Wait a minute... You are a maintainer for cyrus-sasl.

You have already addressed the BSD-4-clause-KTH in the latest upload.

You also fixed debian/copyright to reference BSD-3-Clause-Attribution in 
the latest upload. That license is fine for the reasons I mentioned.

That just leaves the MD5 stuff, right? You have authored a fix for that, 
which it looks like will be merged shortly:
https://github.com/cyrusimap/cyrus-sasl/pull/767

It seems like you can have this fixed any time (by merging in upstream 
#767) and will have it fixed shortly.

So why do I need to do anything?

-- 
Richard


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Tue, 27 Jun 2023 22:39:02 GMT)


Acknowledgement sent to Bastian Germann <bage@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Tue, 27 Jun 2023 22:39:02 GMT)


Message #44 received at 1036113@bugs.debian.org:

From: Bastian Germann <bage@debian.org>
To: Richard Laager <rlaager@debian.org>
Cc: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Wed, 28 Jun 2023 00:35:15 +0200
On 28.06.23 at 00:13, Richard Laager wrote:
> Wait a minute... You are a maintainer for cyrus-sasl.

Just the package maintainer in Debian.

> You have already addressed the BSD-4-clause-KTH in the latest upload.

That is true, which I have noted on the other bug.

> You also fixed debian/copyright to reference BSD-3-Clause-Attribution in the latest upload. That license is fine for the 
> reasons I mentioned.

That is your legal take on it. My take is that BSD-3-Clause-Attribution is GPL-incompatible because it has a further 
restriction on distribution.

> That just leaves the MD5 stuff, right? You have authored a fix for that, which it looks like will be merged shortly:
> https://github.com/cyrusimap/cyrus-sasl/pull/767

If BSD-3-Clause-Attribution was GPL-compatible then, yes, the RSA-MD license is the last license that causes a 
GPL incompatibility.

> It seems like you can have this fixed any time (by merging in upstream #767) and will have it fixed shortly.

I do not have commit access to upstream nor do I have any particular role there.
The last bugfix release took them more than 3 years and when #767 is released is unknown.
Even when that happens, upstream still has to eliminate the last instance of the RSA-MD license.

> So why do I need to do anything?

You don't need to. But you should if you want to keep pidgin in testing.

License compliance will not just magically happen by ignoring the problematic parts in Debian.
Actually, I am also happy when you appeal to any of the Debian bodies (TC?) about the severity of this bug so that there 
is a decision made on it.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1036113; Package libpurple0. (Wed, 28 Jun 2023 02:45:03 GMT)


Acknowledgement sent to Richard Laager <rlaager@debian.org>:
Extra info received and forwarded to list. (Wed, 28 Jun 2023 02:45:03 GMT)


Message #49 received at 1036113@bugs.debian.org:

From: Richard Laager <rlaager@debian.org>
To: Bastian Germann <bage@debian.org>, 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Tue, 27 Jun 2023 21:42:10 -0500
On 2023-06-27 17:35, Bastian Germann wrote:
> On 28.06.23 at 00:13, Richard Laager wrote:

> The last bugfix release took them more than 3 years and when #767 is 
> released is unknown.

When a release happens is irrelevant, as you can carry #767 as a patch 
in the Debian package until then.

> Even when that happens, upstream still has to eliminate the last 
> instance of the RSA-MD license.

What is the remaining instance of RSA-MD licensed code after #767?

> License compliance will not just magically happen by ignoring the 
> problematic parts in Debian.

I didn't suggest it would, nor am I ignoring anything. My point is that, 
in this particular case, it seems that you have everything solved or 
close to solved by yourself.

-- 
Richard


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Wed, 28 Jun 2023 08:15:02 GMT)


Acknowledgement sent to Bastian Germann <bage@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Wed, 28 Jun 2023 08:15:02 GMT)


Message #54 received at 1036113@bugs.debian.org:

From: Bastian Germann <bage@debian.org>
To: Richard Laager <rlaager@debian.org>, 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Wed, 28 Jun 2023 10:14:00 +0200
On 28.06.23 at 04:42, Richard Laager wrote:
> What is the remaining instance of RSA-MD licensed code after #767?

https://github.com/cyrusimap/cyrus-sasl/issues/769



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Sun, 23 Jul 2023 20:51:08 GMT)


Acknowledgement sent to Evangelos Ribeiro Tzaras <devrtz@fortysixandtwo.eu>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Sun, 23 Jul 2023 20:51:08 GMT)


Message #59 received at 1036113@bugs.debian.org:

From: Evangelos Ribeiro Tzaras <devrtz@fortysixandtwo.eu>
To: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Sun, 23 Jul 2023 22:42:26 +0200
On Wed, 28 Jun 2023 10:14:00 +0200 Bastian Germann <bage@debian.org> wrote:
> On 28.06.23 at 04:42, Richard Laager wrote:
> > What is the remaining instance of RSA-MD licensed code after #767?
> 
> https://github.com/cyrusimap/cyrus-sasl/issues/769

Fyi: that issue has now been closed with
https://github.com/cyrusimap/cyrus-sasl/pull/770

-- 
Cheers,

Evangelos
PGP: B938 6554 B7DD 266B CB8E 29A9 90F0 C9B1 8A6B 4A19

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Laager <rlaager@debian.org>:
Bug#1036113; Package libpurple0. (Tue, 01 Aug 2023 14:51:05 GMT)


Acknowledgement sent to Bastian Germann <bage@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Laager <rlaager@debian.org>. (Tue, 01 Aug 2023 14:51:05 GMT)


Message #64 received at 1036113@bugs.debian.org:

From: Bastian Germann <bage@debian.org>
To: 1036113@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Tue, 1 Aug 2023 16:48:12 +0200
Control: severity -1 important

On Sun, 23 Jul 2023 22:42:26 +0200 Evangelos Ribeiro Tzaras wrote:
> Fyi: that issue has now been closed with
> https://github.com/cyrusimap/cyrus-sasl/pull/770
The backport to Debian was done. I am no longer considering this a serious issue as the clearly 
GPL-incompatible RSA-MD is gone from cyrus-sasl2's binaries with the latest version.



Severity set to 'important' from 'serious' Request was from Bastian Germann <bage@debian.org> to 1036113-submit@bugs.debian.org. (Tue, 01 Aug 2023 14:51:05 GMT)


Reply sent to Richard Laager <rlaager@debian.org>:
You have taken responsibility. (Thu, 03 Aug 2023 06:12:03 GMT)


Notification sent to Bastian Germann <bage@debian.org>:
Bug acknowledged by developer. (Thu, 03 Aug 2023 06:12:03 GMT)


Message #71 received at 1036113-done@bugs.debian.org:

From: Richard Laager <rlaager@debian.org>
To: 1036113-done@bugs.debian.org
Subject: Re: Bug#1036113: libpurple0: license conflict with libsasl2
Date: Thu, 3 Aug 2023 01:09:42 -0500
That was the last remaining issue, so I am closing this.

I do not consider BSD-3-Clause-Attribution to be GPL incompatible. I 
posted on debian-legal about this and the only response has been in 
agreement.

-- 
Richard


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Aug 2023 07:25:30 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 21 01:44:11 2023; Machine Name: buxtehude