Debian Bug report logs -
#798421
Please don't depend specifically on the OpenSSL variant of Curl
Reported by: Josh Triplett <josh@joshtriplett.org>
Date: Wed, 9 Sep 2015 02:39:01 UTC
Severity: serious
Tags: patch
Found in version libgit2/0.23.1-1
Fixed in versions libgit2/0.24.0-2, libgit2/0.23.1-1.1
Done: Josh Triplett <josh@joshtriplett.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, josh@joshtriplett.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Wed, 09 Sep 2015 02:39:05 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libgit2-dev
Version: 0.23.1-1
Severity: wishlist
I'd like to use libgit2 for projects under the GPL. Would you please
consider either building libgit2 against the gnutls version of Curl, or
otherwise making it possible to avoid building with OpenSSL, for the
benefit of GPLed projects?
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#798421; Package libgit2-dev.
(Wed, 09 Sep 2015 02:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Russell Sim <russell.sim@gmail.com>:
Extra info received and forwarded to list.
(Wed, 09 Sep 2015 02:57:03 GMT) (full text, mbox, link).
Message #8 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On 9 September 2015 at 12:37, Josh Triplett <josh@joshtriplett.org> wrote:
> I'd like to use libgit2 for projects under the GPL. Would you please
> consider either building libgit2 against the gnutls version of Curl, or
> otherwise making it possible to avoid building with OpenSSL, for the
> benefit of GPLed projects?
>
Fair call, this should be pretty straight forward. I thought it was
required for threading, but this doesn't seem to be the case.
A new version will be released shortly, I can move to the gnutls version of
curl then.
Thanks for looking into this.
--
Cheers,
Russell Sim
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#798421; Package libgit2-dev.
(Wed, 09 Sep 2015 02:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Russell Sim <russell.sim@gmail.com>:
Extra info received and forwarded to list.
(Wed, 09 Sep 2015 02:57:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Wed, 09 Sep 2015 03:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Wed, 09 Sep 2015 03:36:03 GMT) (full text, mbox, link).
Message #18 received at submit@bugs.debian.org (full text, mbox, reply):
On Wed, Sep 09, 2015 at 12:53:42PM +1000, Russell Sim wrote:
> On 9 September 2015 at 12:37, Josh Triplett <josh@joshtriplett.org> wrote:
>
> > I'd like to use libgit2 for projects under the GPL. Would you please
> > consider either building libgit2 against the gnutls version of Curl, or
> > otherwise making it possible to avoid building with OpenSSL, for the
> > benefit of GPLed projects?
> >
>
> Fair call, this should be pretty straight forward. I thought it was
> required for threading, but this doesn't seem to be the case.
>
> A new version will be released shortly, I can move to the gnutls version of
> curl then.
>
> Thanks for looking into this.
Thanks as well for maintaining libgit2 packages!
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Wed, 09 Sep 2015 03:36:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Wed, 09 Sep 2015 03:36:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Fri, 18 Sep 2015 10:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Ben Longbons <brlongbons@gmail.com>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Fri, 18 Sep 2015 10:24:03 GMT) (full text, mbox, link).
Message #28 received at 798421@bugs.debian.org (full text, mbox, reply):
For technical measures, the only place in libgit2-dev where curl
matters is in the Libs.private section of the .pc file, which is only
used for static linking. The choice of curl does not form part of the
dynamic library's ABI, other than the fact that if a dependent program
tries to link the other curl as well, it will pull in both and you'll
have DLL hell.
None of this solve the legal problems with OpenSSL, but they're kinda
probably planning relicensing soon ...
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sat, 19 Sep 2015 04:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Ben Longbons <brlongbons@gmail.com>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sat, 19 Sep 2015 04:33:04 GMT) (full text, mbox, link).
Message #33 received at 798421@bugs.debian.org (full text, mbox, reply):
Control: severity -1 serious
Actually, you can't afford for this to be wishlist, it's already led
to a license violation of two rdepends.
Looking at the rdepends:
Not okay, GPL:
kate, #799431
libkf5texteditor5, #799430
Looks okay:
libgit2-dbg
libgit2-dev
libgit2-glib-1.0-0
python-pygit2
python3-pygit2
ruby-rugged
Severity set to 'serious' from 'wishlist'
Request was from Ben Longbons <brlongbons@gmail.com>
to 798421-submit@bugs.debian.org.
(Sat, 19 Sep 2015 04:33:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sat, 26 Sep 2015 21:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sat, 26 Sep 2015 21:48:03 GMT) (full text, mbox, link).
Message #40 received at 798421@bugs.debian.org (full text, mbox, reply):
On Fri, 18 Sep 2015 03:21:59 -0700 Ben Longbons <brlongbons@gmail.com> wrote:
> None of this solve the legal problems with OpenSSL, but they're kinda
> probably planning relicensing soon ...
To Apache 2.0, which will provide GPLv3 compatibility but not GPLv2
compatibility. (Still an improvement, though.)
- Josh Triplett
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sat, 26 Sep 2015 21:48:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sat, 26 Sep 2015 21:48:06 GMT) (full text, mbox, link).
Message #45 received at 798421@bugs.debian.org (full text, mbox, reply):
On Wed, 9 Sep 2015 12:53:42 +1000 Russell Sim <russell.sim@gmail.com> wrote:
> On 9 September 2015 at 12:37, Josh Triplett <josh@joshtriplett.org> wrote:
>
> > I'd like to use libgit2 for projects under the GPL. Would you please
> > consider either building libgit2 against the gnutls version of Curl, or
> > otherwise making it possible to avoid building with OpenSSL, for the
> > benefit of GPLed projects?
> >
>
> Fair call, this should be pretty straight forward. I thought it was
> required for threading, but this doesn't seem to be the case.
>
> A new version will be released shortly, I can move to the gnutls version of
> curl then.
Any update on this bug?
- Josh Triplett
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sun, 18 Oct 2015 20:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sun, 18 Oct 2015 20:42:03 GMT) (full text, mbox, link).
Message #50 received at submit@bugs.debian.org (full text, mbox, reply):
On Wed, Sep 09, 2015 at 12:53:42PM +1000, Russell Sim wrote:
> On 9 September 2015 at 12:37, Josh Triplett <josh@joshtriplett.org> wrote:
>
> > I'd like to use libgit2 for projects under the GPL. Would you please
> > consider either building libgit2 against the gnutls version of Curl, or
> > otherwise making it possible to avoid building with OpenSSL, for the
> > benefit of GPLed projects?
> >
>
> Fair call, this should be pretty straight forward. I thought it was
> required for threading, but this doesn't seem to be the case.
>
> A new version will be released shortly, I can move to the gnutls version of
> curl then.
>
> Thanks for looking into this.
Any update on this issue?
- Josh Triplett
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sun, 18 Oct 2015 20:42:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sun, 18 Oct 2015 20:42:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sat, 19 Mar 2016 00:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sat, 19 Mar 2016 00:21:04 GMT) (full text, mbox, link).
Message #60 received at 798421@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch
I've attached a patch fixing this bug, as well as a patch adding a
changelog entry for an 0.23.1-1.1 NMU.
- Josh Triplett
[0001-Build-with-and-depend-on-libcurl4-gnutls-dev-Closes-.patch (text/x-diff, attachment)]
[0002-debian-changelog-Add-entry-for-0.23.1-1.1-NMU.patch (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Josh Triplett <josh@joshtriplett.org>
to 798421-submit@bugs.debian.org.
(Sat, 19 Mar 2016 00:21:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sat, 19 Mar 2016 00:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sat, 19 Mar 2016 00:39:05 GMT) (full text, mbox, link).
Message #67 received at 798421@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
In the previous version, I didn't explicitly document dropping the
associated Build-Depends on ca-certificates. The attached version does
so.
- Josh Triplett
[0002-debian-changelog-Add-entry-for-0.23.1-1.1-NMU.patch (text/x-diff, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#798421; Package libgit2-dev.
(Sat, 19 Mar 2016 01:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Josh Triplett <josh@joshtriplett.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>.
(Sat, 19 Mar 2016 01:15:03 GMT) (full text, mbox, link).
Message #72 received at 798421@bugs.debian.org (full text, mbox, reply):
Control: tags -1 + pending
David Bremner (CCed) uploaded this NMU to DELAYED/7-day.
Added tag(s) pending.
Request was from Josh Triplett <josh@joshtriplett.org>
to 798421-submit@bugs.debian.org.
(Sat, 19 Mar 2016 01:15:03 GMT) (full text, mbox, link).
Reply sent
to Josh Triplett <josh@joshtriplett.org>:
You have taken responsibility.
(Sat, 26 Mar 2016 01:21:05 GMT) (full text, mbox, link).
Notification sent
to Josh Triplett <josh@joshtriplett.org>:
Bug acknowledged by developer.
(Sat, 26 Mar 2016 01:21:05 GMT) (full text, mbox, link).
Message #79 received at 798421-close@bugs.debian.org (full text, mbox, reply):
Source: libgit2
Source-Version: 0.23.1-1.1
We believe that the bug you reported is fixed in the latest version of
libgit2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 798421@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Josh Triplett <josh@joshtriplett.org> (supplier of updated libgit2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 18 Mar 2016 17:08:00 -0700
Source: libgit2
Binary: libgit2-dev libgit2-23 libgit2-dbg
Architecture: source
Version: 0.23.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Russell Sim <russell.sim@gmail.com>
Changed-By: Josh Triplett <josh@joshtriplett.org>
Description:
libgit2-23 - low-level Git library
libgit2-dbg - libgit2 library and debugging symbols
libgit2-dev - low-level Git library (development files)
Closes: 798421
Changes:
libgit2 (0.23.1-1.1) unstable; urgency=high
.
* Non-maintainer upload.
* Don't depend on OpenSSL, either directly or indirectly. Build with and
depend on libcurl4-gnutls-dev instead. (Closes: #798421)
* Drop associated Build-Depends on ca-certificates.
Checksums-Sha1:
214a57324a0d52eee15367eb8a89ec4b3b417e5a 1897 libgit2_0.23.1-1.1.dsc
e5f16f8e99525e296216065e04cf869586ff240c 12980 libgit2_0.23.1-1.1.debian.tar.xz
Checksums-Sha256:
c1e682b8db92d33ceac5a93334441b45705a9f2d41a6c9f71419be3c8ec006cb 1897 libgit2_0.23.1-1.1.dsc
ab360308d6dcfd0759d96e34f2e8ea8e55edb33158055a071bd601286def7fc8 12980 libgit2_0.23.1-1.1.debian.tar.xz
Files:
434be80c65b64c079868c7e4cb4f0c17 1897 libs extra libgit2_0.23.1-1.1.dsc
228c85347a75748fc42b845148538158 12980 libs extra libgit2_0.23.1-1.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCAAGBQJW7KNfAAoJEPIClx2kp54sd8QL/3Fe/6xIHwkqLOsaXobOZiUo
x/Hq7blPjTDTdfxSAZIq9W+8SfF0v8J8YYuC6/sq3xC2lh1CXh+1TbfQZ7fyJ2cK
EqvoCLx95zdDKkVM6nZ+Hn8UGGoyc/VLuVi/bktqaw+BOJ+4jWM8eMYVfFYYEu/Q
NEYH0W03KhywVZe8/yUTvccEmwtqCWep7YUJgIzi2G/Ft5qH66dP59GuuYmuTdeA
L4BcjSMaRmxyRc8jdnQcI1gZFJdsc8NMzS+7ybBTUZVQ4yTrarYWg3E2XoTMIqdg
dAXe8EtWyaCOKkDoJm7YaNd+nX03Hvoy/DUG+bYFzkWPh76Docybdtapvnia96zS
6roFONgSB6Eq5Iu9V0Ed5H6t5KbdSfFcKKSq9fs7CZN3WZmGF+nwrLIYFsSzIk46
+2KkSxkGFaB8hu+FTXHQ1SB/iG/kToTM+JcQOjO5Xe7FuX11hDvPpu98VRV29kvo
djbIMgCiwh5oezSvIKj8N5vtDk+XbYMJyS7rhtQCfQ==
=zYFT
-----END PGP SIGNATURE-----
Marked as fixed in versions libgit2/0.24.0-2.
Request was from Andreas Henriksson <andreas@fatal.se>
to control@bugs.debian.org.
(Wed, 20 Apr 2016 12:30:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 05 Dec 2016 08:17:58 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Don Armstrong <don@debian.org>
to control@bugs.debian.org.
(Wed, 07 Dec 2016 01:42:49 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jan 6 22:44:48 2018;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.