Debian Bug report logs - #979095
Legally problematic GPL-3+ readline dependency

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Bastian Germann <bastiangermann@fishpost.de>

To: submit@bugs.debian.org

Subject: Legally problematic GPL-3+ readline dependency

Date: Sat, 2 Jan 2021 18:36:38 +0100

Package: multipath-tools
Severity: important

This package depends on libreadline8 which is GPL-3+ licensed. According 
to debian/copyright parts of your package are GPL-2-only licensed. If 
that is also (transitively) the case for the binaries that link with 
libreadline.so.8 it might be legally problematic (see 
https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).

There is an easy solution to the problem: Replacing the build dependency 
libreadline-dev with libeditreadline-dev links with the BSD-licensed 
libedit library which is a readline replacement.

Message #10 received at 979095@bugs.debian.org (full text, mbox, reply):

From: Ritesh Raj Sarraf <rrs@debian.org>

To: Bastian Germann <bastiangermann@fishpost.de>, 979095@bugs.debian.org

Cc: debian-legal@lists.debian.org

Subject: Re: Bug#979095: Legally problematic GPL-3+ readline dependency

Date: Sun, 03 Jan 2021 14:17:05 +0530

[Message part 1 (text/plain, inline)]

Thank you for filing this bug report.

Adding debian-legal to see if there's anyone with a good recommendation
to this mess.

On Sat, 2021-01-02 at 18:36 +0100, Bastian Germann wrote:
> Package: multipath-tools
> Severity: important
> 
> This package depends on libreadline8 which is GPL-3+ licensed.
> According 
> to debian/copyright parts of your package are GPL-2-only licensed. If
> that is also (transitively) the case for the binaries that link with 
> libreadline.so.8 it might be legally problematic (see 
> https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).
> 

multipath-tools is mixed bag of licenses. The last time I checked on
it, the results weren't optimum.

https://www.redhat.com/archives/dm-devel/2016-July/msg00508.html

> There is an easy solution to the problem: Replacing the build
> dependency 
> libreadline-dev with libeditreadline-dev links with the BSD-licensed 
> libedit library which is a readline replacement.

Thanks for the input. Lets see what best way to handle this.

I personally would prefer to stick with the GNU Readline library but
that is just a personal preference and not a strong opinion.

I see there's a GPL2 variant of the library but under the Debian QA
Group. And the last upload to the package is from 2015

Fedora (not that I treat their judgment as the right thing) is linking
to GNU Readline 8. Not sure if Ubuntu is doing anything different.
https://koji.fedoraproject.org/koji/rpminfo?rpmID=23332353


Please do feel free to raise the severity, in case you do not see any
progress on this bug report, over time.


Thanks,
Ritesh

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 979095@bugs.debian.org (full text, mbox, reply):

From: Bastian Germann <bastiangermann@fishpost.de>

To: 979095@bugs.debian.org

Subject: Re: Bug#979095: Legally problematic GPL-3+ readline dependency

Date: Wed, 6 Oct 2021 19:31:27 +0200

Severity: serious

On Sun, 03 Jan 2021 14:17:05 +0530 Ritesh Raj Sarraf <rrs@debian.org> wrote:

> I personally would prefer to stick with the GNU Readline library but
> that is just a personal preference and not a strong opinion.
> 
> I see there's a GPL2 variant of the library but under the Debian QA
> Group. And the last upload to the package is from 2015

That is gone. The only alternative in Debian is libedit currently.

> Please do feel free to raise the severity, in case you do not see any
> progress on this bug report, over time.

Doing that now.

Message #22 received at 979095@bugs.debian.org (full text, mbox, reply):

From: Bastian Germann <bage@debian.org>

To: 979095@bugs.debian.org

Subject: Re: Bug#979095: Legally problematic GPL-3+ readline dependency

Date: Wed, 13 Oct 2021 23:57:00 +0200

On Sun, 03 Jan 2021 14:17:05 +0530 Ritesh Raj Sarraf <rrs@debian.org> wrote:
> On Sat, 2021-01-02 at 18:36 +0100, Bastian Germann wrote:
> > This package depends on libreadline8 which is GPL-3+ licensed.
> > According 
> > to debian/copyright parts of your package are GPL-2-only licensed. If
> > that is also (transitively) the case for the binaries that link with 
> > libreadline.so.8 it might be legally problematic (see 
> > https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility).
> > 
> 
> multipath-tools is mixed bag of licenses. The last time I checked on
> it, the results weren't optimum.
> 
> https://www.redhat.com/archives/dm-devel/2016-July/msg00508.html

As you noted there, libmultipath/prioritizers/ontap.c is GPL-2-only 
licensed, amongst other files in libmultipath. So libmultipath is 
GPL-2-only.

multipathd links with libreadline (GPL-3+) and libmultipath 
(GPL-2-only). Even though the effective license of multipathd alone 
seems to be LGPL-2.0, linking with both of these licenses is not okay.

Message #27 received at 979095@bugs.debian.org (full text, mbox, reply):

From: Bastian Germann <bastiangermann@fishpost.de>

To: 979095@bugs.debian.org

Subject: Re: Legally problematic GPL-3+ readline dependency

Date: Thu, 14 Oct 2021 09:52:51 +0200

On Sat, 2 Jan 2021 18:36:38 +0100 Bastian Germann <bastiangermann@fishpost.de> wrote:

> There is an easy solution to the problem: Replacing the build dependency 
> libreadline-dev with libeditreadline-dev links with the BSD-licensed 
> libedit library which is a readline replacement.

You will need the patch at 
https://listman.redhat.com/archives/dm-devel/2021-October/msg00144.html to build v0.8.5 
with libedit.

Message #32 received at 979095@bugs.debian.org (full text, mbox, reply):

From: Chris Hofstaedtler <chris@hofstaedtler.name>

To: Bastian Germann <bastiangermann@fishpost.de>, 979095@bugs.debian.org

Subject: Re: Bug#979095: Legally problematic GPL-3+ readline dependency

Date: Thu, 14 Oct 2021 10:15:41 +0200

* Bastian Germann <bastiangermann@fishpost.de> [211014 09:57]:
> On Sat, 2 Jan 2021 18:36:38 +0100 Bastian Germann <bastiangermann@fishpost.de> wrote:
> 
> > There is an easy solution to the problem: Replacing the build dependency
> > libreadline-dev with libeditreadline-dev links with the BSD-licensed
> > libedit library which is a readline replacement.
> 
> You will need the patch at
> https://listman.redhat.com/archives/dm-devel/2021-October/msg00144.html to
> build v0.8.5 with libedit.

I would imagine that patch needs at least a Signed-off-by.

Chris

Message #37 received at 979095@bugs.debian.org (full text, mbox, reply):

From: Bastian Germann <bastiangermann@fishpost.de>

To: Chris Hofstaedtler <chris@hofstaedtler.name>, 979095@bugs.debian.org

Subject: Re: Bug#979095: Legally problematic GPL-3+ readline dependency

Date: Thu, 14 Oct 2021 10:38:18 +0200

Am 14.10.21 um 10:15 schrieb Chris Hofstaedtler:
> * Bastian Germann <bastiangermann@fishpost.de> [211014 09:57]:
>> On Sat, 2 Jan 2021 18:36:38 +0100 Bastian Germann <bastiangermann@fishpost.de> wrote:
>>
>>> There is an easy solution to the problem: Replacing the build dependency
>>> libreadline-dev with libeditreadline-dev links with the BSD-licensed
>>> libedit library which is a readline replacement.
>>
>> You will need the patch at
>> https://listman.redhat.com/archives/dm-devel/2021-October/msg00144.html to
>> build v0.8.5 with libedit.
> 
> I would imagine that patch needs at least a Signed-off-by.

It has my Signed-off-by. Another S-o-b might be necessary for upstream inclusion but why 
is that relevant for the Debian package?

Message #42 received at 979095@bugs.debian.org (full text, mbox, reply):

From: Bastian Germann <bage@debian.org>

To: 979095@bugs.debian.org

Subject: Re: Legally problematic GPL-3+ readline dependency

Date: Fri, 15 Apr 2022 23:43:33 +0200

On Thu, 14 Oct 2021 09:52:51 +0200 Bastian Germann wrote:
> On Sat, 2 Jan 2021 18:36:38 +0100 Bastian Germann wrote:
> 
> > There is an easy solution to the problem: Replacing the build dependency 
> > libreadline-dev with libeditreadline-dev links with the BSD-licensed 
> > libedit library which is a readline replacement.
> 
> You will need the patch at 
> https://listman.redhat.com/archives/dm-devel/2021-October/msg00144.html to build v0.8.5 
> with libedit.

Just for the record: The same is still true for 0.8.8. Please apply the changes.

Message #51 received at 979095-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 979095-close@bugs.debian.org

Subject: Bug#979095: fixed in multipath-tools 0.9.0-4

Date: Sat, 13 Aug 2022 13:34:27 +0000

Source: multipath-tools
Source-Version: 0.9.0-4
Done: Chris Hofstaedtler <zeha@debian.org>

We believe that the bug you reported is fixed in the latest version of
multipath-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 979095@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Hofstaedtler <zeha@debian.org> (supplier of updated multipath-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 13 Aug 2022 13:08:06 +0000
Source: multipath-tools
Architecture: source
Version: 0.9.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian DM Multipath Team <team+linux-blocks@tracker.debian.org>
Changed-By: Chris Hofstaedtler <zeha@debian.org>
Closes: 979095 1016583
Changes:
 multipath-tools (0.9.0-4) unstable; urgency=medium
 .
   [ Chris Lamb ]
   * [3a71447] Make the build reproducible (Closes: #1016583)
 .
   [ Chris Hofstaedtler ]
   * [d815e6b] Use libedit instead of libreadline.
     Using patches from openSUSE, expected to go upstream in the next
     release.
     Thanks to Martin Wilck <mwilck@suse.com>, Bastian Germann <bastiangermann@fishpost.de>
     (Closes: #979095)
   * [f0e62a1] Add more patches from openSUSE to fix small bugs
Checksums-Sha1:
 f1896cbca16bb85c54f894245057a9de6e74e18b 2572 multipath-tools_0.9.0-4.dsc
 3c030aee7f87adc6aba649db307f842123f8d2d3 30280 multipath-tools_0.9.0-4.debian.tar.xz
 ee9685dcc4c56b2f5b2a357d2bd5ceb2ae48151a 7419 multipath-tools_0.9.0-4_source.buildinfo
Checksums-Sha256:
 623eb01853ad4e9f2984c2e8e444c1c5fa4318d86a44a8d753e65d5c4a324c56 2572 multipath-tools_0.9.0-4.dsc
 71d575d186ef649e42f9d15b6cb22f4b08b5b710cf299e4b6ef6ab7bc232ee9a 30280 multipath-tools_0.9.0-4.debian.tar.xz
 e38d76694c75ca1265770210863b662c99348f74c71386b569a8311aff59479f 7419 multipath-tools_0.9.0-4_source.buildinfo
Files:
 cc593ba806dbe89495476e8393ae7b3d 2572 admin optional multipath-tools_0.9.0-4.dsc
 98aafe7baff1b42b9f8ff0ce7036ff32 30280 admin optional multipath-tools_0.9.0-4.debian.tar.xz
 3b9d908688060bff49549f11f02cd280 7419 admin optional multipath-tools_0.9.0-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfRrP+tnggGycTNOSXBPW25MFLgMFAmL3oxoACgkQXBPW25MF
LgM66Q//YchIOV/A0GTcZ5mnTRR6lQvCexWNNx/6uLbTE5mdpZAKFsYmIOzTd3gl
yQPLtwVvJRQ3I6FDQBkru1KtpvqQWIPCO8JZylydZqZazyDwIZivYClEWilIqsaD
E17chn+TQ2A/09To9LPaZxlR9ls3kJMgozyLtu4EFI6ANSymR/pqF3KdNb+nzCXs
ZzU2sTmhB2nFgMSXeFG0vc0cyKStmmJFHDqeylzPNBcLLg23PWwO5q1AKB8XjM5x
C4UdkOFfNOvtNmuz3ajKfoKuxOeaX5kuXNmtAyva/iqbWfCjeB8GhohloulYTh9l
A9QKG2rQ65MESfvE/+wQVTU5f8Grq5UQXo4Ex9gwXG0hrkcuUsAWFsrp8sYaiK0A
rJxh+keWRFKnh8XTfzidgFuA7msbYzUU7PgKTiADHvL7g8HmF3UOLL/3pdrTShfV
fw25cOYvptbXkFJPg4nGv5Jd9qBGdTdLNFHyS6EJFMeXEifN2N+5cxKff7O8e1Kx
mfngOqd92aGRr5fImk2bCec+TFOyAHmjyqum7zVxapt5O5+i2V0eg2r7efCsSfzN
SUWnjfHA/3dc05FRGpJXNlwvucXRKdHXpwoNrCgpsYzadY+Yq0TPzUkEmV90Ddms
TA3zSMVaXCQvoWzofjRSCsnxZiboTIziH2DIL+h6jcSYwkroMrQ=
=uOeO
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.