From: "Ludovic Courtès" <ludo@gnu.org>
To: Vagrant Cascadian <vagrant@debian.org>
Cc: 34717@debbugs.gnu.org
Subject: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others
Date: Sun, 10 Mar 2019 18:12:54 +0100
Message-ID: <87tvga3b6x.fsf@gnu.org>
In-Reply-To: <871s3f1w5d.fsf@ponder> (Vagrant Cascadian's message of "Sat, 09 Mar 2019 15:10:54 -0800")

Hi,

Vagrant Cascadian <vagrant@debian.org> wrote:

> On 2019-03-09, Ludovic Courtès wrote:
>> Vagrant Cascadian <vagrant@debian.org> wrote:
>>> On 2019-03-08, Ludovic Courtès wrote:
>>>> Vagrant Cascadian <vagrant@debian.org> wrote:
>>>> In addition, we can add a ‘lint’ checker for this case, WDYT?
>>>
>>> Does the lint checker have a way to identify a confidence level,
>>> e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
>>> override the lint checker issues for known false positives? Otherwise,
>>> it might just be annoying noise for packagers where it isn't
>>> appropriate.
>>
>> No it doesn’t have that notion of a confidence level.
>
> And I presume no overrides either, given no comment about that?

We could arrange for this lint “checker” to honor some per-package
property that would silence it. We do that with the ‘cve’ checker and
the ‘lint-hidden-cve’ property.

>> The warning could be triggered only when a package is GPL’d and has a
>> direct dependency on OpenSSL (we’d forget about indirect dependencies in
>> this case.) The noise would be rather limited and justified in this
>> case, I think. WDYT?
>
> The openssl package currently ships the "openssl" binary, as well as the
> libraries. I suspect there are at least three potential cases where a
> package might depend on it:
>
> * Calls the "openssl" binary as part of test suite or run-time. No
> licensing compatibility issue, no worries!
>
> * Using include files from the openssl headers; I guess you could search
> for "include .* openssl/*.h" in the source code. Might get some false
> positives. Can be run without actually even building it.
>
> * Linking against the library which should actually be easy to detect
> with ldd or other tools. Would need to build and then run the checks to
> be sure.

So for the 1st case we’d definitely need that property to tell ‘lint’
that everything is known-good.

‘guix lint’ does very inexpensive tests, so unpacking the tarball and
grepping it would be beyond its scope. However, if we can provide the
warning and people have a way to silence it, I guess we’re fine?

Thanks,
Ludo’.
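
Added example, not part of the original message and not Guix code: a Python model of the metadata-only check discussed above, which warns when a GPL'd package has a direct input on openssl and honors a per-package silencing property. The `Package` record, the license identifiers, the `lint-hidden-openssl` property name and the sample packages are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumption: license identifiers treated as "GPL'd" in this sketch.
GPL_LICENSES = {"gpl2", "gpl2+", "gpl3", "gpl3+"}
# Hypothetical property name, modelled on the 'lint-hidden-cve' idea.
SILENCE_PROPERTY = "lint-hidden-openssl"

@dataclass
class Package:
    name: str
    licenses: list
    inputs: list = field(default_factory=list)      # direct dependencies only
    properties: dict = field(default_factory=dict)

def check_gpl_openssl(pkg):
    """Return warnings for one package, using package metadata only."""
    if pkg.properties.get(SILENCE_PROPERTY):
        return []                      # packager marked the package known-good
    gpl = sorted(set(pkg.licenses) & GPL_LICENSES)
    # Only direct inputs are inspected; indirect dependencies are ignored.
    direct = any(dep.name == "openssl" for dep in pkg.inputs)
    if gpl and direct:
        return [f"{pkg.name}: {'/'.join(gpl)} package has a direct input on openssl"]
    return []

def lint(packages):
    """Run the check over a list of packages and collect every warning."""
    return [w for p in packages for w in check_gpl_openssl(p)]

# Constructed sample packages (not real Guix definitions).
openssl = Package("openssl", ["openssl"])
curl_like = Package("curl-like", ["expat"], [openssl])
SAMPLE = [
    Package("boot-tool", ["gpl2+"], [openssl]),     # GPL + direct input: flagged
    Package("fetcher", ["gpl3+"], [curl_like]),     # indirect only: not flagged
    Package("bsd-tool", ["bsd-3"], [openssl]),      # not GPL: not flagged
    Package("test-only", ["gpl3+"], [openssl],
            {SILENCE_PROPERTY: True}),              # only runs the binary: silenced
]

if __name__ == "__main__":
    for warning in lint(SAMPLE):
        print(warning)
```

Because the check sees only metadata, it cannot tell linking from merely invoking the "openssl" binary, which is why the first case in the quoted list depends on the silencing property.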