From: Ludovic Courtès
Subject: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others
Date: Sun, 10 Mar 2019 18:12:54 +0100
Message-ID: <87tvga3b6x.fsf@gnu.org>
In-Reply-To: <871s3f1w5d.fsf@ponder> (Vagrant Cascadian's message of "Sat, 09 Mar 2019 15:10:54 -0800")
To: Vagrant Cascadian
Cc: 34717@debbugs.gnu.org

Hi,

Vagrant Cascadian wrote:

> On 2019-03-09, Ludovic Courtès wrote:
>> Vagrant Cascadian wrote:
>>> On 2019-03-08, Ludovic Courtès wrote:
>>>> Vagrant Cascadian wrote:
>>>> In addition, we can add a ‘lint’ checker for this case, WDYT?
>>>
>>> Does the lint checker have a way to identify a confidence level,
>>> e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
>>> override the lint checker issues for known false positives? Otherwise,
>>> it might just be annoying noise for packagers where it isn't
>>> appropriate.
>>
>> No it doesn’t have that notion of a confidence level.
>
> And I presume no overrides either, given no comment about that?

We could arrange for this lint “checker” to honor some per-package
property that would silence it. We do that with the ‘cve’ checker and
the ‘lint-hidden-cve’ property.

>> The warning could be triggered only when a package is GPL’d and has a
>> direct dependency on OpenSSL (we’d forget about indirect dependencies in
>> this case.) The noise would be rather limited and justified in this
>> case, I think. WDYT?
>
> The openssl package currently ships the "openssl" binary, as well as the
> libraries. I suspect there are at least three potential cases where a
> package might depend on it:
>
> * Calls the "openssl" binary as part of test suite or run-time. No
>   licensing compatibility issue, no worries!
>
> * Using include files from the openssl headers; I guess you could search
>   for "include .* openssl/*.h" in the source code. Might get some false
>   positives. Can be run without actually even building it.
>
> * Linking against the library which should actually be easy to detect
>   with ldd or other tools. Would need to build and then run the checks to
>   be sure.

So for the 1st case we’d definitely need that property to tell ‘lint’
that everything is known-good.

‘guix lint’ does very inexpensive tests, so unpacking the tarball and
grepping it would be beyond its scope. However, if we can provide the
warning and people have a way to silence it, I guess we’re fine?

Thanks,
Ludo’.
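
The check discussed in this message, as an added Python sketch that is not Guix code and not code from either participant: warn on a GPL package with a direct OpenSSL input unless a per-package property silences it, plus the header search from the quoted list as a separate, more expensive step. The `Package` record, the license identifiers and the `lint-hidden-openssl` property name are assumptions made for illustration; the thread names only `lint-hidden-cve`.

```python
import re
from dataclasses import dataclass, field

# Assumptions for this sketch: license identifiers and the property name are
# hypothetical; the thread only says "some per-package property".
GPL_LICENSES = {"gpl2", "gpl2+", "gpl3", "gpl3+"}
SILENCE_PROPERTY = "lint-hidden-openssl"

# Second case from the thread: source files including OpenSSL headers.
OPENSSL_INCLUDE = re.compile(
    r'^[ \t]*#[ \t]*include[ \t]*[<"]openssl/[^>"\n]+\.h[>"]', re.MULTILINE)


@dataclass
class Package:
    name: str
    licenses: set
    direct_inputs: set
    properties: dict = field(default_factory=dict)


def check_gpl_openssl(pkg):
    """Cheap metadata-only check: return a warning string or None."""
    if pkg.properties.get(SILENCE_PROPERTY):
        return None  # packager marked this package as known-good
    if "openssl" not in pkg.direct_inputs:
        return None  # indirect dependencies are deliberately ignored
    if not pkg.licenses & GPL_LICENSES:
        return None
    return f"{pkg.name}: GPL-licensed package with a direct dependency on openssl"


def includes_openssl_headers(source_text):
    """More expensive follow-up a packager can run on unpacked sources."""
    return bool(OPENSSL_INCLUDE.search(source_text))


# Constructed sample packages, one per situation raised in the thread.
SAMPLES = [
    Package("example-links-libssl", {"gpl2+"}, {"openssl", "zlib"}),
    Package("example-calls-binary", {"gpl3+"}, {"openssl"},
            {SILENCE_PROPERTY: True}),
    Package("example-indirect", {"gpl3+"}, {"curl"}),
    Package("example-permissive", {"expat"}, {"openssl"}),
]

if __name__ == "__main__":
    for pkg in SAMPLES:
        print(pkg.name, "->", check_gpl_openssl(pkg) or "ok")
```

Only the first constructed package produces a warning; the one that merely calls the `openssl` binary stays quiet because its property is set, which is the override the message proposes.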