Recent changes to bugs

#21 docsis build depends on lin

Lisandro D. N. Pérez Meyer — Sun, 02 Jun 2013 14:02:05 -0000

Link to my post to debian-legal: http://lists.debian.org/debian-legal/2013/06/msg00001.html

#21 docsis build depends on lin

Lisandro D. N. Pérez Meyer — Sun, 02 Jun 2013 14:01:16 -0000

Yes, but what CRYPTOGRAPHY does docsis use via libsnmp?

IANAL, but as far as I understand, it doesn't needs to use it, just link. The problem here is that there is a library in the middle which is using libopenssl. According to some people this situation will require an OpenSSL exception, according to some others, not.

I have just sent a mail to debian-legal (will post link as soon as I have it) to ask them for their advice on the situation.

I'm sure this is not the only software which got involved in this change, so we will need to see what happens.

#21 docsis build depends on lin

Richard Laager — Sun, 02 Jun 2013 04:40:35 -0000

status: open --> pending

#21 docsis build depends on lin

Eduardo Ferro Aldama — Fri, 31 May 2013 08:47:09 -0000

Hi!

Some time ago, I ask the original author, Cornel Ciocirlan, for change the license to the gpl with the openssl exception, and he answer ok to the change, but he forgot to change the license... and after that it was impossible to me to contact with him to confirm the license change...

So I only have a "verbal" approval :(

By the way, docsis don't use ssl encription, but use libsnmp that is linked with openssl for implement snmp v3 protocol... that docsis don't use...

#21 docsis build depends on lin

Richard Laager — Fri, 31 May 2013 06:01:52 -0000

Yes, but what CRYPTOGRAPHY does docsis use via libsnmp?

#21 docsis build depends on lin

Lisandro D. N. Pérez Meyer — Fri, 31 May 2013 01:17:27 -0000

Is docsis one of those applications?

yes, it links to libsnmp which in turn links to libopenssl

what about providing a second binary of libsnmp that does not
have the SSL functionality?

It will not happen :(

#21 docsis build depends on lin

Richard Laager — Fri, 31 May 2013 00:32:15 -0000

Is docsis one of those applications? I can't think of how it would be, but I'm not an expert, I'm really just slightly maintaining a more-or-less abandoned package. If not, what about providing a second binary of libsnmp that does not have the SSL functionality?

#21 docsis build depends on lin

Lisandro D. N. Pérez Meyer — Fri, 31 May 2013 00:25:35 -0000

The last version of libsnmp has added a direct link to -lcrypto, triggering the error in lintian (the app that does static analysis of Debian packages).

But libsnmp had already depended on libssl :-/

Yes, there are applications that depend on this behaviour. No, I really doubt we will see a libsnmp without OpenSSL or linked against GNUTLS :-(

#21 docsis build depends on lin

Richard Laager — Fri, 31 May 2013 00:09:28 -0000

Why does libsnmp link to OpenSSL? Are there applications in Debian which depend on that behavior? If not, obviously eliminating that linkage entirely is the simplest answer. Assuming there are users of it, would it be possible to have the libsnmp source package be compiled a second time without that linkage to create a libsnmp-nossl binary package which docsis could use.

If so, isn't this academic? If docsis could be compiled against a libsnmp that doesn't use OpenSSL and work perfectly fine, then how do we have a problem?

Alternatively, could libsnmp link against GnuTLS? I think it has some level of OpenSSL source-compatbility (e.g. a porting layer).

#21 docsis build depends on lin

Lisandro D. N. Pérez Meyer — Tue, 28 May 2013 16:18:06 -0000

By the way, this change is needed to keep docsis in Debian :-/