First, I've downgraded the severity on this to "important". We are currently in a freeze with a release imminent. Removing pidgin from the next Debian release is a significant step that we should not undertake lightly. The issue at hand has existed for years, possibly a decade or even two, without complaints, so I think we can afford some time here.

Second, looking at #996892, Philipp Hahn already made some points about what is and isn't an advertising clause. There is no "BSD-3-Clause-Attribution" license in the copyright file that I can see. Please identify specifically which license(s) you are talking about, using names as they appear in the copyright file for the cyrus-sasl2 package.

Third, if a system-library exemption is reasonable (or even possible), then there isn't actually an incompatibility in the first place.

On 2023-05-15 12:32, Bastian Germann wrote:
Package: libpurple0
Version: 2.14.12-1
Severity: serious

Hi,

libirc.so and libjabber.so.0.0.0 depend on libsasl2-2, which is licensed under CMU's BSD-3-Clause-Attribution license and covered by the RSA-MD license. They have clauses in place which are known to be incompatible with GPL-2+ (which, as far as I can see, is the mentioned libraries' license). There are several possible solutions to this problem:

1) Build with --disable-cyrus-sasl configuration and get rid of the libsasl2 (Build-)Dependencies.

Then users lose SASL support, which is not great.

2) Support my request at #996892.

If we are going to treat OpenSSL as a system library, then I think cyrus-sasl is a reasonable contender for the same treatment.

3) Ask upstream to add a license exception for libsasl2-2, similar to the one that was required by Debian for OpenSSL for a long time.

3 is not viable due to too many copyright holders.

4) Pidgin could switch SASL implementations. This will be happening for Pidgin 3 anyway.


Are the problems just limited to MD5? If so:

5) Replace the MD5 implementation in Cyrus SASL with a different one.

6) Cyrus SASL uses OpenSSL for MD5 instead of its built-in MD5 code.

7) Cyrus SASL just drops MD5. (That might actually be reasonable post-bookworm.)

--
Richard
