On Thu, Jul 04, 2024 at 12:23:11AM +0200, Bastian Germann wrote:
> On 03.07.24 at 23:56, Benjamin Kaduk wrote:
> > On Wed, Jul 03, 2024 at 11:27:50PM +0200, Bastian Germann wrote:
> > > On 03.07.24 at 05:23, Benjamin Kaduk wrote:
> > > > I do not see how it would be possible to replace this code in Debian before
> > > > upstream can do so; this code is a core part of the functionality of the
> > > > software and the files cannot be relicensed without the permission of all
> > > > copyright holders.
> > >
> > > Upstream supports more OS than only Linux and most of the changes are
> > > portability changes. Trying a compile with the files replaced won't hurt.
> >
> > I think it would hurt; some of the changes relate to security fixes, among
> > other things.
>
> Can you point to a specific security fix that is not included in glibc or
> FreeBSD?
> I would like to report it to them in that case.
https://github.com/openafs/openafs/commit/a4c1d5c48deca2ebf78b1c90310b6d56b3d48af6 is the one I found first that is of clear security relevance to openafs (I did not attempt an exhaustive search). That said, I have to say "of security relevance to openafs" because it relates to how the overall application handles large/unexpected RPC input arguments, and the right way to address that class of issue is likely to depend on the particular application in question. This particular fix is suitable for openafs but is not necessarily suitable for all consumers of a generic rpcgen.

> > > > I am also a bit confused at why you chose to file this as severity: serious
> > > > -- could you please clarify what part of policy is being violated or how it
> > > > makes the package unsuitable for release?
> > >
> > > Assuming the license is non-free (which some people may doubt but this seems
> > > to be established in Debian) the package violates Policy §2.2.1 "Every package
> > > in main must comply with the DFSG"
> >
> > Do you have any links handy for "this seems to be established in Debian"?
> > Maybe a statement from ftpmaster?
>
> There is a bug waiting for a statement from ftpmaster: #1072165.

Sounds like we might want to add this bug to the 'blocks' list for that one, then?

> > Starting from scratch I'm only finding
> > https://lists.debian.org/debian-legal/2003/08/msg00667.html from 2003 (and
> > the corresponding bug,
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=181493), neither of which
> > really ends with a resounding conclusion, and which are quite old.
>
> The conclusion of bug #181493 was upstream's relicensing of the code.

Right, which is not much of a conclusion on whether or not the license is non-free; it is just side-stepping the question.

-Ben