Package: pinot
Version: 1.05-1.1+b1
Severity: serious
Justification: Policy 2.2.1

Bad news everyone - pinot links libxapian (which is GPLv2+) and openssl
(which has a GPLv2+-incompatible advertising clause in its licence) into
the same binary:

$ ldd /usr/lib/pinot/backends/libxapianbackend.so|grep 'xapian\|ssl'
        libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f079530e000)
        libxapian.so.22 => /usr/lib/x86_64-linux-gnu/libxapian.so.22 (0x00007f0794aa6000)
$ dpkg -S /usr/lib/pinot/backends/libxapianbackend.so
pinot: /usr/lib/pinot/backends/libxapianbackend.so

I'm part of Xapian upstream, and with that hat on I can say we aren't
able to add an exception clause to the licence as there are copyright
holders who aren't interested in relicensing.

In the long term we're hoping to eliminate the non-relicensable code
from libxapian and release it under a more liberal licence, but that's
not imminent - a shorter-term way to resolve this for pinot in Debian is
needed.

It looks to me like you can probably build-depend on libcurl4-gnutls-dev
or libcurl4-nss-dev instead of libcurl4-openssl-dev (and drop
libssl-dev) except that the upstream configure script thinks it needs
openssl if `curl-config --features|grep -i SSL` is non-empty.

Cheers,
    Olly
