Your message dated Sun, 24 Feb 2019 20:47:16 +0000 with message-id <e1gy0g8-0000gk...@fasolo.debian.org> and subject line Bug#921488: fixed in mariadb-10.3 1:10.3.13-1 has caused the Debian Bug report #921488, regarding libmariadb3: OpenSSL license contamination of GPL reverse-dependencies to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
921488: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921488
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libmariadb3
Version: 1:10.3.12-2
Severity: serious
Affects: w1retap
Justification: renders many Debian packages undistributable

Hello,

It's come to my attention that in buster and unstable, packages which build-depend on default-libmysqlclient-dev wind up linked against libmariadb3, which in turn links against OpenSSL (libssl1.1). This includes software which is licensed under the GPL and uses the MySQL APIs. (Example: w1retap)

It is well understood that the OpenSSL license is not "compatible" with the GPL (either version 2 or 3); and furthermore, Debian has long taken the position that, unless a license exception is granted by the copyright holders, a package which is distributed under the GPL must only link to libraries whose licenses are also GPL-compatible in order for it to be included in Debian.

There is bug #787118 requesting that mariadb-server use OpenSSL instead of YaSSL; this bug is still open in the BTS despite the fact that mariadb does now link against OpenSSL. This bug also acknowledges the need for a license exception for MariaDB itself to ship linked against OpenSSL, but the license compatibility problem for reverse-dependencies of the client library seems to have been overlooked.

I cannot find any discussion of the switch from yassl to openssl in the mariadb-10.3 changelog, so as near as I can see, there has been no explicit consideration of the licensing implications.

I am opening this as a serious bug, since I believe this makes a large and indeterminate number of packages non-distributable in buster.

Thanks,
--
Steve Langasek
Debian Developer
Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
https://www.debian.org/
slanga...@ubuntu.com
vor...@debian.org
--- End Message ---
--- Begin Message ---
Source: mariadb-10.3
Source-Version: 1:10.3.13-1

We believe that the bug you reported is fixed in the latest version of mariadb-10.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 921...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Otto Kekäläinen <o...@debian.org> (supplier of updated mariadb-10.3 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 24 Feb 2019 21:14:15 +0200
Source: mariadb-10.3
Binary: libmariadb-dev libmariadbclient-dev libmariadb-dev-compat libmariadb3 libmariadbclient18 libmariadbd19 libmariadbd-dev mariadb-common mariadb-client-core-10.3 mariadb-client-10.3 mariadb-server-core-10.3 mariadb-server-10.3 mariadb-server mariadb-client mariadb-backup mariadb-plugin-connect mariadb-plugin-rocksdb mariadb-plugin-oqgraph mariadb-plugin-tokudb mariadb-plugin-mroonga mariadb-plugin-spider mariadb-plugin-gssapi-server mariadb-plugin-gssapi-client mariadb-plugin-cracklib-password-check mariadb-test mariadb-test-data
Architecture: source
Version: 1:10.3.13-1
Distribution: unstable
Urgency: medium
Maintainer: Debian MySQL Maintainers <pkg-mysql-ma...@lists.alioth.debian.org>
Changed-By: Otto Kekäläinen <o...@debian.org>
Description:
 libmariadb-dev - MariaDB database development files
 libmariadb-dev-compat - MariaDB Connector/C, compatibility symlinks
 libmariadb3 - MariaDB database client library
 libmariadbclient-dev - MariaDB database development files (transitional package)
 libmariadbclient18 - Virtual package to satisfy external libmariadbclient18 depends
 libmariadbd-dev - MariaDB embedded database, development files
 libmariadbd19 - MariaDB embedded database, shared library
 mariadb-backup - Backup tool for MariaDB server
 mariadb-client - MariaDB database client (metapackage depending on the latest vers
 mariadb-client-10.3 - MariaDB database client binaries
 mariadb-client-core-10.3 - MariaDB database core client binaries
 mariadb-common - MariaDB common metapackage
 mariadb-plugin-connect - Connect storage engine for MariaDB
 mariadb-plugin-cracklib-password-check - CrackLib Password Validation Plugin for MariaDB
 mariadb-plugin-gssapi-client - GSSAPI authentication plugin for MariaDB client
 mariadb-plugin-gssapi-server - GSSAPI authentication plugin for MariaDB server
 mariadb-plugin-mroonga - Mroonga storage engine for MariaDB
 mariadb-plugin-oqgraph - OQGraph storage engine for MariaDB
 mariadb-plugin-rocksdb - RocksDB storage engine for MariaDB
 mariadb-plugin-spider - Spider storage engine for MariaDB
 mariadb-plugin-tokudb - TokuDB storage engine for MariaDB
 mariadb-server - MariaDB database server (metapackage depending on the latest vers
 mariadb-server-10.3 - MariaDB database server binaries
 mariadb-server-core-10.3 - MariaDB database core server files
 mariadb-test - MariaDB database regression test suite
 mariadb-test-data - MariaDB database regression test suite - data files
Closes: 917135 920364 920415 920933 921488
Changes:
 mariadb-10.3 (1:10.3.13-1) unstable; urgency=medium
 .
   * New upstream version 10.3.13
   * Includes fixes for the following security vulnerabilities
     (Closes: #920933):
     - CVE-2019-2537
     - CVE-2019-2529
   * Update symbols list to match latest MariaDB Connector C release
   * Use bundled SSL libraries instead of system OpenSSL (Closes: #921488)
   * Fix 'Multi-Arch: same' stanzas (Closes: #920364)
   * Implement proper version detection in maintainer scripts (Closes: #920415)
   * Make libmariadb-dev depend on libgnutls28-dev (Closes: #917135)
   * Extend Gitlab-CI significantly and update READMEs
--- End Message ---