
Expressing the need for Apache-v2.0-licensed OpenSSL in apt-listbugs



Hello!

As many of you already know, I am the maintainer of apt-listbugs.
I wanted to address bug [792639].

[792639]: <https://bugs.debian.org/792639>

Brief summary: apt-listbugs queries the Debian BTS through its SOAP
interface at an http URL.
Bug [792639] is a feature request: apt-listbugs should by default
interact with the BTS at an https URL, in order to have encrypted
communication (to enhance privacy).
When the wishlist bug report was filed, OpenSSL was GPL-incompatible
and this became a showstopper, since apt-listbugs and several
dependencies are GPL-licensed with no OpenSSL exceptions: using https
causes ruby-soap4r to load 'net/https', thus causing libruby to load
'openssl'.
This is no longer an issue, since OpenSSL version 3.x.y is
Apache-v2.0-licensed and thus GPL-v3-compatible. OpenSSL version 3.x.y
is currently in Debian unstable, testing, and stable.

Hence the current [status] is that I need to finish sorting out the
licensing of indirect dependencies with GPL-v2-only parts (I am almost
there) and I need to figure out how to express the incompatibility with
pre-v3.x.y versions of OpenSSL.

[status]: <https://bugs.debian.org/792639#113>

I am seeking suggestions on this last point.

How can package apt-listbugs express the fact that it cannot be used
(for license incompatibility reasons) with a libruby that links with an
old libssl (which is not Apache-v2.0-licensed)?

If apt-listbugs directly depended on libssl, a versioned dependency
could be OK (something like ">= 3.0.0-1", I think).
But the point is that apt-listbugs does not directly depend on libssl.
A while ago I thought to add a

  Depends: ruby3.0 (>= 3.0.4-7+b1)

or a

  Depends: libruby3.0 (>= 3.0.4-7+b1)

but it does not seem to be the Right Thing™ to do, because the actual
dependency is only indirect. Also, those packages no longer
exist: now there are ruby3.1 and libruby3.1 ...
Mechanisms like

  Depends: ${shlibs:Depends}

do not look appropriate, since, as I said, the dependency is only
indirect.

Maybe the correct way to express the incompatibility is:

  Breaks: libruby (<< 1:3.1)

What do you think about this?


Please Cc me on replies, I am not subscribed to the list.
Thanks!

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
