Re: Depenency Bugs in Debian Packages (long)

To: debian-devel@lists.debian.org
Subject: Re: Depenency Bugs in Debian Packages (long)
From: Bdale Garbee <bdale@gag.com>
Date: Tue, 10 Aug 1999 10:16:13 -0600
Message-id: <[🔎] 199908101616.KAA02188@chunks.gag.com>
In-reply-to: <[🔎] yttso5s8u9g.fsf@gilgamesh.cse.ucsc.edu>

In article <[🔎] yttso5s8u9g.fsf@gilgamesh.cse.ucsc.edu> you wrote:

I apologize to the group for the "get over it" snipe in my last email.  That
was unnecessarily rude, but I'm getting annoyed by the repeated suggestions
that I'm doing something evil by taking BIND out of main.  I'm not the
upstream maintainer, and the license issue is an upstream source issue!  I'd
love nothing better than to leave BIND in main, if I could...

> Can you keep the old BIND in Debian as 'bind-classic'?

I've talked about this with several other folks who are serious domain admins,
and it seems like a really bad idea.  Keeping bits that aren't being worked
on upstream alive just for this is almost guaranteed to cause a security 
problem at some point in the future.  The whole point of the DNSSEC code in
BIND is that it's too easy to do nasty things to DNS, and new technology is
needed to "up the ante".

It is unfortunate that a) the BIND maintainers chose to be satisfied with a
license for the RSA-contributed library that is not *quite* DFSG-compliant, 
and b) that the BIND 8.2.X sources do not make it easy to optionally include 
or exclude the DNSSEC functionality.  I hear rumors that both issues are being
looked at by various folks... but until there's code, it's just rumors.

I personally do not have the time, or the inclination to engage in substantial
hacking of the BIND sourcecode.  I also have no interest in continuing to 
work with the 8.1.2 sources.  Therefore, the only remaining option I see is 
to move the BIND packages to non-free.  I freely admit that my personal angst
over the issue is partly to blame for it taking so long to finish the 8.2.1 
packages.

LaMont and I have exchanged email with the key BIND developers about this
situation, and while they regret not being DFSG-compliant, I didn't get the
sense that they were concerned enough to do anything about it.  The library
in question is freely available for use by anyone... but only for use in BIND.

If someone cares enough about this to want to whack on the sources to make it
possible to build bind-lame (main) and bind-full (non-free) packages, then I'm
sure we could help get the patches accepted by the upstream maintainers.  I
would also be happy to hand over the Debian BIND package to someone else if
there is some sense that I'm being unnecessarily pig-headed about this (which
email in the last day to me directly has sort of implied, to my distress).  
In the meantime, I hope to finish and upload BIND 8.2.1 packages later this 
week... into non-free.

Bdale

Reply to:

Follow-Ups:
- Re: Depenency Bugs in Debian Packages (long)
  - From: Jason Gunthorpe <jgg@ualberta.ca>

References:
- Re: Depenency Bugs in Debian Packages (long)
  - From: Ben Gertzfield <che@debian.org>

Prev by Date: Mozilla M8 startup issues (was RE: Request for Mozilla Testers)
Next by Date: Re: Depenency Bugs in Debian Packages (long)
Previous by thread: Re: Depenency Bugs in Debian Packages (long)
Next by thread: Re: Depenency Bugs in Debian Packages (long)
Index(es):
- Date
- Thread