[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: eleventh-hour transition for mysql-using packages related to apache

On Fri, Jan 28, 2005 at 08:17:18PM +0100, Andreas Metzler wrote:
> On 2005-01-28 sean finney <seanius@debian.org> wrote:
> > On Fri, Jan 28, 2005 at 04:36:05PM +0100, Andreas Metzler wrote:
> > > On Fri, Jan 28, 2005 at 05:03:26AM -0800, Steve Langasek wrote:
> > > [...] 
> > > > Over the past six months, the situation has changed
> > > > significantly.  The mysql maintainer, mysql upstream, and others
> > > > have admirably worked through the license issues to get a
> > > > license exception that meets the needs of the software that
> > > > Debian distributes.  You can find the current version of this
> > > > license exception at [1].

> > > At a short glance this still seems to be missing a OpenSSL exception.
> > > - Has this been resolved?

> > no, afaik the openssl-related code in debian mysql-foo is disabled[1].
> [...]

> This seems to break the whole plan. A nontrivial number of packages
> need to link against libmysqlclient* _and_ libssl. If libmysql12's
> license does not allow that, we are screwed.

> ametzler@downhill:~$ grep-available -FDepends libmysqlclient10 | grep-dctrl  -FDepends  -sPackage -n libssl
> perdition-mysql
> dovecot-common
> caudium-php4
> sqlrelay-mysql
> motion
> pure-ftpd-mysql
> proftpd-mysql
> gnugk

Of these packages, the only one that was on the list of packages that need
to transition together is caudium-php4.  The php4 source package is also due
for a reorg to enable ZTS, which will remove the need for statically
building the mysql extension into this package; if we need to make this
change at the same time as the mysql transition, then so be it.

The only other package in your list that was mentioned at all in my email
is dovecot-common, which is only loosely coupled with the others as a result
of libpam/nss-mysql and libsasl2-modules-sql.

> And these are just direct linkages against both libraries, there's
> also a lot of bar depends on both libmysqlclient10 and libbar and
> libbar itself links against libssl. - I never remember whether we
> actually (have to) respect indirect linkage like that license-wise but
> judging from cadaver I guess we do.

This affects the PHP packages, since all the SAPI alternatives that
php4-mysql can use currently link against libssl.  I'll need to investigate
more to see if we can get away from this; even if it means dropping the PHP
OpenSSL extension, I think it's probably still a good trade.

It also seems to affect libapache2-mod-auth-mysql, since apache2 includes
https support by default.  I don't see any way to fix this one.

I don't see any other packages in the list that are likely to have this
problem, although I haven't traced the dependencies to be sure.

That leaves us with several choices:

- ignore libapache2-mod-auth-mysql for the transition, and hope the actual
  incidence of segfaults from intersecting libraries is low.
- push symbol versioning into libmysqlclient10 and libmysqlclient12, and
  break up the transition
- cajole upstream into adding OpenSSL to the list of license exceptions
- ship sarge with a broken myodbc package

Of course, I would in any case delay the transition until we can decide on a
way forward from here.


Steve Langasek
postmodern programmer

Attachment: signature.asc
Description: Digital signature

Reply to: