On Fri, Jan 28, 2005 at 08:17:18PM +0100, Andreas Metzler wrote:
> On 2005-01-28 sean finney <seanius@debian.org> wrote:
> > On Fri, Jan 28, 2005 at 04:36:05PM +0100, Andreas Metzler wrote:
> > > On Fri, Jan 28, 2005 at 05:03:26AM -0800, Steve Langasek wrote:
> > > [...]
> > > > Over the past six months, the situation has changed
> > > > significantly. The mysql maintainer, mysql upstream, and others
> > > > have admirably worked through the license issues to get a
> > > > license exception that meets the needs of the software that
> > > > Debian distributes. You can find the current version of this
> > > > license exception at [1].

> > > At a short glance this still seems to be missing a OpenSSL exception.
> > > - Has this been resolved?

> > no, afaik the openssl-related code in debian mysql-foo is disabled[1].
> [...]

> This seems to break the whole plan. A nontrivial number of packages
> need to link against libmysqlclient* _and_ libssl. If libmysql12's
> license does not allow that, we are screwed.

> ametzler@downhill:~$ grep-available -FDepends libmysqlclient10 | grep-dctrl -FDepends -sPackage -n libssl
> perdition-mysql
> dovecot-common
> caudium-php4
> sqlrelay-mysql
> motion
> pure-ftpd-mysql
> proftpd-mysql
> gnugk

Of these packages, the only one that was on the list of packages that
need to transition together is caudium-php4. The php4 source package is
also due for a reorg to enable ZTS, which will remove the need for
statically building the mysql extension into this package; if we need to
make this change at the same time as the mysql transition, then so be it.
The only other package in your list that was mentioned at all in my email
is dovecot-common, which is only loosely coupled with the others as a
result of libpam/nss-mysql and libsasl2-modules-sql.

> And these are just direct linkages against both libraries, there's
> also a lot of bar depends on both libmysqlclient10 and libbar and
> libbar itself links against libssl. - I never remember whether we
> actually (have to) respect indirect linkage like that license-wise but
> judging from cadaver I guess we do.

This affects the PHP packages, since all the SAPI alternatives that
php4-mysql can use currently link against libssl. I'll need to
investigate more to see if we can get away from this; even if it means
dropping the PHP OpenSSL extension, I think it's probably still a good
trade.

It also seems to affect libapache2-mod-auth-mysql, since apache2 includes
https support by default. I don't see any way to fix this one.

I don't see any other packages in the list that are likely to have this
problem, although I haven't traced the dependencies to be sure.

That leaves us with several choices:

- ignore libapache2-mod-auth-mysql for the transition, and hope the
  actual incidence of segfaults from intersecting libraries is low.
- push symbol versioning into libmysqlclient10 and libmysqlclient12, and
  break up the transition
- cajole upstream into adding OpenSSL to the list of license exceptions
- ship sarge with a broken myodbc package

Of course, I would in any case delay the transition until we can decide
on a way forward from here.

Comments?

--
Steve Langasek
postmodern programmer