Re: GPL-licensed software linked against libssl on buildds!
Fabian Greffrath <fabian@greffrath.com> writes:
> it seems that some buildds occasionally have libssl-dev installed in
> their chroot. A friend of mine has found out that the netatalk package
> depends on libssl0.9.8 [sparc] in sid and [hppa, mipsel] in squeeze.
> Other architectures are not affected. For GPL-licensed software like
> netatalk this is IMHO to be considered a license violation and thus RC!
> If you have a look at the build logs on e.g. sparc, you will see that
> indeed the configure script detects an OpenSSL installation and builds
> the package against it:
> <https://buildd.debian.org/fetch.cgi?pkg=netatalk;ver=2.0.5-2;arch=sparc;stamp=1259628740>
> This doesn't happen on other archs:
> <https://buildd.debian.org/pkg.cgi?pkg=netatalk>
> I guess the buildds for the affected archs need their chroots cleaned up
> and netatalk needs bin-NMUs scheduled, right?
This is a bug in the netatalk Debian packaging. You cannot assume the
package will be built in a clean chroot; among other things, the buildd
software explicitly does not guarantee that all packages will be removed.
The packaging needs to prevent the package from being linked with OpenSSL
if that's what the resulting binary packages are supposed to be like, even
if OpenSSL is installed.
If the changes to the packaging are too invasive to do the right thing no
matter what's installed, you can add a Build-Conflicts.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: