
Re: libidn re-license



Florian Weimer <fw@deneb.enyo.de> writes:

> * Simon Josefsson:
>
>> I co-maintain the libidn package.  As upstream, I recently relicensed it
>> from LGPLv2+ to GPLv2+|LGPLv3+.  I'd like to upload the latest version
>> into Debian before Wheezy since a pretty nasty infinite-loop bug has
>> been fixed.
>
> Should we get that into stable-security, under the old license?

It wouldn't hurt, but I'm also not sure if it is worth the work.  If any
significant application triggered this particular code path, people
should have noticed the problem a long time ago.  It is at worst an
easily diagnosed DoS causing the library to busy-loop forever.  All the
pr29_* functions are affected, but they don't appear to be widely used.

>> (GPLv2-only and LGPLv3+ are incompatible.)
>
> Nowadays, almost all GPLv2-only programs link to library code licensed
> under the GPLv3 (with a linking exception on the library side), so we
> pretend that they are, at least to some degree.

What does that link exception look like?  I only recall seeing
suggestions to use the dual-GPLv2+|LGPLv3+ approach as a workaround
before.

/Simon

