Bug#635974: pu: package win32-loader/0.6.21
Package: release.debian.org
Severity: important
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Stable Release Managers,
As I discussed today with Adam Barratt and Mark Hymers at DC11, I discovered
that the current version of win32-loader as shipped in stable might actually
violate the GPL: both the CD version (as shipped in the win32-loader binary
package) and the "standalone" version (as [wrongly] shipped directly on the
mirrors [0]) ship binary files from:
- grub-pc (g2ldr, g2ldr.mbr)
- loadlin (loadlin.exe)
- cpio-win32 (cpio.exe)
- gzip-win32 (gzip.exe)
There are two problems with the current state:
a) win32-loader 0.6.21 was uploaded (hence built) on 2010-12-09. At that time,
those packages were in given versions but stable was released with other
versions. The following array tries to demonstrate the problem:
Name | Version at upload time | Version in stable | Status
-------------------------------------------------------------
grub2 | 1.98+20100804-10 | 1.98+20100804-14 - KO
loadlin | 1.6e-1 | 1.6e-1 - OK
cpio | 2.11-5 | 2.11-4 - KO
gzip | 1.3.12-9 | 1.3.12-9 - OK
So at least two embedded binaries cannot be rebuilt using sources from stable.
b) #616324: This bug is about a weird archive behaviour, somehow fixed since
then, about the three "suites" being equal binaries. The current problem of
this is that the version shipped in tools/win32-loader/stable/win32-loader.exe
is actually _not_ 0.6.21, but 0.6.22 (you can see this by running it in wine,
which is harmless).
So in order to fix this, my plan is to upload a win32-loader 0.6.21+squeeze0
to stable(-proposed-update) that would include the following changes:
- add a Built-Using field in the binary package (to track GPL-compliance)
- add the "byhand" code, backported from current unstable (to push the
standalone version to the archive)
- document versions and pointers to sources in the pool/ directories (to
enhance documentation)
A proposed source, debdiff and built package is there:
http://alioth.debian.org/~odyx-guest/packages/win32-loader/
What do you think ?
By the way, I will make sure an upload of win32-loader to unstable happens
soon™ with all these changes (I'll have to find a sponsor as I'm at DC11
and my smartcard with my GPG subkey broke).
Cheers,
OdyX
[0] http://ftp.debian.org/debian/tools/win32-loader/stable/win32-loader.exe
-- System Information:
Debian Release: wheezy/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply to: