Bug#635974: pu: package win32-loader/0.6.21

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#635974: pu: package win32-loader/0.6.21
From: Didier Raboud <odyx@debian.org>
Date: Fri, 29 Jul 2011 23:54:26 +0200
Message-id: <[🔎] 20110729215425.16080.44040.reportbug@Tamino>
Reply-to: Didier Raboud <odyx@debian.org>, 635974@bugs.debian.org

Package: release.debian.org
Severity: important
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Stable Release Managers, 

As I discussed today with Adam Barratt and Mark Hymers at DC11, I discovered
that the current version of win32-loader as shipped in stable might actually
violate the GPL: both the CD version (as shipped in the win32-loader binary
package) and the "standalone" version (as [wrongly] shipped directly on the
mirrors [0]) ship binary files from:

	- grub-pc (g2ldr, g2ldr.mbr)
	- loadlin (loadlin.exe)
	- cpio-win32 (cpio.exe)
	- gzip-win32 (gzip.exe)

There are two problems with the current state:

a) win32-loader 0.6.21 was uploaded (hence built) on 2010-12-09. At that time,
those packages were in given versions but stable was released with other
versions. The following array tries to demonstrate the problem:

Name    | Version at upload time | Version in stable | Status
-------------------------------------------------------------
grub2   | 1.98+20100804-10       | 1.98+20100804-14  - KO
loadlin | 1.6e-1                 | 1.6e-1            - OK
cpio    | 2.11-5                 | 2.11-4            - KO
gzip    | 1.3.12-9               | 1.3.12-9          - OK

So at least two embedded binaries cannot be rebuilt using sources from stable.

b) #616324: This bug is about a weird archive behaviour, somehow fixed since
then, about the three "suites" being equal binaries. The current problem of
this is that the version shipped in tools/win32-loader/stable/win32-loader.exe
is actually _not_ 0.6.21, but 0.6.22 (you can see this by running it in wine,
which is harmless).

So in order to fix this, my plan is to upload a win32-loader 0.6.21+squeeze0
to stable(-proposed-update) that would include the following changes: 

- add a Built-Using field in the binary package (to track GPL-compliance)
- add the "byhand" code, backported from current unstable (to push the
  standalone version to the archive)
- document versions and pointers to sources in the pool/ directories (to
  enhance documentation)

A proposed source, debdiff and built package is there:

http://alioth.debian.org/~odyx-guest/packages/win32-loader/

What do you think ?

By the way, I will make sure an upload of win32-loader to unstable happens
soon™ with all these changes (I'll have to find a sponsor as I'm at DC11
and my smartcard with my GPG subkey broke).

Cheers, 

OdyX

[0] http://ftp.debian.org/debian/tools/win32-loader/stable/win32-loader.exe

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Reply to:

Prev by Date: Bug#633460: pu: package freebsd-utils/8.1-4+squeeze1
Next by Date: Processed: affects 635974
Previous by thread: Re: binNMUs for gtk+2.0 / pango1.0 multiarch changes / la file removal
Next by thread: Processed: affects 635974
Index(es):
- Date
- Thread