Hello! As many of you already know, I am the maintainer of apt-listbugs. I wanted to address bug [792639]. [792639]: <https://bugs.debian.org/792639> Brief summary: apt-listbugs queries the Debian BTS through its SOAP interface at an http URL. Bug [792639] is a feature request: apt-listbugs should by default interact with the BTS at an https URL, in order to have encrypted communication (to enhance privacy). When the wishlist bug report was filed, OpenSSL was GPL-incompatible and this became a showstopper, since apt-listbugs and several dependencies are GPL-licensed with no OpenSSL exceptions: using https causes ruby-soap4r to load 'net/https', thus causing libruby to load 'openssl'. This is no longer an issue, since OpenSSL version 3.x.y is Apache-v2.0-licensed and thus GPL-v3-compatible. OpenSSL version 3.x.y is currently in Debian unstable, testing, and stable. Hence the current [status] is that I need to finish sorting out the licensing of indirect dependencies with GPL-v2-only parts (I am almost there) and I need to figure out how to express the incompatibility with pre-v3.x.y versions of OpenSSL. [status]: <https://bugs.debian.org/792639#113> I am seeking suggestions on this last point. How can package apt-listbugs express the fact that it cannot be used (for license incompatibility reasons) with a libruby that links with an old libssl (which is not Apache-v2.0-licensed)? If apt-listbugs directly depended on libssl, a versioned dependency could be OK (something like ">= 3.0.0-1", I think). But the point is that apt-listbugs does not directly depend on libssl. A while ago I thought to add a Depends: ruby3.0 (>= 3.0.4-7+b1) or a Depends: libruby3.0 (>= 3.0.4-7+b1) but it does not seem to be the Right Thing™ to do, because the actual dependency is only indirect. Also, those packages no longer exist: now there are ruby3.1 and libruby3.1 ... Mechanisms like Depends: ${shlibs:Depends} do not look appropriate, since, as I said, the dependency is only indirect. Maybe the correct way to express the incompatibility is: Breaks: libruby (<< 1:3.1) What do you think about this? Please Cc me on replies, I am not subscribed the list. Thanks! -- http://www.inventati.org/frx/ There's not a second to spare! To the laboratory! ..................................................... Francesco Poli . GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
Attachment:
pgp9lu_qhAYLL.pgp
Description: PGP signature