
Re: testssl.sh 3.0~rc5+dfsg1 in Debian



Howdy,

First off, thanks for your response!

On Tue, 5 Nov 2019, Samuel Henrique wrote:

> Hello Unit,
>
> > After looking into testssl.sh again, I noticed on the release page[0] it states
> > that 2.9.5 won't be supported once 3.0 lands, and encourages distributors to
> > pick up 3.0rc5.  I did some packaging work[1] to import the new version, refresh
> > patches, and other minor things and it'd be cool if you could pull the changes.
> >
> > This version is specifically interesting as it has support for TLS 1.3.
>
> I really appreciate your work, but version 3.0 of testssl has a licensing issue
> that needs to be resolved before packaging it for Debian: upstream decided to add
> a clause to their GPL license stating that any public use of it must mention where they've
> got the program from. I'm worried as to how this relates to the DFSG, more specifically:
> https://github.com/drwetter/testssl.sh/blob/3b89dc6b0a41299fbf462789998e4c103f4f0210/testssl.sh#L19-L22

Correct me if I'm wrong, but from what I'm reading, the section you point to is already in Debian[0], and was actually there since the initial upload[1]? There was a minor wording change in 5257c2f3 but as I understand it one was already bound to the license anyway.

> I *think* this is ok (didn't think enough about it) but I feel like a discussion on debian-legal
> would be better and I don't feel confident uploading this without it.
>
> Did you notice that as well? What are your thoughts on it?

I'd think since the initial upload passed review, the wording change wouldn't be any cause for alarm since that's just about having to obey the license. But I would happily read any other opinions!

> On a sidenote, if I remember correctly, testssl suffers from the same issue as o-saft,
> another ssl vuln detector, as it needs to have an old version of openssl to check for legacy
> stuff, otherwise it won't support them.

Yeah, the tarballs bundle openssl with all options enabled, part of the repacking removes that. It loses the ability to detect some issues but still can be quite useful! I recently used this to check one of my other packages while testing a patch for WolfSSL support. It showed a hang with TLS 1.3 whereas everything else worked.


[0]: https://sources.debian.org/src/testssl.sh/2.9.5-7+dfsg1-2/testssl.sh/#L22
[1]: https://salsa.debian.org/pkg-security-team/testssl.sh/blob/4b771208e63d86a094743b7b0c3994ef9f141646/testssl.sh#L21

~Unit 193
Unit193 @ OFTC
Unit193 @ freenode
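The point raised above about the repacked package "losing the ability to detect some issues" comes down to one fact: a TLS scanner built on a modern OpenSSL cannot negotiate SSLv3/TLS 1.0 or RC4/3DES/EXPORT suites, so it cannot report servers that still offer them. The script below is an added example, not code from testssl.sh, O-Saft or the Debian package; it asks the local TLS library (Python's ssl module, which wraps the system OpenSSL) what it can speak and lists the legacy features a scanner on that library would be blind to. The protocol names, cipher-family markers and the constructed capability dictionary in the comments are assumptions for illustration.

```python
"""Report which legacy TLS protocols and cipher families the local TLS
library can negotiate, so you know what a scanner built on it cannot
detect. Added example; not part of testssl.sh or its Debian packaging."""
import ssl

# Legacy protocol versions a scanner would need to negotiate (assumed list).
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1")
# Substrings of OpenSSL cipher names that mark weak/legacy families (assumed list).
LEGACY_CIPHER_MARKERS = ("RC4", "DES", "EXPORT", "NULL", "MD5")


def local_capabilities():
    """Collect protocol and cipher support from the ssl module (system OpenSSL)."""
    caps = {
        "openssl": ssl.OPENSSL_VERSION,
        "protocols": {
            # HAS_* flags reflect what the linked OpenSSL was built with.
            "SSLv2": getattr(ssl, "HAS_SSLv2", False),
            "SSLv3": getattr(ssl, "HAS_SSLv3", False),
            "TLSv1": getattr(ssl, "HAS_TLSv1", False),
            "TLSv1_1": getattr(ssl, "HAS_TLSv1_1", False),
            "TLSv1_3": getattr(ssl, "HAS_TLSv1_3", False),
        },
    }
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Ask for every suite the library knows, not just the secure defaults.
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    except ssl.SSLError:
        pass  # keep the default list if the library rejects the string
    caps["ciphers"] = sorted(c["name"] for c in ctx.get_ciphers())
    return caps


def blind_spots(caps):
    """Return the legacy protocols and cipher families the library cannot
    exercise; a scanner on this library will never flag them on a server."""
    missing_protocols = [p for p in LEGACY_PROTOCOLS
                         if not caps["protocols"].get(p)]
    names = caps["ciphers"]
    missing_families = [m for m in LEGACY_CIPHER_MARKERS
                        if not any(m in n for n in names)]
    return {"protocols": missing_protocols, "cipher_families": missing_families}


if __name__ == "__main__":
    caps = local_capabilities()
    print("library:", caps["openssl"])
    gaps = blind_spots(caps)
    print("cannot negotiate protocols:", ", ".join(gaps["protocols"]) or "none")
    print("no suites from families:", ", ".join(gaps["cipher_families"]) or "none")
```

Run it on the host where the scanner will run; an empty "cannot negotiate" line means the library is legacy-capable, while a long one explains why a scan against an old server comes back cleaner than it should. testssl.sh itself accepts an alternative binary via its `--openssl` option, which is how the upstream tarball's bundled build is normally wired in.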
