Hi Ulrike and Cecylia,
Thank you for looking at this!
To sum up the concerns that came from looking at it last time:

If I understand correctly from a quick look, Yawning distributes his changes under GNU GPL, while uTLS upstream has a BSD 3-Clause license [https://github.com/refraction-networking/utls/blob/master/LICENSE]. The BSD 3-Clause is in line with the Debian Free Software Guidelines (DFSG) [https://wiki.debian.org/DFSGLicenses#The_BSD-3-clause_License]. From my understanding, in Debian packaging, licenses generally apply to files, but it also seems possible (I never encountered such a case) to have several licenses for one file [https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-syntax]. Maybe someone could confirm that this is accepted. I'm now unsure what we referred to previously when saying that there might be licensing issues with Yawning's fork. It does not look like there are. Or am I missing something crucial here? If I'm not, then to move forward, one would need to open an RFP or ITP (Intent to Package) bug on the Debian bugtracker and then package this fork of uTLS.
golang-yawning-utls-dev is a fork of utls, which is itself a fork
of the golang tls library. This is a hard fork, any improvements
cannot be shipped upstream due to the difference in licensing that
you've identified. The upstream is very active - go has >1500
contributors, uTLS has >50 contributors. The fork we want to
package is maintained by very few people, if I'm not mistaken,
Yawning is the only core contributor.
I think there is a security implication here - if there is a
security advisory for the golang library, the Debian Security team
needs to work with the upstreams to apply security patches to it
and all of its forks in Debian, meaning this one too. If the delta
from upstream increases with every fork this could mean a lot of
pain.
However, my understanding of the dynamics could be entirely wrong,
so let me know if I'm off the mark.
Sending this to the Debian Security team, to ask if they see any
problems here. Including the source link:
https://gitlab.com/yawning/utls and ITP:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954209
If we're all good, I'd be very happy to help with packaging or even sponsoring this (I've recently completed the process to become DD, now under review!).
Happy to update this to the latest policy and reupload if this is something we want to do.
→ actually that package was uploaded to mentors.debian.org and could go to experimental.
Awesome, thank you for helping with this :)

Hey, I'm new to the Debian packaging space but am happy to help out here.
Thank you all,
Ana