From: Ludovic Courtès
To: Vagrant Cascadian
Cc: Danny Milosavljevic, 34717@debbugs.gnu.org
Subject: Re: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others
Date: Sun, 10 Mar 2019 18:12:54 +0100

Hi,

Vagrant Cascadian wrote:

> On 2019-03-09, Ludovic Courtès wrote:
>> Vagrant Cascadian wrote:
>>> On 2019-03-08, Ludovic Courtès wrote:
>>>> Vagrant Cascadian wrote:
>>>> In addition, we can add a ‘lint’ checker for this case, WDYT?
>>>
>>> Does the lint checker have a way to identify a confidence level,
>>> e.g. *maybe* it has this issue vs. *certainly*? Is there a way to
>>> override the lint checker issues for known false positives? Otherwise,
>>> it might just be annoying noise for packagers where it isn't
>>> appropriate.
>>
>> No it doesn’t have that notion of a confidence level.
>
> And I presume no overrides either, given no comment about that?

We could arrange for this lint “checker” to honor some per-package
property that would silence it. We do that with the ‘cve’ checker and
the ‘lint-hidden-cve’ property.

>> The warning could be triggered only when a package is GPL’d and has a
>> direct dependency on OpenSSL (we’d forget about indirect dependencies in
>> this case.) The noise would be rather limited and justified in this
>> case, I think. WDYT?
>
> The openssl package currently ships the "openssl" binary, as well as the
> libraries. I suspect there are at least three potential cases where a
> package might depend on it:
>
> * Calls the "openssl" binary as part of test suite or run-time. No
>   licensing compatibility issue, no worries!
>
> * Using include files from the openssl headers; I guess you could search
>   for "include .* openssl/*.h" in the source code. Might get some false
>   positives. Can be run without actually even building it.
>
> * Linking against the library which should actually be easy to detect
>   with ldd or other tools. Would need to build and then run the checks to
>   be sure.

So for the 1st case we’d definitely need that property to tell ‘lint’
that everything is known-good.

‘guix lint’ does very inexpensive tests, so unpacking the tarball and
grepping it would be beyond its scope.

However, if we can provide the warning and people have a way to silence
it, I guess we’re fine?

Thanks,
Ludo’.
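
The check discussed in this message (warn on a GPL'd package with a direct OpenSSL dependency unless a per-package property silences it), together with a stricter form of the header search from the quoted list, as an added example that is not part of the original message and not Guix code. Packages are modelled as plain Python dicts, and the property name `lint-openssl-known-good`, the package names and the license set are assumptions made for illustration.

```python
import re

# Hypothetical property name, modelled on the 'lint-hidden-cve' property
# mentioned in the message; it is not an existing Guix property.
SILENCE_PROPERTY = "lint-openssl-known-good"

# Simplified stand-in for "the package is GPL'd" (assumption).
GPL_LICENSES = {"gpl2", "gpl2+", "gpl3", "gpl3+"}

# Only matches real preprocessor lines such as '#include <openssl/ssl.h>',
# which is narrower than searching for "include .* openssl/*.h".
OPENSSL_INCLUDE = re.compile(
    r'^\s*#\s*include\s*[<"]openssl/[\w./-]+\.h[>"]', re.M)


def includes_openssl(source_text):
    """Return True if C source text includes an OpenSSL header.

    Still a heuristic: an include inside a block comment would match.
    """
    return bool(OPENSSL_INCLUDE.search(source_text))


def check_gpl_openssl(package):
    """Return a warning string, or None when there is nothing to report."""
    if package.get("properties", {}).get(SILENCE_PROPERTY):
        return None  # packager marked it known-good (e.g. only runs the binary)
    if not GPL_LICENSES & set(package["licenses"]):
        return None  # not GPL'd
    if "openssl" not in package["direct_inputs"]:
        return None  # indirect dependencies are deliberately ignored
    return f"{package['name']}: GPL'd package has a direct dependency on OpenSSL"


# Constructed sample records, not real package definitions.
SAMPLES = [
    {"name": "pkg-links", "licenses": ["gpl2+"], "direct_inputs": ["openssl"]},
    {"name": "pkg-runs-binary", "licenses": ["gpl3+"],
     "direct_inputs": ["openssl"], "properties": {SILENCE_PROPERTY: True}},
    {"name": "pkg-indirect", "licenses": ["gpl3+"], "direct_inputs": ["curl"]},
    {"name": "pkg-permissive", "licenses": ["expat"], "direct_inputs": ["openssl"]},
]


def lint_all(packages):
    """Return the list of warnings for a collection of package records."""
    return [w for w in map(check_gpl_openssl, packages) if w]
```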