|Summary:||Review Request: globus-gssapi-gsi - Globus Toolkit - GSSAPI library|
|Product:||[Fedora] Fedora||Reporter:||Mattias Ellert <mattias.ellert>|
|Component:||Package Review||Assignee:||Orcan Ogetbil <oget.fedora>|
|Status:||CLOSED NEXTRELEASE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||fedora-package-review, k.georgiou, notting, oget.fedora, tcallawa|
|Fixed In Version:||5.9-2.fc11||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2009-05-20 00:49:46 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||453847, 453848, 453850, 453851, 453853, 453855, 453856, 453858, 453861, 453862|
|Bug Blocks:||467239, 478919, 478922, 478925, 478930, 478931|
Description Mattias Ellert 2008-10-16 14:34:05 UTC
Spec URL: http://www.grid.tsl.uu.se/repos/globus/fedora/9/info/globus-gssapi-gsi.spec SRPM URL: http://www.grid.tsl.uu.se/repos/globus/fedora/9/src/SRPMS/globus-gssapi-gsi-5.9-0.2.fc9.src.rpm Description: The Globus Toolkit is an open source software toolkit used for building Grid systems and applications. It is being developed by the Globus Alliance and many others all over the world. A growing number of projects and companies are using the Globus Toolkit to unlock the potential of grids for their cause. The globus-gssapi-gsi package contains: GSSAPI library BuildRequires: gpt BuildRequires: globus-gsi-credential-devel >= 1 BuildRequires: globus-gsi-callback-devel BuildRequires: globus-openssl-module-devel BuildRequires: globus-gsi-openssl-error-devel BuildRequires: globus-openssl-devel >= 1 BuildRequires: globus-gsi-proxy-core-devel >= 1 BuildRequires: globus-core-devel >= 4 BuildRequires: globus-gsi-cert-utils-devel >= 5 BuildRequires: globus-common-devel >= 3 Based on the globus toolkit 4.2.1 release. All applied patches submitted upstream: Use versioned symbols for GSSAPI functions (like kerberos): http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6415 http://bugzilla.nordugrid.org/show_bug.cgi?id=1106 Fix some doxygen warnings: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6479
Comment 1 Mattias Ellert 2008-10-17 16:45:44 UTC
Doxygen patch accepted upstream: http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/gssapi.h?r1=1.21&r2=1.22 http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/inquire_cred.c?r1=1.11&r2=1.12 http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/wrap.c?r1=1.15&r2=1.16
Comment 2 Mattias Ellert 2008-10-21 16:55:12 UTC
Versioned symbols patch accepted upstream: http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/configure.in?r1=1.11&r2=1.12 http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/Makefile.am?r1=1.22&r2=1.23 http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/gssapi.sym?r1=1.1&r2=1.2
Comment 3 Mattias Ellert 2008-10-29 12:38:41 UTC
globus-gssapi-gsi library not thread safe bug: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6510 Patch accepted upstream: http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c?r1=1.51&r2=1.52
Comment 4 Mattias Ellert 2009-01-06 00:50:14 UTC
This package was updated due to the renaming of the GPT package. SRPM: http://www.grid.tsl.uu.se/repos/globus/fedora/10/src/SRPMS/globus-gssapi-gsi-5.9-0.3.fc10.src.rpm SPEC: http://www.grid.tsl.uu.se/repos/globus/info/globus-gssapi-gsi.spec One additional patch submitted upstream: Dereferencing of type-punned pointers: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6604
Comment 5 Mattias Ellert 2009-03-16 00:00:20 UTC
New version - Added s390x as 64 bit arch - Added comment documenting source - Adapt to changes in the globus-core package http://www.grid.tsl.uu.se/repos/globus/fedora/10/src/SRPMS/globus-gssapi-gsi-5.9-0.5.fc10.src.rpm http://www.grid.tsl.uu.se/repos/globus/info/globus-gssapi-gsi.spec
Comment 6 Mattias Ellert 2009-04-17 13:44:32 UTC
Package updated due to new packaging guidelines - Change defines to globals - Remove explicit requires on library packages http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi-5.9-1.fc10.src.rpm http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi.spec Draft packaging guidelines for Globus packages are now available: http://fedoraproject.org/wiki/PackagingDrafts/Globus
Comment 7 Orcan Ogetbil 2009-05-10 19:05:55 UTC
Here is my review for this one: ? This is possibly an inconsistency: globus-gsi-credential package has BuildRequires: globus-gsi-cert-utils-devel >= 1 whereas this package has BuildRequires: globus-gsi-cert-utils-devel >= 5 Is this intentional? $ rpm -q globus-gsi-cert-utils globus-gsi-cert-utils-5.5-1.fc10.x86_64 - rpmlint globus-gssapi-gsi-devel.x86_64: W: no-documentation can be ignored. - koji rawhide build is fine: http://koji.fedoraproject.org/koji/taskinfo?taskID=1346454 ? library/ssl_locl.h contains a copy of BSD with advertising. Does that make this package "ASL 2.0 and BSD" ?
Comment 8 Mattias Ellert 2009-05-11 07:57:29 UTC
(In reply to comment #7) > Here is my review for this one: > > ? This is possibly an inconsistency: globus-gsi-credential package has > BuildRequires: globus-gsi-cert-utils-devel >= 1 > whereas this package has > BuildRequires: globus-gsi-cert-utils-devel >= 5 > Is this intentional? > $ rpm -q globus-gsi-cert-utils > globus-gsi-cert-utils-5.5-1.fc10.x86_64 This is not inconsistent. This package uses features that were introduce in version 5 of globus-gsi-cert-utils, while globus-gsi-credential only uses features that have been in the library since version 1. The GPT source package description for globus-gsi-credential says: <Source_Dependencies Type="compile"> <Dependency Name="globus_gsi_cert_utils"> <Version> <Simple_Version Major="1"/> </Version> </Dependency> </Source_Dependencies> While for this package it says: <Source_Dependencies Type="compile"> <Dependency Name="globus_gsi_cert_utils"> <Version> <Simple_Version Major="5"/> </Version> </Dependency> </Source_Dependencies> The rpm build requires reflect this. > - rpmlint > globus-gssapi-gsi-devel.x86_64: W: no-documentation > can be ignored. > > - koji rawhide build is fine: > http://koji.fedoraproject.org/koji/taskinfo?taskID=1346454 > > ? library/ssl_locl.h contains a copy of BSD with advertising. Does that make > this package "ASL 2.0 and BSD" ? As far as I can tell - no. The file is not installed as part of the binary package, so its license does not influence the license of the package directly. So the question is whether the license of this file influences the license of the package indirectly from being part of the compilation of the library. The file as included in the source tarball has three license statements: 1. Apache 2.0 2. BSD with advertising 3. OpenSSL So when compiling this (Apache 2.0 or BSD with advertising or OpenSSL) with all the other files which are Apache 2.0 the resulting binary is Apache 2.0.
Comment 9 Orcan Ogetbil 2009-05-11 15:51:43 UTC
(In reply to comment #8) > The file as included in the source tarball has three license statements: > > 1. Apache 2.0 > 2. BSD with advertising > 3. OpenSSL > Yes there is also that third statement, Openssl. > So when compiling this (Apache 2.0 or BSD with advertising or OpenSSL) with all > the other files which are Apache 2.0 the resulting binary is Apache 2.0. At this point I can't be sure if we should regard this as "X or Y or Z". Why is it not "X and Y and Z"? I don't see an indication of either convention in the source. Shall we ask FE-Legal?
Comment 10 Orcan Ogetbil 2009-05-11 16:28:35 UTC
I checked our openssl package at Fedora. This ssl/ssl_locl.h file contains two statements, * BSD with advertising * OpenSSL The globus folks just took that file and added a new licence to it (Apache 2.0). Are they legally allowed to do that? Let's block FE-Legal. This is something I can't (and shouldn't) decide by myself.
Comment 11 Mattias Ellert 2009-05-11 22:07:50 UTC
The two original licenses in the file are the original dual licensing of openssl: http://www.openssl.org/source/license.html Upstream then copied the file into their source and added their own license statement to it, which is Apache 2. I agree this addition is a bit questionable. If this file would instead have been installed as part of the openssl package then this package would be Apache-2 like all the other globus packages. Also, if the "relicensing" done by upstream is OK, then we can say this file is Apache 2, and then the package would be Apache 2 as well. However, if this is not the case the library is a unit compiled from some sources having Apache 2 license and other sources (one file) having openssl license. These two licenses are compatible with each other, but neither of them "wins" the way GPL always does. In this case the License tag should be "ASL 2.0 and OpenSSL". This might in fact be the right thing to do.
Comment 12 Mattias Ellert 2009-05-11 22:31:42 UTC
Reading the original openssl license more carefully: * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] makes the Apache license statement added by Globus a bit dubious. Or maybe it was intended as an an AND and not an OR - but then why do it? Anyway I'm getting more inclined to change the License tag to "ASL 2.0 and OpenSSL".
Comment 13 Mattias Ellert 2009-05-12 14:57:19 UTC
I have created a new version where the license tag is "ASL 2.0 and OpenSSL": http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi-5.9-2.fc10.src.rpm http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi.spec I now think this makes the most sense.
Comment 14 Orcan Ogetbil 2009-05-12 15:17:19 UTC
Yes, I agree that that's the best thing to do with what we have, but the biggest doubt here is whether upstream globus is legally allowed to add a new license an top of the existing one or not. FE-Legal usually responds in a couple days. You can send an email to their mailing list if you want.
Comment 15 Tom "spot" Callaway 2009-05-12 20:54:32 UTC
I would point out to globus upstream that they do not have permission to change the licensing terms on that file. Also, since this is an exact copy of the openssl headers, why are we even using it? We should be using the system openssl-devel files.
Comment 16 Mattias Ellert 2009-05-12 22:23:45 UTC
(In reply to comment #15) > I would point out to globus upstream that they do not have permission to change > the licensing terms on that file. Also, since this is an exact copy of the > openssl headers, why are we even using it? We should be using the system > openssl-devel files. I have filed a bugzilla report upstream about the license issue: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6736 Globus is using the system openssl-devel header files when possible. However, this file is not installed by a normal openssl installation, and is therefore not part of the openssl-devel package. So there is no system version to use of this file.
Comment 17 Tom "spot" Callaway 2009-05-12 22:26:46 UTC
I'm not sure if that is better or worse, because it means they're using unpublished private openssl API.
Comment 18 Orcan Ogetbil 2009-05-13 01:21:14 UTC
There are also these files library/pkcs11*.h that carry yet another license but they don't get compiled. So, for now, they won't cause us any trouble. Can you ask upstream about these files too, what are they for, are they going to get compiled in a future version etc.?
Comment 19 Mattias Ellert 2009-05-13 04:22:31 UTC
(In reply to comment #18) > Can you ask upstream about these files too, what are they for, are they going > to get compiled in a future version etc.? http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6737
Comment 20 Orcan Ogetbil 2009-05-18 19:06:31 UTC
spot, It looks like the upstream is a little slow with responding. Can we come up with a temporary resolution until they respond since there are many other globus packages that depend on this one awaiting review? If yes, what should the license tag be? Or is this an absolute blocker?
Comment 21 Tom "spot" Callaway 2009-05-18 19:22:55 UTC
"ASL 2.0 and OpenSSL" is the correct license tag. I don't think this is a blocker, even though upstream has incorrected added the ASL 2.0 terms to the OpenSSL header files. We'll just use those files under the proper OpenSSL licensing. Please follow up with upstream to get it corrected, but I'm lifting FE-Legal.
Comment 22 Tom "spot" Callaway 2009-05-18 19:23:25 UTC
incorrected should be "incorrectly". It's a Monday, sorry.
Comment 23 Orcan Ogetbil 2009-05-18 19:49:14 UTC
Okay then. Thanks spot! There are no other issues with this package. ---------------------------------------------------- This package (globus-gssapi-gsi) is APPROVED by oget ----------------------------------------------------
Comment 24 Mattias Ellert 2009-05-18 21:02:38 UTC
Thank you for the review. I will follow what upstream will do about the issue. New Package CVS Request ======================= Package Name: globus-gssapi-gsi Short Description: Globus Toolkit - GSSAPI library Owners: ellert Branches: F-9 F-10 F-11 EL-4 EL-5 InitialCC:
Comment 25 Kevin Fenzi 2009-05-18 23:41:36 UTC
Comment 26 Fedora Update System 2009-05-19 06:37:38 UTC
globus-gssapi-gsi-5.9-2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc9
Comment 27 Fedora Update System 2009-05-19 06:37:43 UTC
globus-gssapi-gsi-5.9-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc10
Comment 28 Fedora Update System 2009-05-19 21:09:11 UTC
globus-gssapi-gsi-5.9-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc11
Comment 29 Fedora Update System 2009-05-20 00:49:40 UTC
globus-gssapi-gsi-5.9-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2009-05-20 00:55:22 UTC
globus-gssapi-gsi-5.9-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2009-05-21 00:00:01 UTC
globus-gssapi-gsi-5.9-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.