Bug 525872

Summary: Please rebuild using external Adobe CMap and AGLFN data
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: qtAssignee: Ngo Than <than>
Status: ASSIGNED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: fonts-bugs, jgrulich, jreznik, kevin, rdieter, tcallawa, than
Target Milestone: ---Keywords: FutureFeature, Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-26 12:03:41 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 182235, 473302    

Description Nicolas Mailhot 2009-09-26 09:41:42 EDT
Description of problem:

The Debian fonttool packager noticed a problem in fonttool's embedded Adobe CMap and AGLFN data and got Adobe to release them under a good license

This data is embeded in many packages, including yours

Please rebuild your package using an external shared Adobe CMap and AGLFN data package

FE-LEGAL since this was all triggered by a legal checl Debian-side

See also
http://bonedaddy.net/pabs3/log/2009/09/24/adobe-data-freed/
http://lwn.net/Articles/354360/
http://opensource.adobe.com/wiki/display/cmap/CMap+Resources
Comment 1 Kevin Kofler 2009-09-26 10:47:44 EDT
As for the font bugs, it would be great if these bug reports included a list of the offending files in the specific package. You obviously must have scanned the packages for offending files to know they're affected, so it shouldn't be too hard to come up with such a list and it'd make it much easier to fix the issue and to be sure we fixed it completely.
Comment 2 Kevin Kofler 2009-09-26 11:09:55 EDT
Oh, and did you scan the source package or the binary package? The source package includes copies of some third-party libraries like freetype which we don't ship (we build Qt against the system freetype).
Comment 3 Nicolas Mailhot 2009-09-26 11:38:51 EDT
At this stage, I just relied on the google searches pabs linked to
So maybe they're not accurate in this case
Comment 4 Nicolas Mailhot 2009-09-26 11:41:10 EDT
The keywords he used are:
— aglfn.txt
— aglfn13.txt
— glyphlist.txt
— afii64937
Comment 5 Rex Dieter 2009-09-26 12:03:41 EDT
confirmed hits on
src/3rdparty/freetype
only, which we don't use.
Comment 6 Kevin Kofler 2009-09-26 12:06:23 EDT
I get several hits in src/3rdparty/freetype, which isn't really a problem for Qt as we don't ship its copy of freetype, but I guess you'll want to file a bug against freetype (and I'll clone the fix into freetype-freeworld as soon as freetype has it fixed).

There's also a hit for afii64937 inside src/gui/text/qfontsubset.cpp in the static const char * const agl array. That array appears to contain a processed copy of the data with no Adobe copyright notice. What should I do with it? Add a copy of the new copyright notice and the BSD license in a patch? (I guess it'll also need to show up somewhere in "supporting documentation" to really comply with the license and to actually make sense to patch for.)
Comment 7 Nicolas Mailhot 2009-09-26 12:13:04 EDT
(In reply to comment #1)
> As for the font bugs, it would be great if these bug reports included a list of
> the offending files in the specific package

Well for reports like
http://www.redhat.com/archives/fedora-fonts-list/2009-September/msg00005.html

it just can't be done there is too much data collected, I tried to post it the
first time and the lists refused to let the attached data pass (too big)

However it is always possible to ask me in PM for the data, or to run the test
yourself. It takes a simple bog-standard repo as argument, so if you don't want
to wait for a full rawhide run, just put the packages you're interested in a
dir, run createrepo on it, and point repo-font-audit there

(the current version only understands http:// and ftp:// URIs, I'm testing a
version that works with file:// too. Will probably publish it today)
Comment 8 Kevin Kofler 2009-09-26 12:16:27 EDT
That said, I'm not sure whether that list in qfontsubset.cpp is copyrightable at all, especially given that it is not even presented in the same format.
Comment 9 Nicolas Mailhot 2009-09-26 12:18:17 EDT
(In reply to comment #6)
> I get several hits in src/3rdparty/freetype, which isn't really a problem for
> Qt as we don't ship its copy of freetype, but I guess you'll want to file a bug
> against freetype (and I'll clone the fix into freetype-freeworld as soon as
> freetype has it fixed).

Yes. I'm also thinking of pointing Spot to this mess, as those files seems
duplicated pretty much everywhere, and this is the kind of cleanup op he did
before

> There's also a hit for afii64937 inside src/gui/text/qfontsubset.cpp in the
> static const char * const agl array. That array appears to contain a processed
> copy of the data with no Adobe copyright notice. What should I do with it? Add
> a copy of the new copyright notice and the BSD license in a patch? (I guess
> it'll also need to show up somewhere in "supporting documentation" to really
> comply with the license and to actually make sense to patch for.)

I suppose the clean solution would be to make it process a canonical copy of
the data at build time (that will make the licensing appear in rpm deps checks,
and make sure QT uses the same values as others). Dunno about the licensing
patch. To be honest my primary interest is to make sure all our software uses
the same values, and the legal angle is just here to make people interested
Comment 10 Nicolas Mailhot 2009-09-26 17:39:12 EDT
(In reply to comment #1)
> As for the font bugs, it would be great if these bug reports included a list of
> the offending files in the specific package.

If you see a way to improve this
http://www.redhat.com/archives/fedora-fonts-list/2009-September/msg00031.html
while staying within list limitations (size limit, wrapping, plain text) please say how
Comment 11 Tom "spot" Callaway 2009-11-30 17:35:28 EST
Is the relicensed CMAP/AGLFN data identical to the data inside this code?

At a minimum, a bug should be opened with upstream QT (and freetype) to have their local copies updated to the newer licensed versions.
Comment 12 Bug Zapper 2010-03-15 08:53:28 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle.
Changing version to '13'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Bug Zapper 2011-06-02 13:40:16 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Rex Dieter 2011-06-02 14:21:28 EDT
rebased.