Bug 1023717 - xl2tpd-1.3.3 is available
Summary: xl2tpd-1.3.3 is available
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: xl2tpd   
(Show other bugs)
Version: rawhide
Hardware: Unspecified Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: FutureFeature, Triaged
Depends On:
Blocks: FE-Legal
TreeView+ depends on / blocked
 
Reported: 2013-10-27 10:03 UTC by Upstream Release Monitoring
Modified: 2014-01-22 22:18 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-22 22:18:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Upstream Release Monitoring 2013-10-27 10:03:21 UTC
Latest upstream release: 1.3.2rc4
Current version/release in Fedora Rawhide: 1.3.1-14.fc20
URL: https://github.com/xelerance/xl2tpd/tags

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring

Comment 1 Upstream Release Monitoring 2013-11-16 10:52:26 UTC
Latest upstream release: 1.3.2
Current version/release in Fedora Rawhide: 1.3.1-14.fc20
URL: https://github.com/xelerance/xl2tpd/tags

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring

Comment 2 Upstream Release Monitoring 2014-01-04 11:09:05 UTC
Latest upstream release: 1.3.3
Current version/release in Fedora Rawhide: 1.3.1-14.fc20
URL: https://github.com/xelerance/xl2tpd/tags

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring

Comment 3 Paul Wouters 2014-01-04 20:52:46 UTC
CC:ing fe-legal on this bug:


There is an interesting change in license of xl2tpd 1.3.3:

https://github.com/xelerance/xl2tpd/commit/f039398af5d97921ade559c0e6d5b11a818ddff5

+Special exception for linking xl2tpd with OpenSSL:
+
+  In addition, as a special exception, Xelerance Corporation gives
+  permission to link the code of this program with the OpenSSL
+  library (or with modified versions of OpenSSL that use the same
+  license as OpenSSL), and distribute linked combinations including
+  the two. You must obey the GNU General Public License in all
+  respects for all of the code used other than OpenSSL. If you modify
+  this file, you may extend this exception to your version of the
+  file, but you are not obligated to do so. If you do not wish to
+  do so, delete this exception statement from your version.

However, I worked at Xelerance, when we forked Mark Spencer's l2tpd code which is licensed under GPLv2+. There are also significant contributions made by other people under the GPL. I am not aware of authors having been contacted about this change of license. Neither I nor Tuomo Soini have been contacted.

This change was done when they merged in one of my FIPS patches from the fedora branch that removed native md5 code to use openssl's md5 code to ensure FIPS compliance. This might have caused a license problem by mixing GPL and the openssl license?

Should I change the code in fedora to use nss instead of openssl?

Am I correct in that we should not ship version 1.3.3 if we know this license change is dubious at best?

Comment 4 Tom "spot" Callaway 2014-01-22 22:18:54 UTC
Eh, we don't use the openssl exception, so its not a Fedora blocker (we'd just no-op it away), because we consider openssl to be a system library.

You should definitely talk to the upstream about the inappropriateness of changing the license without clearing it through all the copyright holders (assuming you didn't assign your copyright in that work to them). The change they made is reasonably non-controversial (its the standard FSF openssl exception), but still.

Closing this as NOTABUG.


Note You need to log in before you can comment on or make changes to this bug.