Bug 467237 - Review Request: globus-gssapi-gsi - Globus Toolkit - GSSAPI library
Review Request: globus-gssapi-gsi - Globus Toolkit - GSSAPI library
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Orcan Ogetbil
Fedora Extras Quality Assurance
:
Depends On: gpt 453848 453850 453851 453853 453855 453856 453858 453861 453862
Blocks: 467239 478919 478922 478925 478930 478931
  Show dependency treegraph
 
Reported: 2008-10-16 10:34 EDT by Mattias Ellert
Modified: 2009-05-20 20:00 EDT (History)
5 users (show)

See Also:
Fixed In Version: 5.9-2.fc11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-19 20:49:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
oget.fedora: fedora‑review+
kevin: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Mattias Ellert 2008-10-16 10:34:05 EDT
Spec URL: http://www.grid.tsl.uu.se/repos/globus/fedora/9/info/globus-gssapi-gsi.spec
SRPM URL: http://www.grid.tsl.uu.se/repos/globus/fedora/9/src/SRPMS/globus-gssapi-gsi-5.9-0.2.fc9.src.rpm
Description:
The Globus Toolkit is an open source software toolkit used for
building Grid systems and applications. It is being developed by the
Globus Alliance and many others all over the world. A growing number
of projects and companies are using the Globus Toolkit to unlock the
potential of grids for their cause.

The globus-gssapi-gsi package contains:
GSSAPI library

BuildRequires:	gpt
BuildRequires:	globus-gsi-credential-devel >= 1
BuildRequires:	globus-gsi-callback-devel
BuildRequires:	globus-openssl-module-devel
BuildRequires:	globus-gsi-openssl-error-devel
BuildRequires:	globus-openssl-devel >= 1
BuildRequires:	globus-gsi-proxy-core-devel >= 1
BuildRequires:	globus-core-devel >= 4
BuildRequires:	globus-gsi-cert-utils-devel >= 5
BuildRequires:	globus-common-devel >= 3

Based on the globus toolkit 4.2.1 release.

All applied patches submitted upstream:

Use versioned symbols for GSSAPI functions (like kerberos):
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6415
http://bugzilla.nordugrid.org/show_bug.cgi?id=1106

Fix some doxygen warnings:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6479
Comment 3 Mattias Ellert 2008-10-29 08:38:41 EDT
globus-gssapi-gsi library not thread safe bug:

http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6510

Patch accepted upstream:

http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c?r1=1.51&r2=1.52
Comment 4 Mattias Ellert 2009-01-05 19:50:14 EST
This package was updated due to the renaming of the GPT package.

SRPM: http://www.grid.tsl.uu.se/repos/globus/fedora/10/src/SRPMS/globus-gssapi-gsi-5.9-0.3.fc10.src.rpm

SPEC: http://www.grid.tsl.uu.se/repos/globus/info/globus-gssapi-gsi.spec

One additional patch submitted upstream:

Dereferencing of type-punned pointers:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6604
Comment 5 Mattias Ellert 2009-03-15 20:00:20 EDT
New version
- Added s390x as 64 bit arch
- Added comment documenting source
- Adapt to changes in the globus-core package

http://www.grid.tsl.uu.se/repos/globus/fedora/10/src/SRPMS/globus-gssapi-gsi-5.9-0.5.fc10.src.rpm
http://www.grid.tsl.uu.se/repos/globus/info/globus-gssapi-gsi.spec
Comment 6 Mattias Ellert 2009-04-17 09:44:32 EDT
Package updated due to new packaging guidelines
- Change defines to globals
- Remove explicit requires on library packages

http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi-5.9-1.fc10.src.rpm
http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi.spec

Draft packaging guidelines for Globus packages are now available:
http://fedoraproject.org/wiki/PackagingDrafts/Globus
Comment 7 Orcan Ogetbil 2009-05-10 15:05:55 EDT
Here is my review for this one:

? This is possibly an inconsistency: globus-gsi-credential package has
   BuildRequires:	globus-gsi-cert-utils-devel >= 1
whereas this package has
   BuildRequires:	globus-gsi-cert-utils-devel >= 5
Is this intentional?
   $ rpm -q globus-gsi-cert-utils
   globus-gsi-cert-utils-5.5-1.fc10.x86_64

- rpmlint
   globus-gssapi-gsi-devel.x86_64: W: no-documentation
can be ignored.

- koji rawhide build is fine:
   http://koji.fedoraproject.org/koji/taskinfo?taskID=1346454

? library/ssl_locl.h contains a copy of BSD with advertising. Does that make this package "ASL 2.0 and BSD" ?
Comment 8 Mattias Ellert 2009-05-11 03:57:29 EDT
(In reply to comment #7)
> Here is my review for this one:
> 
> ? This is possibly an inconsistency: globus-gsi-credential package has
>    BuildRequires: globus-gsi-cert-utils-devel >= 1
> whereas this package has
>    BuildRequires: globus-gsi-cert-utils-devel >= 5
> Is this intentional?
>    $ rpm -q globus-gsi-cert-utils
>    globus-gsi-cert-utils-5.5-1.fc10.x86_64

This is not inconsistent. This package uses features that were introduce in version 5 of globus-gsi-cert-utils, while globus-gsi-credential only uses features that have been in the library since version 1.

The GPT source package description for globus-gsi-credential says:

        <Source_Dependencies Type="compile">
            <Dependency Name="globus_gsi_cert_utils">
                <Version>
                    <Simple_Version Major="1"/>
                </Version>
            </Dependency>
        </Source_Dependencies>

While for this package it says:

        <Source_Dependencies Type="compile">
            <Dependency Name="globus_gsi_cert_utils">
                <Version>
                    <Simple_Version Major="5"/>
                </Version>
            </Dependency>
        </Source_Dependencies>

The rpm build requires reflect this.

> - rpmlint
>    globus-gssapi-gsi-devel.x86_64: W: no-documentation
> can be ignored.
> 
> - koji rawhide build is fine:
>    http://koji.fedoraproject.org/koji/taskinfo?taskID=1346454
> 
> ? library/ssl_locl.h contains a copy of BSD with advertising. Does that make
> this package "ASL 2.0 and BSD" ?  

As far as I can tell - no. The file is not installed as part of the binary package, so its license does not influence the license of the package directly. So the question is whether the license of this file influences the license of the package indirectly from being part of the compilation of the library.

The file as included in the source tarball has three license statements:

1. Apache 2.0
2. BSD with advertising
3. OpenSSL

So when compiling this (Apache 2.0 or BSD with advertising or OpenSSL) with all the other files which are Apache 2.0 the resulting binary is Apache 2.0.
Comment 9 Orcan Ogetbil 2009-05-11 11:51:43 EDT
(In reply to comment #8)
> The file as included in the source tarball has three license statements:
> 
> 1. Apache 2.0
> 2. BSD with advertising
> 3. OpenSSL
> 

Yes there is also that third statement, Openssl.

> So when compiling this (Apache 2.0 or BSD with advertising or OpenSSL) with all
> the other files which are Apache 2.0 the resulting binary is Apache 2.0.  

At this point I can't be sure if we should regard this as "X or Y or Z". Why is it not "X and Y and Z"? I don't see an indication of either convention in the source. Shall we ask FE-Legal?
Comment 10 Orcan Ogetbil 2009-05-11 12:28:35 EDT
I checked our openssl package at Fedora. This ssl/ssl_locl.h file contains two statements,

* BSD with advertising
* OpenSSL

The globus folks just took that file and added a new licence to it (Apache 2.0). Are they legally allowed to do that? 

Let's block FE-Legal. This is something I can't (and shouldn't) decide by myself.
Comment 11 Mattias Ellert 2009-05-11 18:07:50 EDT
The two original licenses in the file are the original dual licensing of openssl:

http://www.openssl.org/source/license.html

Upstream then copied the file into their source and added their own license statement to it, which is Apache 2. I agree this addition is a bit questionable.

If this file would instead have been installed as part of the openssl package then this package would be Apache-2 like all the other globus packages.

Also, if the "relicensing" done by upstream is OK, then we can say this file is Apache 2, and then the package would be Apache 2 as well.

However, if this is not the case the library is a unit compiled from some sources having Apache 2 license and other sources (one file) having openssl license. These two licenses are compatible with each other, but neither of them "wins" the way GPL always does. In this case the License tag should be "ASL 2.0 and OpenSSL". This might in fact be the right thing to do.
Comment 12 Mattias Ellert 2009-05-11 18:31:42 EDT
Reading the original openssl license more carefully:

 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]

makes the Apache license statement added by Globus a bit dubious. Or maybe it was intended as an an AND and not an OR - but then why do it?

Anyway I'm getting more inclined to change the License tag to "ASL 2.0 and OpenSSL".
Comment 13 Mattias Ellert 2009-05-12 10:57:19 EDT
I have created a new version where the license tag is "ASL 2.0 and OpenSSL":

http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi-5.9-2.fc10.src.rpm
http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi.spec

I now think this makes the most sense.
Comment 14 Orcan Ogetbil 2009-05-12 11:17:19 EDT
Yes, I agree that that's the best thing to do with what we have, but the biggest doubt here is whether upstream globus is legally allowed to add a new license an top of the existing one or not.

FE-Legal usually responds in a couple days. You can send an email to their mailing list if you want.
Comment 15 Tom "spot" Callaway 2009-05-12 16:54:32 EDT
I would point out to globus upstream that they do not have permission to change the licensing terms on that file. Also, since this is an exact copy of the openssl headers, why are we even using it? We should be using the system openssl-devel files.
Comment 16 Mattias Ellert 2009-05-12 18:23:45 EDT
(In reply to comment #15)
> I would point out to globus upstream that they do not have permission to change
> the licensing terms on that file. Also, since this is an exact copy of the
> openssl headers, why are we even using it? We should be using the system
> openssl-devel files.  

I have filed a bugzilla report upstream about the license issue:

http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6736

Globus is using the system openssl-devel header files when possible. However, this file is not installed by a normal openssl installation, and is therefore not part of the openssl-devel package. So there is no system version to use of this file.
Comment 17 Tom "spot" Callaway 2009-05-12 18:26:46 EDT
I'm not sure if that is better or worse, because it means they're using unpublished private openssl API.
Comment 18 Orcan Ogetbil 2009-05-12 21:21:14 EDT
There are also these files library/pkcs11*.h that carry yet another license but they don't get compiled. So, for now, they won't cause us any trouble.

Can you ask upstream about these files too, what are they for, are they going to get compiled in a future version etc.?
Comment 19 Mattias Ellert 2009-05-13 00:22:31 EDT
(In reply to comment #18)
> Can you ask upstream about these files too, what are they for, are they going
> to get compiled in a future version etc.?  

http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6737
Comment 20 Orcan Ogetbil 2009-05-18 15:06:31 EDT
spot, 
It looks like the upstream is a little slow with responding. Can we come up with a temporary resolution until they respond since there are many other globus packages that depend on this one awaiting review?

If yes, what should the license tag be?

Or is this an absolute blocker?
Comment 21 Tom "spot" Callaway 2009-05-18 15:22:55 EDT
"ASL 2.0 and OpenSSL" is the correct license tag. I don't think this is a blocker, even though upstream has incorrected added the ASL 2.0 terms to the OpenSSL header files. We'll just use those files under the proper OpenSSL licensing. 

Please follow up with upstream to get it corrected, but I'm lifting FE-Legal.
Comment 22 Tom "spot" Callaway 2009-05-18 15:23:25 EDT
incorrected should be "incorrectly". It's a Monday, sorry.
Comment 23 Orcan Ogetbil 2009-05-18 15:49:14 EDT
Okay then. Thanks spot! There are no other issues with this package.

----------------------------------------------------
This package (globus-gssapi-gsi) is APPROVED by oget
----------------------------------------------------
Comment 24 Mattias Ellert 2009-05-18 17:02:38 EDT
Thank you for the review. I will follow what upstream will do about the issue.


New Package CVS Request
=======================
Package Name: globus-gssapi-gsi
Short Description: Globus Toolkit - GSSAPI library
Owners: ellert
Branches: F-9 F-10 F-11 EL-4 EL-5
InitialCC:
Comment 25 Kevin Fenzi 2009-05-18 19:41:36 EDT
cvs done.
Comment 26 Fedora Update System 2009-05-19 02:37:38 EDT
globus-gssapi-gsi-5.9-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc9
Comment 27 Fedora Update System 2009-05-19 02:37:43 EDT
globus-gssapi-gsi-5.9-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc10
Comment 28 Fedora Update System 2009-05-19 17:09:11 EDT
globus-gssapi-gsi-5.9-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc11
Comment 29 Fedora Update System 2009-05-19 20:49:40 EDT
globus-gssapi-gsi-5.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2009-05-19 20:55:22 EDT
globus-gssapi-gsi-5.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2009-05-20 20:00:01 EDT
globus-gssapi-gsi-5.9-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.