Hi Stuart, On Wed, Jun 11, 2014 at 10:12:21PM +1000, Stuart Prescott wrote: > Hi John, > > > * python_support: Avoid hashlib dependency, using the built-in _sha or > > _sha1 module (depending on Python version) instead. That way we > > don't link in OpenSSL, which has an incompatible license. > > (Closes: 747031) > > We should be careful that this particular change is not backwards compatible > with wheezy's python: > > $ PYTHONPATH=. python -c 'import debian.debian_support; > debian.debian_support.new_sha1()' > Traceback (most recent call last): > File "<string>", line 1, in <module> > File "debian/debian_support.py", line 50, in new_sha1 > "Built-in sha1 implementation not found; cannot use hashlib" > NotImplementedError: Built-in sha1 implementation not found; cannot use > hashlib implementation because it depends on OpenSSL, which may not be linked > with this library due to license incompatibilities > > (the test suite does fail which would alert a backporter) > > Fiddling around with an internal interface like _sha feels quite wrong too. I > think it's likely to bring pain back to us in the future.
For what it's worth, I don't particularly like this solution either. I couldn't find a better one (at least not a tecnhical one - see below). > I'm quite unconvinced by the argument that a GPL'd script can't import > hashlib; I think GPLv3 is quite clear that "hashlib" is a Standard Interface > of the Python programming language and that making use of it is fine; the > language is less precise for GPLv2 but I still don't think there's a problem > there. There are plenty of other GPL'd things in Debian that "import hashlib" > and I don't think anyone's interested in working on this. I actually am convinced by the debian-legal argument that the exception doesn't apply for Debian (because Debian distributes both OpenSSL and python-debian), but the alternative to this hacky crap is to modify our own license to allow linking with OpenSSL. Which honestly is probably not too hard since there were only a handful of contributors to python_support.py. > I've taken this particular issue out of the too-hard-basket and put it back > in > several times already... thanks for taking a crack at it. No problem. Feel free to revert the change if it's causing problems. -- John Wright <j...@debian.org>
signature.asc
Description: Digital signature
