Package: git
Version: 1:2.48.0~rc1+next.20250101-1
Severity: serious

Git is licensed under the GNU General Public License, version 2.
Included in Git is /usr/lib/git-core/git-remote-http, which is the
backend which uses libcurl to perform HTTP-based operations.
Unfortunately, that binary appears to be linked against OpenSSL,
probably because OpenLDAP, on which libcurl depends, is linked against
OpenSSL.

OpenSSL is under the Apache License 2.0, which is, despite everyone's
best intentions, not actually compatible with the GNU General Public
License version 2, and thus the Git binary is not actually
distributable.

Note that Debian cannot take advantage of the system library exception,
the text of which is as follows:

  However, as a special exception, the source code distributed need not
  include anything that is normally distributed (in either source or
  binary form) with the major components (compiler, kernel, and so on)
  of the operating system on which the executable runs, unless that
  component itself accompanies the executable.

Debian distributes OpenSSL on the same mirror network and
installation media as Git, so OpenSSL accompanies the executable.  For
instance, the current debian-testing-amd64-DVD-1 contains both git and
libssl3t64.  This is, as I understand it, consistent with Debian's
historical position.

I have not verified if other binaries or parts of Git are affected, but
you may want to do so.  Assuming that my conjecture about OpenLDAP being
the cause of this is correct, you may want to revert the change to
OpenSSL there.

Of course, if you can provide a version of OpenSSL that is also under
the GNU General Public License version 2 or another license which is
compatible with it, then that would also be satisfactory.  In that case,
please reassign this package to the `openssl` source package to get the
copyright file updated accordingly.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.10-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages git depends on:
ii  git-man             1:2.48.0~rc1+next.20250101-1
ii  libc6               2.40-6
ii  libcurl3t64-gnutls  8.11.1-1+b1
ii  liberror-perl       0.17029-2
ii  libexpat1           2.6.4-1
ii  libpcre2-8-0        10.44-5
ii  perl                5.40.0-8
ii  zlib1g              1:1.3.dfsg+really1.3.1-1+b1

Versions of packages git recommends:
ii  ca-certificates              20241223
ii  less                         643-1
ii  openssh-client [ssh-client]  1:9.9p1-3
ii  patch                        2.7.6-7

Versions of packages git suggests:
ii  gettext-base   0.23.1-1
pn  git-cvs        <none>
pn  git-doc        <none>
ii  git-email      1:2.48.0~rc1+next.20250101-1
pn  git-gui        <none>
pn  git-mediawiki  <none>
pn  git-svn        <none>
pn  gitk           <none>
pn  gitweb         <none>

-- no debconf information

-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA
