Your message dated Thu, 04 Sep 2025 10:05:54 +0000
with message-id <[email protected]>
and subject line Bug#1112162: fixed in golang-github-vmware-photon-controller-go-sdk 0.0~PROMOTED-738+dfsg-1
has caused the Debian Bug report #1112162,
regarding accidentally includes and installs opaque "ttylinux" VM disk image with sourceless GNU GPL applications within
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1112162: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112162
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-vmware-photon-controller-go-sdk
Version: 0.0~PROMOTED-339-1.1
Tags: upstream
Severity: serious
Justification: infringement of GNU GPL attribution and source availability 
requirements
X-Debbugs-Cc: [email protected]

Hello,
For an unrelated purpose I was looking for packages shipping files ending in 
'.iso' and this package came up on my radar. The 
golang-github-vmware-photon-controller-go-sdk-dev installs these files on all 
architectures:
/usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/ttylinux-pc_i486-16.1.iso
/usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/tty_tiny.ova

These files really do contain an entire virtual machine, as I'll show, with the 
Linux kernel, BusyBox, the GNU C Library (real glibc, not Newlib, which is both 
uncommon in this use case and makes the licensing implications more serious), 
Dropbear, and more. These virtual machine images are present already in the 
source package. It is hard to verify authenticity due to bitrot, but it appears 
this is what's being referred to:
https://www.minimalinux.org/ttylinux/downloadPC.html
https://html-preview.github.io/?url=https://github.com/mkienenb/ttylinux/blob/master/dloadPC-i486.html

The VMware-ish file conventions are something I'm working on wrapping my head 
around, so do note that the '*.iso' file is mainly metadata and the '*.ova' is 
where the concerns really lie.
        $ bsdcat ttylinux-pc_i486-16.1.iso | tr -cd '[[:print:]]' | tr -s '[[:space:]]'
        CD001LINUX CDROM "s0 GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 
1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM 
2015032517314800201503251731480000000000000000002015032517314800 
CD001"s0"s00s0SETTINGS.JSN;1{"vm_network_netmask":"255.255.254.0","vm_domain":"eng.vmware.com","vm_network_ip":"10.146.34.113","vm_network_nameservers":"10.142.7.1","vm_network_gateway":"10.146.35.253"}
It looks like this probably wasn't supposed to be shared outside VM corporate 
seeing as those are statically-configured network details.

Personally I was concerned about this file not being what it claimed, so I 
found the following helpful for a more forensic analysis:
$ pax -r -f /usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/tty_tiny.ova -s '/^.*$/tty_tiny.vmdk/' '*.vmdk*' \
        && qemu-img convert -f vmdk -O raw tty_tiny.vmdk tty_tiny.img

A lot of tools don't like the compressed VMware format it seems, so this 
conversion makes all else easier. You can identify the software within with
$ tr -c -d '[[:print:]]' < tty_tiny.img

and it also seems to boot at least part of the way using qemu-system-i386 using 
BusyBox for the system startup.

So there are a few reasons why it's prima facie clear that this is seriously wrong 
even though I don't have detailed knowledge of the package:
• The hard-coded network credentials could be construed as "phoning home" and 
were spooky
• There is a lot of software in the images that is under the GNU GPL and needs 
to have source available, but much of the software (including ttylinux itself) 
is so old that this would actually be pretty hard to backtrack on.
• It's not apparent how this could be used for any sort of testing even if one 
wanted to.

Also, pardon my French, but I don't think there are any runtime reverse 
dependencies or build-time reverse dependencies on this binary package, the 
only one for this source package. Likewise the ITP #855680 doesn't actually 
describe why the software belongs in Debian or what anyone would want it for, 
so I'm scratching my head. Does anyone know why this package exists?

Attachment: signature.asc
Description: This is a digitally signed message part

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---
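The steps the report walks through (find the image files, carve the printable strings out of them, notice the baked-in network settings) as an added example in Python. This is not code from the bug report or from the photon-controller-go-sdk project. The ISO-like file with its SETTINGS.JSN payload, the tar-based OVA and the RFC 5737 addresses are constructed stand-ins for the real ttylinux files, which are not reproduced here; the magic-byte checks (CD001 at sector 16 for ISO 9660, KDMV for a sparse VMDK extent, a tar holding an .ovf plus .vmdk members for an OVA) are the standard signatures for those formats.

```python
"""Scan a package tree for opaque VM-image artifacts and carve any embedded
settings JSON out of them, so a 'binary without source' blob with hard-coded
network details is caught before upload.  Sample inputs are constructed."""
import io
import json
import os
import re
import tarfile
import tempfile

ISO_MAGIC = b"CD001"              # ISO 9660 volume descriptor signature
ISO_MAGIC_OFFSET = 16 * 2048 + 1  # sector 16, one byte past the descriptor type
VMDK_MAGIC = b"KDMV"              # sparse-extent VMDK header ("VMDK", little-endian)

# A printable-only, non-nested {...} run: the same idea as piping the image
# through tr -cd '[[:print:]]' and reading what survives.
JSON_RE = re.compile(rb"\{[\x20-\x7e]*?\}")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(path):
    """Return 'iso9660', 'vmdk', 'ova' or None for a file on disk."""
    with open(path, "rb") as f:
        head = f.read(4)
        f.seek(ISO_MAGIC_OFFSET)
        iso_sig = f.read(len(ISO_MAGIC))
    if iso_sig == ISO_MAGIC:
        return "iso9660"
    if head == VMDK_MAGIC:
        return "vmdk"
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tar:
            names = tar.getnames()
        # An OVA is a tar holding an OVF descriptor plus its disk extents.
        if any(n.endswith(".ovf") for n in names) and any(".vmdk" in n for n in names):
            return "ova"
    return None


def extract_json_blobs(path):
    """Carve every parseable flat JSON object out of an opaque file."""
    with open(path, "rb") as f:
        data = f.read()
    blobs = []
    for m in JSON_RE.finditer(data):
        try:
            blobs.append(json.loads(m.group().decode("ascii")))
        except (ValueError, UnicodeDecodeError):
            continue
    return blobs


def network_identifiers(blob):
    """Keys whose values look like IPv4 addresses, i.e. baked-in addressing."""
    return {k: v for k, v in blob.items()
            if isinstance(v, str) and IPV4_RE.match(v)}


def scan(root):
    """Walk root; report each VM-image artifact and any addresses inside it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            kind = classify(path)
            if kind is None:
                continue
            net = {}
            for blob in extract_json_blobs(path):
                net.update(network_identifiers(blob))
            findings.append({"file": name, "kind": kind, "network": net})
    return findings


def build_samples(dirpath):
    """Constructed inputs (not the real ttylinux files): an ISO-like file with
    the CD001 signature and a SETTINGS.JSN payload, a tar-based OVA, and a
    plain text file that must not be flagged.  Addresses are RFC 5737 ones."""
    settings = {"vm_network_ip": "192.0.2.10",
                "vm_network_gateway": "192.0.2.1",
                "vm_domain": "example.test"}
    iso = (bytes(ISO_MAGIC_OFFSET) + ISO_MAGIC + bytes(16)
           + b"SETTINGS.JSN;1" + json.dumps(settings).encode("ascii") + bytes(64))
    with open(os.path.join(dirpath, "sample.iso"), "wb") as f:
        f.write(iso)
    with tarfile.open(os.path.join(dirpath, "sample.ova"), "w") as tar:
        for member, payload in (("sample.ovf", b"<Envelope/>"),
                                ("sample-disk1.vmdk", VMDK_MAGIC + bytes(508))):
            info = tarfile.TarInfo(member)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    with open(os.path.join(dirpath, "readme.txt"), "w") as f:
        f.write("plain text, nothing to see\n")
    return dirpath


def demo():
    """Build the samples in a scratch directory and scan them."""
    with tempfile.TemporaryDirectory() as d:
        return scan(build_samples(d))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointed at an installed copy, `scan("/usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata")` would flag the two files the report names. One caveat the report itself hints at: string carving only sees what is stored uncompressed, so for the compressed VMDK extent inside an OVA the `qemu-img convert -O raw` step above is still needed before `extract_json_blobs` or `tr -cd '[[:print:]]'` can show what the disk contains.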
--- Begin Message ---
Source: golang-github-vmware-photon-controller-go-sdk
Source-Version: 0.0~PROMOTED-738+dfsg-1
Done: Andreas Tille <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-vmware-photon-controller-go-sdk, which is due to be installed in 
the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <[email protected]> (supplier of updated 
golang-github-vmware-photon-controller-go-sdk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Sep 2025 11:07:57 +0200
Source: golang-github-vmware-photon-controller-go-sdk
Architecture: source
Version: 0.0~PROMOTED-738+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Andreas Tille <[email protected]>
Closes: 1112162
Changes:
 golang-github-vmware-photon-controller-go-sdk (0.0~PROMOTED-738+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   [ Alexandre Viau ]
   * Point Vcs-* urls to salsa.debian.org.
 .
   [ Debian Janitor ]
   * Use secure copyright file specification URI.
   * Bump debhelper from old 10 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Change priority extra to priority optional.
   * Set upstream metadata fields: Bug-Database, Bug-Submit.
 .
   [ Andreas Tille ]
   * New upstream version
   * Fix watch file
   * Exclude binary without source testdata
     Closes: #1112162
   * Use default Salsa CI
   * d/control: Section s/devel/golang/
   * Standards-Version: 4.7.2 (routine-update)
   * debhelper-compat 13 (routine-update)
   * Remove trailing whitespace in debian/copyright (routine-update)
   * Set upstream metadata fields: Repository-Browse.
Checksums-Sha1:
 42a800471d7860d6754c93164a839c6c7622be9b 2633 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1.dsc
 78c379e3079a483f125559a216861bc3cb97b2e5 45072 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg.orig.tar.xz
 a8b9bd8ff0607919d72c345f77b62b019f6b1144 2284 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1.debian.tar.xz
 ccd2f77d9cc7743667ba708729bea4f058870fa6 6990 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 38489d72cf3a80b2132f36ec4773a30ced956fccc3170872c6dd6ead7e074622 2633 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1.dsc
 514396130f4c6defe28b695543a458f1d92f4394ae73f4a16c694bcf3b7dcc1d 45072 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg.orig.tar.xz
 c46a41bd01bcc6756bc8e35185e21c13dab6cae24f4eab18027d43c4fdd2952b 2284 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1.debian.tar.xz
 b842f939827439570e886c35e5acb2a11c092f6f6cd3caab796f4a4cf82df5b6 6990 golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1_amd64.buildinfo
Files:
 b9ed26041d93c3a7528c3760a47f36cf 2633 golang optional golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1.dsc
 632956c5b6e6ee085afc8672234733b5 45072 golang optional golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg.orig.tar.xz
 77f5dea182ce2b0871b50d42edf08ff2 2284 golang optional golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1.debian.tar.xz
 240ce1768241eb99f0974ed941ffbcdf 6990 golang optional golang-github-vmware-photon-controller-go-sdk_0.0~PROMOTED-738+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE8fAHMgoDVUHwpmPKV4oElNHGRtEFAmi5W8IRHHRpbGxlQGRl
Ymlhbi5vcmcACgkQV4oElNHGRtHnURAAllOui5LKVAsHST/u77jlB5jRs5RK2IWe
tkAvrDnfvkncPznze4s8Xlx9gzSPBmkm/Ip2aO5jT1R/WBqUAB+kUz6O+CvgbeTS
SnGYpVnDEWM4mVtQICywyP8CM7cf3m/aI9fCcundpBDf8LuHXB9XwHEetBz+RRNM
9xFNaupfPa/4RqrlVRYCaaBnr+A2VnmwuvLFY0N4DYo+koHoP0YwTELCqhZsuRzQ
DDslGQOGwcLd/aTFU6/kS9y+QcjDpHvP/DCSANxbMoziJuQskEO3OENude/O53HG
tfRCDaIp6/2J9ufAf8tjakrFme4oNvrGV7q62cdX6L3kH1XVloMD/k3TZ2Bfu2HN
XinLRsRRNzAogbtDQKTPbpF9DILU/OqcG5X+bh3xkqhYZD++HHgxb6UrI10lea2a
Gx8PjuDrzHHNs+297GcaraRrqkCn+OrPeUjKeeXmcwLjxJSkGXJ5j8Dfza9Neeu6
arIixEIextP1VpCL+RuO2gQdeQL0LxyF46X+PydGrhJAygEKnK/vyugD+vqwgknd
ou6E+2UZtLrWRkpmCIwiCTUXrWNkDzjsanQ9Bja0KYF6Rtp4qR1qrDzqwEmLAbPU
F1BHm6b38IY9UpbX+63JBZZbCw6katWu52lVKZQ9GZv4m7BJCsXdF0Bpizt35xD1
MgtkJU+K/ho=
=Vasb
-----END PGP SIGNATURE-----

Attachment: pgpEUJ9WQKIBD.pgp
Description: PGP signature


--- End Message ---
