Florian Weimer <f...@deneb.enyo.de> writes:

> * Simon Josefsson:
>
>> I co-maintain the libidn package. As upstream, I recently relicensed it
>> from LGPLv2+ to GPLv2+|LGPLv3+. I'd like to upload the latest version
>> into Debian before Wheezy since a pretty nasty infinite-loop bug has
>> been fixed.
>
> Should we get that into stable-security, under the old license?

It wouldn't hurt, but I'm also not sure if it is worth the work. If any significant application triggered this particular code path, people should have noticed the problem a long time ago. It is at worst an easily diagnosed DoS causing the library to busy-loop forever. All the pr29_* functions are affected, but they don't appear to be widely used.

>> (GPLv2-only and LGPLv3+ are incompatible.)
>
> Nowadays, almost all GPLv2-only programs link to library code licensed
> under the GPLv3 (with a linking exception on the library side), so we
> pretend that they are, at least to some degree.

What does that link exception look like? I only recall seeing suggestions to use the dual-GPLv2+|LGPLv3+ approach as a workaround before.

/Simon