Hallo all,

The initial release of rush_1.7+dfsg-1 happened a year ago.
The package has a minute user base, but when I returned to the
package recently I happened to notice that there was a clear
mistake in the recording of copyright terms for one of the
files. The published package claims GPL, whereas a scrutiny
of the text reveals a custom license, very close to a public
domain attribution, intended to allow linking with LGPL.
My sponsor Sven Hoexter suggests that this might be classified
as a release critical deviation. Presently he has uploaded
the package to "experimental" while we await guidance from
this list.

However, the updated packaging rush_1.7+dfsg-2, which I have
uploaded to "debian.mentors.net", happens to also address the
hardened build of the contained binary executables. It is
a priori not obvious that this composite package update would
qualify for inclusion in the upcoming release, this late in
the process. Personally, I regard the hardening as valuable to
a security-relevant service like GNU Rush, so I now seek
conclusive advice on this matter, as to the prospects of
unblocking the package and getting it into "testing".

The debdiff between the published package and my proposed
update is included in this message. As said, the full package
has been deposited in "experimental" for a week now. I am writing
this query encouraged by my sponsor Sven Hoexter.

Best regards,

  Mats Erik Andersson, DM


 changelog |   19 +++++++++++++++++++
 control   |    5 +++--
 copyright |   56 +++++++++++++++++++++++++++++++++++++++++++-------------
 rules     |    5 +++++
 4 files changed, 70 insertions(+), 15 deletions(-)

diff -Nru rush-1.7+dfsg/debian/changelog rush-1.7+dfsg/debian/changelog
--- rush-1.7+dfsg/debian/changelog	2011-07-06 17:48:31.000000000 +0200
+++ rush-1.7+dfsg/debian/changelog	2012-08-02 20:47:09.000000000 +0200
@@ -1,3 +1,22 @@
+rush (1.7+dfsg-2) unstable; urgency=low
+
+  * Hardened builds:
+    + debian/rules: Set compiler flags using dpkg-buildflags.
+    + debian/control: Build depends on dpkg-dev (>= 1.15.7).
+  * debian/control: Standards 3.9.3, no changes.
+  * debian/copyright:
+    + Update to valid URL in format specification.
+    + Remove commata in file lists.
+    + Insert conditions of two "public-domain" attributions.
+    + Add plus character in standalone license's names
+      "GPL-2+" and "GPL-3+". Express terms of the former.
+    + The file "po/Makefile.in.in" was mistakenly named as
+      using GPL. In fact, the file uses a custom license,
+      implicitly public domain like. The conditions of use
+      are now copied verbatim.
+
+ -- Mats Erik Andersson <mats.anders...@gisladisker.se>  Thu, 02 Aug 2012 20:45:15 +0200
+
 rush (1.7+dfsg-1) unstable; urgency=low
 
   * Initial release. (Closes: #515198)
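Review bot: the cover mail presents the po/Makefile.in.in correction as the release-critical reason for this upload, but the changelog entry does not say so and closes no bug; for an unblock request the entry should state that it fixes the copyright misattribution and, once a bug is filed, carry the usual "(Closes: #NNNNNN)" reference (number to be filled in). Two wording nits in the same entry: "Remove commata" should read "Remove commas", and "mistakenly named as using GPL" reads better as "mistakenly declared as GPL".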
diff -Nru rush-1.7+dfsg/debian/control rush-1.7+dfsg/debian/control
--- rush-1.7+dfsg/debian/control	2011-07-06 17:48:31.000000000 +0200
+++ rush-1.7+dfsg/debian/control	2012-08-02 18:47:29.000000000 +0200
@@ -2,8 +2,9 @@
 Section: shells
 Priority: extra
 Maintainer: Mats Erik Andersson <mats.anders...@gisladisker.se>
-Build-Depends: debhelper (>= 8.0.0), dh-autoreconf, autopoint
-Standards-Version: 3.9.2
+Build-Depends: debhelper (>= 8.0.0), dh-autoreconf, autopoint,
+ dpkg-dev (>= 1.15.7)
+Standards-Version: 3.9.3
 Homepage: http://puszcza.gnu.org.ua/projects/rush/
 
 Package: rush
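Review bot: the bound dpkg-dev (>= 1.15.7) only guarantees that the dpkg-buildflags command exists; it does not guarantee that the command emits the hardening flags the changelog gives as the motivation for this dependency, which are on by default only from dpkg-dev 1.16.1 onward. If hardening is the goal, raise the bound to "dpkg-dev (>= 1.16.1)". Also note that debian/compat is not in this diff: with compat 9 debhelper's dh exports the buildflags itself and the manual export in debian/rules becomes redundant, so it is worth stating which compat level the package uses.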
diff -Nru rush-1.7+dfsg/debian/copyright rush-1.7+dfsg/debian/copyright
--- rush-1.7+dfsg/debian/copyright	2011-06-14 21:12:14.000000000 +0200
+++ rush-1.7+dfsg/debian/copyright	2012-08-02 19:50:32.000000000 +0200
@@ -1,4 +1,4 @@
-Format: http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?revision=174
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: GNU rush
 Upstream-Contact: Sergey Poznyakoff <g...@gnu.org.ua>
 Source: http://puszcza.gnu.org.ua/projects/rush/
@@ -9,15 +9,10 @@
 Copyright: 2008-2010, Sergey Poznyakoff <g...@gnu.org.ua>
 License: GPL-3+
 
-Files: build-aux/*, gnu/*, m4/*
+Files: build-aux/* gnu/* m4/*
 Copyright: 1992-2010, Free Software Foundation, Inc.
 License: GPL-3+
 
-Files: build-aux/install-sh
-Copyright: Free Software Foundation
-Comment: The major part is copyrighted by the X Consortium; see below
-License: public-domain
-
 Files: build-aux/mdate-sh
 Copyright: 1995-2010, Free Software Foundation, Inc.
            1995, Ulrich Drepper <drep...@gnu.ai.mit.edu>
@@ -31,8 +26,15 @@
 Files: gnu/alloca.c
 Copyright: D A Gwyn
 License: public-domain
+ (Mostly) portable public-domain implementation -- D A Gwyn
+ .
+ This implementation of the PWB library alloca function,
+ which is used to allocate space off the run-time stack so
+ that it is automatically reclaimed upon procedure exit,
+ was inspired by discussions with J. Q. Johnson of Cornell.
+ J.Otto Tennant <j...@cray.com> contributed the Cray support.
 
-Files: po/*.po, po/rush.pot
+Files: po/*.po po/rush.pot
 Copyright: 2010, Free Software Foundation, Inc.
            2009-2010, Sergey Poznyakoff <g...@gnu.org>
            2009-2010, Clytie Siddall <cly...@riverland.net.au>
@@ -41,13 +43,23 @@
 
 Files: po/Makefile.in.in
 Copyright: 1995-1997, 2000-2007, Ulrich Drepper <drep...@gnu.ai.mit.edu>
-License: GPL
+License: custom
+ Makefile for PO directory in any package using GNU gettext.
+ .
+ This file can be copied and used freely without restrictions.  It can
+ be used in projects which are not available under the GNU General Public
+ License but which still want to provide support for the GNU gettext
+ functionality.
+ Please note that the actual code of GNU gettext is covered by the GNU
+ General Public License and is *not* in the public domain.
+ .
+ Origin: gettext-0.17
 
-Files: lib/argcv.c, lib/argcv.h, lib/Makefile.in
+Files: lib/argcv.c lib/argcv.h lib/Makefile.in
 Copyright: 1994-2009, Free Software Foundation, Inc.
 License: GPL-3+
 
-Files: etc/Makefile.in, src/Makefile.in
+Files: etc/Makefile.in src/Makefile.in
 Copyright: 1994-2009, Free Software Foundation, Inc.
            2008-2010, Sergey Poznyakoff <g...@gnu.org.ua>
 License: GPL-3+
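Review bot: the first line of the new License text, "Makefile for PO directory in any package using GNU gettext.", is the file's description rather than a term of use, and the trailing "Origin: gettext-0.17" is provenance rather than licence text; both would sit more naturally in a "Comment:" field of the Files paragraph, leaving the License block with only the permission sentence and the caveat that gettext itself is GPL. The terms as quoted ("can be copied and used freely without restrictions") do support the cover mail's reading that the earlier "License: GPL" was wrong.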
@@ -59,8 +71,14 @@
  on Tue, 2 Feb 2010 22:18:00 +0100, then gradually refined.
 
 Files: build-aux/install-sh
+Copyright: Free Software Foundation
+Comment: Main contributor is the X Consortium, see below.
+License: public-domain
+ FSF changes to this file are in the public domain.
+
+Files: build-aux/install-sh
 Copyright: 1994, X Consortium
-Comment: FSF has made additions, se above.
+Comment: FSF has made additions, see above.
 License: custom
  Permission is hereby granted, free of charge, to any person obtaining a copy
  of this software and associated documentation files (the "Software"), to
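Review bot: after this hunk there are two "Files: build-aux/install-sh" paragraphs in a row. In copyright-format 1.0 the last matching Files paragraph takes precedence for a given file, so the FSF public-domain paragraph added here is shadowed and install-sh is effectively recorded only under the X Consortium custom licence. Merge them into one paragraph that lists both copyright holders ("Copyright: 1994, X Consortium" and "Free Software Foundation"), keeps "License: custom" with the X Consortium text, and states in the Comment field that the FSF's changes are in the public domain.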
@@ -84,8 +102,20 @@
  ings in this Software without prior written authorization from the X Consor-
  tium.
 
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License can be found in `/usr/share/common-licenses/GPL-2'.
 
-License: GPL-3
+License: GPL-3+
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 3, or (at your option)
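Review bot: the new stand-alone "License: GPL-2+" paragraph is not referenced by any Files paragraph visible in this diff (every shown paragraph uses GPL-3+, public-domain or custom); check that a Files paragraph elsewhere in the file does use GPL-2+, since an unreferenced stand-alone licence paragraph is reported by lintian. The renaming of "GPL-3" to "GPL-3+" is consistent with the Files paragraphs above, which already said GPL-3+.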
diff -Nru rush-1.7+dfsg/debian/rules rush-1.7+dfsg/debian/rules
--- rush-1.7+dfsg/debian/rules	2011-06-15 00:48:37.000000000 +0200
+++ rush-1.7+dfsg/debian/rules	2012-08-02 18:44:55.000000000 +0200
@@ -1,5 +1,10 @@
 #!/usr/bin/make -f
 
+CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
+CFLAGS  = $(shell dpkg-buildflags --get CFLAGS)
+LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
+export CPPFLAGS CFLAGS LDFLAGS
+
 %:
 	dh $@ --with autoreconf
 
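Review bot: the three assignments use "=" (recursively expanded), so make re-runs dpkg-buildflags every time one of the variables is expanded; use ":=" to evaluate each once, or, if the dpkg-dev bound is raised to 1.16.1, replace all five lines with "DPKG_EXPORT_BUILDFLAGS = 1" followed by "include /usr/share/dpkg/buildflags.mk". The default flag set also leaves out PIE and bindnow; given that the cover mail motivates this change with Rush being a security-relevant service, consider "export DEB_BUILD_MAINT_OPTIONS = hardening=+all" (also dpkg-dev >= 1.16.1) and confirm the built binaries with hardening-check from the hardening-includes package before asking for the unblock.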