Control: severity -1 important
On Sun, 23 Jul 2023 22:42:26 +0200 Evangelos Ribeiro Tzaras wrote:
Fyi: that issue has now been closed with
https://github.com/cyrusimap/cyrus-sasl/pull/770
The backport to Debian was done. I am no longer considering this a serious issue as the clearly
GPL-incompa
On Wed, 28 Jun 2023 10:14:00 +0200 Bastian Germann wrote:
> On 28.06.23 at 04:42, Richard Laager wrote:
> > What is the remaining instance of RSA-MD licensed code after #767?
>
> https://github.com/cyrusimap/cyrus-sasl/issues/769
Fyi: that issue has now been closed with
https://github.com/cyrus
On 28.06.23 at 04:42, Richard Laager wrote:
What is the remaining instance of RSA-MD licensed code after #767?
https://github.com/cyrusimap/cyrus-sasl/issues/769
On 2023-06-27 17:35, Bastian Germann wrote:
On 28.06.23 at 00:13, Richard Laager wrote:
The last bugfix release took them more than 3 years and when #767 is
released is unknown.
When a release happens is irrelevant, as you can carry #767 as a patch
in the Debian package until then.
Even
On 28.06.23 at 00:13, Richard Laager wrote:
Wait a minute... You are a maintainer for cyrus-sasl.
Just the package maintainer in Debian.
You have already addressed the BSD-4-clause-KTH in the latest upload.
That is true, which I have noted on the other bug.
You also fixed debian/copyright
Wait a minute... You are a maintainer for cyrus-sasl.
You have already addressed the BSD-4-clause-KTH in the latest upload.
You also fixed debian/copyright to reference BSD-3-Clause-Attribution in
the latest upload. That license is fine for the reasons I mentioned.
That just leaves the MD5 st
On 27.06.23 at 23:34, Richard Laager wrote:
Cyrus SASL has reverse (binary) dependencies in the ballpark of 7,500. Quickly taking that list through UDD gives me
just over 4,500 source packages. Surely, a large number of those are going to be GPL licensed. Is your plan to file
Severity: serious
Bastian,
I see you have raised the severity on this bug again.
What is your goal here?
Cyrus SASL has reverse (binary) dependencies in the ballpark of 7,500.
Quickly taking that list through UDD gives me just over 4,500 source
packages. Surely, a large number of those are going to be GPL lice
I am the upstream maintainer.
We can't re-license or grant exceptions to our license as we have
never had a CLA or a DCO and some of our are companies that no longer
exist and there are individuals that are deceased.
This issue is tagging 28 packages total for removal from Debian. All
for a mista
On 26.05.23 at 04:26, Richard Laager wrote:
Are the problems just limited to MD5? If so:
I do not think so.
5) Replace the MD5 implementation in Cyrus SASL with a different one.
6) Cyrus SASL uses OpenSSL for MD5 instead of its built-in MD5 code.
See https://github.com/cyrusimap/cyrus-sas
First, I've downgraded the severity on this to "important". We are
currently in a freeze with a release imminent. Removing pidgin from the
next Debian release is a significant step that we should not undertake
lightly. The issue at hand has existed for years, possibly a decade or
even two, with
Package: libpurple0
Version: 2.14.12-1
Severity: serious
Hi,
libirc.so and libjabber.so.0.0.0 depend on libsasl2-2, which is licensed under CMU's BSD-3-Clause-Attribution license
and covered by the RSA-MD license. They have clauses in place, which are known to be incompatible with GPL-2+ (as fa