Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 467237 - Review Request: globus-gssapi-gsi - Globus Toolkit - GSSAPI library
Summary: Review Request: globus-gssapi-gsi - Globus Toolkit - GSSAPI library
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Orcan Ogetbil
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: gpt 453848 453850 453851 453853 453855 453856 453858 453861 453862
Blocks: 467239 478919 478922 478925 478930 478931
TreeView+ depends on / blocked
 
Reported: 2008-10-16 14:34 UTC by Mattias Ellert
Modified: 2009-05-21 00:00 UTC (History)
5 users (show)

Fixed In Version: 5.9-2.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-20 00:49:46 UTC
oget.fedora: fedora-review+
kevin: fedora-cvs+


Attachments (Terms of Use)

Description Mattias Ellert 2008-10-16 14:34:05 UTC
Spec URL: http://www.grid.tsl.uu.se/repos/globus/fedora/9/info/globus-gssapi-gsi.spec
SRPM URL: http://www.grid.tsl.uu.se/repos/globus/fedora/9/src/SRPMS/globus-gssapi-gsi-5.9-0.2.fc9.src.rpm
Description:
The Globus Toolkit is an open source software toolkit used for
building Grid systems and applications. It is being developed by the
Globus Alliance and many others all over the world. A growing number
of projects and companies are using the Globus Toolkit to unlock the
potential of grids for their cause.

The globus-gssapi-gsi package contains:
GSSAPI library

BuildRequires:	gpt
BuildRequires:	globus-gsi-credential-devel >= 1
BuildRequires:	globus-gsi-callback-devel
BuildRequires:	globus-openssl-module-devel
BuildRequires:	globus-gsi-openssl-error-devel
BuildRequires:	globus-openssl-devel >= 1
BuildRequires:	globus-gsi-proxy-core-devel >= 1
BuildRequires:	globus-core-devel >= 4
BuildRequires:	globus-gsi-cert-utils-devel >= 5
BuildRequires:	globus-common-devel >= 3

Based on the globus toolkit 4.2.1 release.

All applied patches submitted upstream:

Use versioned symbols for GSSAPI functions (like kerberos):
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6415
http://bugzilla.nordugrid.org/show_bug.cgi?id=1106

Fix some doxygen warnings:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6479

Comment 3 Mattias Ellert 2008-10-29 12:38:41 UTC
globus-gssapi-gsi library not thread safe bug:

http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6510

Patch accepted upstream:

http://viewcvs.globus.org/viewcvs.cgi/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c?r1=1.51&r2=1.52

Comment 4 Mattias Ellert 2009-01-06 00:50:14 UTC
This package was updated due to the renaming of the GPT package.

SRPM: http://www.grid.tsl.uu.se/repos/globus/fedora/10/src/SRPMS/globus-gssapi-gsi-5.9-0.3.fc10.src.rpm

SPEC: http://www.grid.tsl.uu.se/repos/globus/info/globus-gssapi-gsi.spec

One additional patch submitted upstream:

Dereferencing of type-punned pointers:
http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6604

Comment 5 Mattias Ellert 2009-03-16 00:00:20 UTC
New version
- Added s390x as 64 bit arch
- Added comment documenting source
- Adapt to changes in the globus-core package

http://www.grid.tsl.uu.se/repos/globus/fedora/10/src/SRPMS/globus-gssapi-gsi-5.9-0.5.fc10.src.rpm
http://www.grid.tsl.uu.se/repos/globus/info/globus-gssapi-gsi.spec

Comment 6 Mattias Ellert 2009-04-17 13:44:32 UTC
Package updated due to new packaging guidelines
- Change defines to globals
- Remove explicit requires on library packages

http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi-5.9-1.fc10.src.rpm
http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi.spec

Draft packaging guidelines for Globus packages are now available:
http://fedoraproject.org/wiki/PackagingDrafts/Globus

Comment 7 Orcan Ogetbil 2009-05-10 19:05:55 UTC
Here is my review for this one:

? This is possibly an inconsistency: globus-gsi-credential package has
   BuildRequires:	globus-gsi-cert-utils-devel >= 1
whereas this package has
   BuildRequires:	globus-gsi-cert-utils-devel >= 5
Is this intentional?
   $ rpm -q globus-gsi-cert-utils
   globus-gsi-cert-utils-5.5-1.fc10.x86_64

- rpmlint
   globus-gssapi-gsi-devel.x86_64: W: no-documentation
can be ignored.

- koji rawhide build is fine:
   http://koji.fedoraproject.org/koji/taskinfo?taskID=1346454

? library/ssl_locl.h contains a copy of BSD with advertising. Does that make this package "ASL 2.0 and BSD" ?

Comment 8 Mattias Ellert 2009-05-11 07:57:29 UTC
(In reply to comment #7)
> Here is my review for this one:
> 
> ? This is possibly an inconsistency: globus-gsi-credential package has
>    BuildRequires: globus-gsi-cert-utils-devel >= 1
> whereas this package has
>    BuildRequires: globus-gsi-cert-utils-devel >= 5
> Is this intentional?
>    $ rpm -q globus-gsi-cert-utils
>    globus-gsi-cert-utils-5.5-1.fc10.x86_64

This is not inconsistent. This package uses features that were introduce in version 5 of globus-gsi-cert-utils, while globus-gsi-credential only uses features that have been in the library since version 1.

The GPT source package description for globus-gsi-credential says:

        <Source_Dependencies Type="compile">
            <Dependency Name="globus_gsi_cert_utils">
                <Version>
                    <Simple_Version Major="1"/>
                </Version>
            </Dependency>
        </Source_Dependencies>

While for this package it says:

        <Source_Dependencies Type="compile">
            <Dependency Name="globus_gsi_cert_utils">
                <Version>
                    <Simple_Version Major="5"/>
                </Version>
            </Dependency>
        </Source_Dependencies>

The rpm build requires reflect this.

> - rpmlint
>    globus-gssapi-gsi-devel.x86_64: W: no-documentation
> can be ignored.
> 
> - koji rawhide build is fine:
>    http://koji.fedoraproject.org/koji/taskinfo?taskID=1346454
> 
> ? library/ssl_locl.h contains a copy of BSD with advertising. Does that make
> this package "ASL 2.0 and BSD" ?  

As far as I can tell - no. The file is not installed as part of the binary package, so its license does not influence the license of the package directly. So the question is whether the license of this file influences the license of the package indirectly from being part of the compilation of the library.

The file as included in the source tarball has three license statements:

1. Apache 2.0
2. BSD with advertising
3. OpenSSL

So when compiling this (Apache 2.0 or BSD with advertising or OpenSSL) with all the other files which are Apache 2.0 the resulting binary is Apache 2.0.

Comment 9 Orcan Ogetbil 2009-05-11 15:51:43 UTC
(In reply to comment #8)
> The file as included in the source tarball has three license statements:
> 
> 1. Apache 2.0
> 2. BSD with advertising
> 3. OpenSSL
> 

Yes there is also that third statement, Openssl.

> So when compiling this (Apache 2.0 or BSD with advertising or OpenSSL) with all
> the other files which are Apache 2.0 the resulting binary is Apache 2.0.  

At this point I can't be sure if we should regard this as "X or Y or Z". Why is it not "X and Y and Z"? I don't see an indication of either convention in the source. Shall we ask FE-Legal?

Comment 10 Orcan Ogetbil 2009-05-11 16:28:35 UTC
I checked our openssl package at Fedora. This ssl/ssl_locl.h file contains two statements,

* BSD with advertising
* OpenSSL

The globus folks just took that file and added a new licence to it (Apache 2.0). Are they legally allowed to do that? 

Let's block FE-Legal. This is something I can't (and shouldn't) decide by myself.

Comment 11 Mattias Ellert 2009-05-11 22:07:50 UTC
The two original licenses in the file are the original dual licensing of openssl:

http://www.openssl.org/source/license.html

Upstream then copied the file into their source and added their own license statement to it, which is Apache 2. I agree this addition is a bit questionable.

If this file would instead have been installed as part of the openssl package then this package would be Apache-2 like all the other globus packages.

Also, if the "relicensing" done by upstream is OK, then we can say this file is Apache 2, and then the package would be Apache 2 as well.

However, if this is not the case the library is a unit compiled from some sources having Apache 2 license and other sources (one file) having openssl license. These two licenses are compatible with each other, but neither of them "wins" the way GPL always does. In this case the License tag should be "ASL 2.0 and OpenSSL". This might in fact be the right thing to do.

Comment 12 Mattias Ellert 2009-05-11 22:31:42 UTC
Reading the original openssl license more carefully:

 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]

makes the Apache license statement added by Globus a bit dubious. Or maybe it was intended as an an AND and not an OR - but then why do it?

Anyway I'm getting more inclined to change the License tag to "ASL 2.0 and OpenSSL".

Comment 13 Mattias Ellert 2009-05-12 14:57:19 UTC
I have created a new version where the license tag is "ASL 2.0 and OpenSSL":

http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi-5.9-2.fc10.src.rpm
http://www.grid.tsl.uu.se/repos/globus/info/new/globus-gssapi-gsi.spec

I now think this makes the most sense.

Comment 14 Orcan Ogetbil 2009-05-12 15:17:19 UTC
Yes, I agree that that's the best thing to do with what we have, but the biggest doubt here is whether upstream globus is legally allowed to add a new license an top of the existing one or not.

FE-Legal usually responds in a couple days. You can send an email to their mailing list if you want.

Comment 15 Tom "spot" Callaway 2009-05-12 20:54:32 UTC
I would point out to globus upstream that they do not have permission to change the licensing terms on that file. Also, since this is an exact copy of the openssl headers, why are we even using it? We should be using the system openssl-devel files.

Comment 16 Mattias Ellert 2009-05-12 22:23:45 UTC
(In reply to comment #15)
> I would point out to globus upstream that they do not have permission to change
> the licensing terms on that file. Also, since this is an exact copy of the
> openssl headers, why are we even using it? We should be using the system
> openssl-devel files.  

I have filed a bugzilla report upstream about the license issue:

http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6736

Globus is using the system openssl-devel header files when possible. However, this file is not installed by a normal openssl installation, and is therefore not part of the openssl-devel package. So there is no system version to use of this file.

Comment 17 Tom "spot" Callaway 2009-05-12 22:26:46 UTC
I'm not sure if that is better or worse, because it means they're using unpublished private openssl API.

Comment 18 Orcan Ogetbil 2009-05-13 01:21:14 UTC
There are also these files library/pkcs11*.h that carry yet another license but they don't get compiled. So, for now, they won't cause us any trouble.

Can you ask upstream about these files too, what are they for, are they going to get compiled in a future version etc.?

Comment 19 Mattias Ellert 2009-05-13 04:22:31 UTC
(In reply to comment #18)
> Can you ask upstream about these files too, what are they for, are they going
> to get compiled in a future version etc.?  

http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=6737

Comment 20 Orcan Ogetbil 2009-05-18 19:06:31 UTC
spot, 
It looks like the upstream is a little slow with responding. Can we come up with a temporary resolution until they respond since there are many other globus packages that depend on this one awaiting review?

If yes, what should the license tag be?

Or is this an absolute blocker?

Comment 21 Tom "spot" Callaway 2009-05-18 19:22:55 UTC
"ASL 2.0 and OpenSSL" is the correct license tag. I don't think this is a blocker, even though upstream has incorrected added the ASL 2.0 terms to the OpenSSL header files. We'll just use those files under the proper OpenSSL licensing. 

Please follow up with upstream to get it corrected, but I'm lifting FE-Legal.

Comment 22 Tom "spot" Callaway 2009-05-18 19:23:25 UTC
incorrected should be "incorrectly". It's a Monday, sorry.

Comment 23 Orcan Ogetbil 2009-05-18 19:49:14 UTC
Okay then. Thanks spot! There are no other issues with this package.

----------------------------------------------------
This package (globus-gssapi-gsi) is APPROVED by oget
----------------------------------------------------

Comment 24 Mattias Ellert 2009-05-18 21:02:38 UTC
Thank you for the review. I will follow what upstream will do about the issue.


New Package CVS Request
=======================
Package Name: globus-gssapi-gsi
Short Description: Globus Toolkit - GSSAPI library
Owners: ellert
Branches: F-9 F-10 F-11 EL-4 EL-5
InitialCC:

Comment 25 Kevin Fenzi 2009-05-18 23:41:36 UTC
cvs done.

Comment 26 Fedora Update System 2009-05-19 06:37:38 UTC
globus-gssapi-gsi-5.9-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc9

Comment 27 Fedora Update System 2009-05-19 06:37:43 UTC
globus-gssapi-gsi-5.9-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc10

Comment 28 Fedora Update System 2009-05-19 21:09:11 UTC
globus-gssapi-gsi-5.9-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/globus-gssapi-gsi-5.9-2.fc11

Comment 29 Fedora Update System 2009-05-20 00:49:40 UTC
globus-gssapi-gsi-5.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2009-05-20 00:55:22 UTC
globus-gssapi-gsi-5.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2009-05-21 00:00:01 UTC
globus-gssapi-gsi-5.9-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.