<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Ulrike and Cecylia,</p>
<p>Thank you for looking at this!<br>
</p>
<div class="moz-cite-prefix">On 16/03/2020 18:12, Ulrike Uhlig
wrote:<br>
</div>
<br>
<blockquote type="cite"
cite="mid:f8389f15-c12f-ba56-50a7-4b105d205512@debian.org">
<pre class="moz-quote-pre" wrap="">If I understand correctly from a quick look, Yawning distributes his
changes under GNU GPL, while uTLS upstream has a BSD 3-Clause license
[<a class="moz-txt-link-freetext" href="https://github.com/refraction-networking/utls/blob/master/LICENSE" moz-do-not-send="true">https://github.com/refraction-networking/utls/blob/master/LICENSE</a>].
The BSD 3-Clause is in line with the Debian Free Software Guidelines
(DFSG)[<a class="moz-txt-link-freetext" href="https://wiki.debian.org/DFSGLicenses#The_BSD-3-clause_License" moz-do-not-send="true">https://wiki.debian.org/DFSGLicenses#The_BSD-3-clause_License</a>].
From my understanding, in Debian packaging, licenses generally apply to
files but it also seems possible (I never encountered such a case) to
have several licenses for one file
[<a class="moz-txt-link-freetext" href="https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-syntax" moz-do-not-send="true">https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-syntax</a>].
Maybe someone could confirm that this is accepted.
I'm now unsure to what we referred to previously when saying that there
might be licensing issues with Yawning's fork. It does not look like
there are. Or am I missing something crucial here? If I'm not, then to
move forward, one would need to open an RFP or ITP (Intent to Package)
bug on the Debian bugtracker and then package this fork of uTLS.</pre>
</blockquote>
To sum up the concerns that came from looking at it last time:<br>
<p>
golang-yawning-utls-dev is a fork of utls, which is itself a fork
of the golang tls library. This is a hard fork: any improvements
cannot be shipped upstream due to the difference in licensing that
you've identified. The upstream is very active - go has >1500
contributors, uTLS has >50 contributors. The fork we want to
package is maintained by very few people; if I'm not mistaken,
Yawning is the only core contributor.<br>
I think there is a security implication here - if there is a
security advisory for the golang library, the Debian Security team
needs to work with the upstreams to apply security patches to it
and all of its forks in Debian, meaning this one too. If the delta
from upstream increases with every fork this could mean a lot of
pain.<br>
<br>
However, my understanding of the dynamics could be entirely wrong,
so let me know if I'm off the mark.<br>
<br>
Sending this to the Debian Security team, to ask if they see any
problems here. Including the source link:
<a class="moz-txt-link-freetext" href="https://gitlab.com/yawning/utls">https://gitlab.com/yawning/utls</a> and ITP:
<a class="moz-txt-link-freetext" href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954209">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954209</a><br>
</p>
<p>If we're all good, I'd be very happy to help with packaging or
even
sponsoring this (I've recently completed the process to become DD,
now under review!).</p>
<blockquote type="cite"
cite="mid:f8389f15-c12f-ba56-50a7-4b105d205512@debian.org"><br>
<pre class="moz-quote-pre" wrap="">→ actually that package was uploaded to mentors.debian.org and could go
to experimental.</pre>
</blockquote>
Happy to update this to the latest policy and reupload if this is
something we want to do.<br>
<blockquote type="cite"
cite="mid:f8389f15-c12f-ba56-50a7-4b105d205512@debian.org">
<blockquote type="cite" style="color: #000000;">
<pre class="moz-quote-pre" wrap="">Hey, I'm new to the debian packaging space but am happy to help out here.
</pre>
</blockquote>
</blockquote>
Awesome, thank you for helping with this :)<br>
<p>Thank you all,<br>
</p>
<p>Ana<br>
</p>
</body>
</html>