[Pkg-auth-maintainers] Bug#846359: Bug#824532: Bug#848327: RFS: libu2f-host/1.1.3-1

Sun Jan 29 21:21:18 UTC 2017

Am 29.01.2017 um 22:07 schrieb Luca Capello:
> Hi there,
> 
> On Fri, 27 Jan 2017 23:08:08 +0100, Nicolas Braud-Santoni wrote:
>> On Sun, Dec 25, 2016 at 03:29:39PM +0100, Luca Capello wrote:
>>>
>>> sorry for the late reply, the package was rejected:
>>>
>>>   <http://lists.alioth.debian.org/pipermail/pkg-auth-maintainers/Week-of-Mon-20161212/000953.html>
>>
>> Sorry for the even-more-late reply, I was ill the last few months  :(
>>
>> I built a new version of the package
>> that has updated copyright metadata.
> 
> Thank you.
> 
>>> However, can you first push your changes to the Git repository on
>>> Alioth?  I find awkward not to use it for Debian work...
>>
>> It is in the rfs-848327 branch on alioth.
> 
> Again, thank you, two comments not related to the udev rules:
> 
> - there are neither upstream/1.1.3 nor debian/1.1.3-1 tags on Alioth,
>   which BTW is still missing the upstream and pristine-tar branches, so
>   no new binary packages can be built from the Alioth Git repository:
> 
>     <https://github.com/Yubico/libu2f-host-dpkg/branches>
> 
> - the previous rejection was because of a new license for the CLI tools,
>   while in the debian/changelog you actually talk about the library
>   itself, which has always been LGPL-2+:
> 
>     <https://github.com/Yubico/libu2f-host/commit/9f53f3ccf81d3e5029eca863014714bf217914e1>
> 
> Both issues should be corrected for me to sponsor your upload.
> 
>>>> This updates brings:
>>>> - - a fix for #846358, so that rules for the right udev version are installed;
>>>> - - as per #846359 and #824532, this creates a new binary package,
>>>>   libu2f-common, containing the udev rules;
>>>> - - the new upstream version brings udev rules for additional devices.
>>>
>>> Sorry, I still do not see the reasoning behing such a move:
>>>
>>>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824532#42>
>>
>> Well, that one is simple:
>>
>> - #846358 is a bug, pure and simple, and this fixes it.
> 
> As far as I know, no one has never objected to this and the fix does not
> involve touching anything else WRT the current logic.
> 
>> - Before this upload, the udev rules were shipped in the libu2f-host0
>>   binary package, which is again wrong.
> 
> It depends, it would be OK if access to these devices was only possible
> via libu2f-host0, which is not the case here:
> 
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824532#17>
> 
>> There are two options, then
>>
>>   1. keeping the udev rules in the libu2f-host *source* package
>>   2. moving the udev rules to another source package
>>
>>
>> I am strongly in favor of 1, if only because upstream actually maintains
>> that list in this package.  The alternative involves
>>   - repackaging libu2f-host to get rid of this
>>     (and patching the build/install scripts),
> 
> Sorry?  No need to repack or patch anything from upstream, but simple do
> not install the udev rules in a .deb package.

To make this perfectly clear (again): I, as udev/systemd maintainer,
object to maintaining that u2f udev rule as a downstream patch in udev
and I will remove that patch from src:systemd post stretch. It's simply
not maintainable (as proven by the outdated rule we ship).

Possible solutions for you to consider:
1/ get those udev rules accepted at systemd upstream (was rejected afair)
2/ split the rules out into a -common package which doesn't require
libu2f-host0 to be installed
3/ rework u2f support so it doesn't requires those udev rules.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-auth-maintainers/attachments/20170129/c870f2e0/attachment.sig>