[pkg-go] Bug#1112162: accidentally includes and installs opaque "ttylinux" VM disk image with sourceless GNU GPL applications within

John Scott jscott at posteo.net
Wed Aug 27 02:43:55 BST 2025


Source: golang-github-vmware-photon-controller-go-sdk
Version: 0.0~PROMOTED-339-1.1
Tags: upstream
Severity: serious
Justification: infringement of GNU GPL attribution and source availability requirements
X-Debbugs-Cc: ftpmaster at debian.org

Hello,
For an unrelated purpose I was looking for packages shipping files ending in '.iso' and this package came up on my radar. The golang-github-vmware-photon-controller-go-sdk-dev installs these files on all architectures:
/usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/ttylinux-pc_i486-16.1.iso
/usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/tty_tiny.ova

These files really do contain an entire virtual machine, as I'll show, with the Linux kernel, BusyBox, the GNU C Library (real glibc, not Newlib, which is both uncommon in this use case and makes the licensing implications more serious), Dropbear, and more. These virtual machine images are present already in the source package. It is hard to verify authenticity due to bitrot, but it appears this is what's being referred to:
https://www.minimalinux.org/ttylinux/downloadPC.html
https://html-preview.github.io/?url=https://github.com/mkienenb/ttylinux/blob/master/dloadPC-i486.html

The VMware-ish file conventions are something I'm working on wrapping my head around, so do note that the '*.iso' file is mainly metadata and the '*.ova' is where the concerns really lie.
	$ bsdcat ttylinux-pc_i486-16.1.iso  | tr -cd '[[:print:]]' | tr -s '[[:space:]]'
	CD001LINUX CDROM "s0 GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM 2015032517314800201503251731480000000000000000002015032517314800 CD001"s0"s00s0SETTINGS.JSN;1{"vm_network_netmask":"255.255.254.0","vm_domain":"eng.vmware.com","vm_network_ip":"10.146.34.113","vm_network_nameservers":"10.142.7.1","vm_network_gateway":"10.146.35.253"}
It looks like this probably wasn't supposed to be shared outside VM corporate seeing as those are statically-configured network details.

Personally I was concerned about this file not being what it claimed, so I found the following helpful for a more forensic analysis:
$ pax -r -f /usr/share/gocode/src/github.com/vmware/photon-controller-go-sdk/testdata/tty_tiny.ova -s '/^.*$/tty_tiny.vmdk/' '*.vmdk*' \
	&& qemu-img convert -f vmdk -O raw tty_tiny.vmdk tty_tiny.img

A lot of tools don't like the compressed VMware format it seems, so this conversion makes all else easier. You can identify the software within with
$ tr -c -d '[[:print:]]' < tty_tiny.img

and it also seems to boot at least part of the way using qemu-system-i386 using BusyBox for the system startup.

So there are a few reasons why it's prima facie that this is seriously wrong even though I don't have detailed knowledge of the package:
• The hard-coded network credentials could be construed as "phoning home" and were spooky
• There is a lot of software in the images that is under the GNU GPL and needs to have source available, but much of the software (including ttylinux itself) is so old that this would actually be pretty hard to backtrack on.
• It's not apparent how this could be used for any sort of testing even if one wanted to.

Also, pardon my French, but I don't think there are any runtime reverse dependencies or build-time reverse dependencies on this binary package, the only one for this source package. Likewise the ITP #855680 doesn't actually describe why the software belongs in Debian or what anyone would want it for, so I'm scratching my head. Does anyone know why this package exists?
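The inspection workflow above (OVA is a tar, pull out the .vmdk, convert the VMware sparse format to raw, then look at the printable strings), as an added POSIX sh example that is not part of the report or the package. It assumes the OVA's disk member ends in .vmdk, that sparse/stream-optimized extents are the ones carrying the "KDMV" magic and need qemu-img, and uses a constructed list of component markers.

```shell
#!/bin/sh
# Audit an OVA for bundled software: list members, extract the disk,
# convert VMware sparse extents to raw when qemu-img is available, and
# report which well-known GPL components leave identifiable strings behind.
# Assumption: the OVA is an uncompressed tar whose disk member ends in .vmdk.

# Constructed marker list for components named in the report.
MARKERS='Linux version|BusyBox|GNU C Library|Dropbear'

# Print the members of the OVA (per the OVF spec it is a plain tar archive).
ova_list() { tar -tf "$1"; }

# Extract the first .vmdk member of "$1" into directory "$2"; print its path.
ova_extract_disk() {
    member=$(tar -tf "$1" | grep '\.vmdk$' | head -n 1) || return 1
    [ -n "$member" ] || return 1
    tar -xf "$1" -C "$2" "$member" && printf '%s\n' "$2/$member"
}

# VMware sparse/stream-optimized extents start with the magic "KDMV";
# a flat extent has no such header and can be scanned as-is.
vmdk_is_sparse() { [ "$(head -c 4 "$1")" = "KDMV" ]; }

# Print a raw image path: convert sparse extents with qemu-img, else reuse "$1".
disk_to_raw() {
    if vmdk_is_sparse "$1"; then
        command -v qemu-img >/dev/null 2>&1 \
            || { echo "qemu-img is needed to convert $1" >&2; return 1; }
        qemu-img convert -f vmdk -O raw "$1" "$1.raw" && printf '%s\n' "$1.raw"
    else
        printf '%s\n' "$1"
    fi
}

# Report the distinct markers found among the printable strings of a raw image.
# LC_ALL=C keeps tr byte-oriented and sort order predictable.
raw_scan_markers() {
    LC_ALL=C tr -c -d '[:print:]\n' < "$1" | LC_ALL=C grep -oE "$MARKERS" | LC_ALL=C sort -u
}
```

Run `raw_scan_markers "$(disk_to_raw "$(ova_extract_disk file.ova outdir)")"` to get the component list for a real image; an empty result from a booting image is itself suspicious and worth a closer look.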