[Pkg-privacy-maintainers] Bug#948312: Licensing questions Bug#948312: obfs4proxy: New upstream releasse

Ulrike Uhlig ulrike at debian.org
Mon Mar 16 18:12:44 GMT 2020 

Hi Cecylia!

On 16.03.20 18:24, Cecylia Bocovich wrote:
> On Tue, 7 Jan 2020 10:36:20 +0100 Ulrike Uhlig <ulrike at debian.org> wrote:
>> On 07.01.20 10:14, Ulrike Uhlig wrote:
>>> On 07.01.20 00:57, Chris Lamb wrote:

>>>> There is a new upstream release of obfs4proxy available (at the time
>>>> of writing, 0.0.11):>> However, this will require the packaging of
> at least https://gitlab.com/yawning/utls.
>>>
>>> Quoting Ana Custura:
>>>
>>> "
>>> We have 2 options going forward: we can package yawning's fork of uTLS
>>> or we can drop meek-lite support from the obfs4proxy package. We need to
>>> carefully consider this, as it is the only meek client currently
>>> packaged in Debian. I have built a package that drops meek-lite support
>>> (which is easily disabled) of version 0.0.11.

→ actually that package was uploaded to mentors.debian.org and could go
to experimental.

>>> There are some licensing issues that need to be resolved with yawning's
>>> fork of uTLS [3] before we consider looking at packaging it.

>> Tor seems to have had plans to help with the maintenance apparently:
>> https://trac.torproject.org/projects/tor/ticket/29286

> Hey, I'm new to the debian packaging space but am happy to help out here.

Yay! That is very nice, welcome.

> FWIW, there is active interest in a meek client package for Debian [1].

To this I would add the link to the Debian Request For Package (RFP)
bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764007. I haven't
looked at it in detail yet and I don't know if it adds up-to-date
supplementary info to the Torproject bug report.

> Before going forward with dropping it from the obfs4proxy package, we
> should probably have a meek package to take it's place. I've no idea how
> many tools rely on this feature of obfs4proxy but don't want to assume none.
> 
> If I understand correctly, the main blocker on this is licensing
> concerns around Yawning's fork of utls? Perhaps it's better to resolve
> this as the path forward. I'll take a look and see what we can do about
> this.

If I understand correctly from a quick look, Yawning distributes his
changes under GNU GPL, while uTLS upstream has a BSD 3-Clause license
[https://github.com/refraction-networking/utls/blob/master/LICENSE].

The BSD 3-Clause is in line with the Debian Free Software Guidelines
(DFSG)[https://wiki.debian.org/DFSGLicenses#The_BSD-3-clause_License].

>From my understanding, in Debian packaging, licenses generally apply to
files but it also seems possible (I never encountered such a case) to
have several licenses for one file
[https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#license-syntax].
Maybe someone could confirm that this is accepted.

I'm now unsure to what we referred to previously when saying that there
might be licensing issues with Yawning's fork. It does not look like
there are. Or am I missing something crucial here?

If I don't, then to move forward, one would need to open an RFP or ITP
(Intent to Package) bug on the Debian bugtracker and then package this
fork of uTLS.

best,
ulrike

> [1] https://trac.torproject.org/projects/tor/ticket/13160

More information about the Pkg-privacy-maintainers mailing list