Bug#747031: fixed in python-debian 0.1.22

John Wright jsw at debian.org
Fri Jun 13 06:49:37 UTC 2014


Hi Stuart,

On Wed, Jun 11, 2014 at 10:12:21PM +1000, Stuart Prescott wrote:
> Hi John,
> 
> >    * python_support: Avoid hashlib dependency, using the built-in _sha or
> >      _sha1 module (depending on Python version) instead.  That way we
> >      don't link in OpenSSL, which has an incompatible license.
> >      (Closes: 747031)
> 
> We should be careful that this particular change is not backwards compatible 
> with wheezy's python:
> 
> $ PYTHONPATH=. python -c 'import debian.debian_support; 
> debian.debian_support.new_sha1()'
> Traceback (most recent call last):
>   File "<string>", line 1, in <module>
>   File "debian/debian_support.py", line 50, in new_sha1
>     "Built-in sha1 implementation not found; cannot use hashlib"
> NotImplementedError: Built-in sha1 implementation not found; cannot use 
> hashlib implementation because it depends on OpenSSL, which may not be linked 
> with this library due to license incompatibilities
> 
> (the test suite does fail which would alert a backporter)
> 
> Fiddling around with an internal interface like _sha feels quite wrong too. I 
> think it's likely to bring pain back to us in the future.

For what it's worth, I don't particularly like this solution either.  I
couldn't find a better one (at least not a technical one - see below).

> I'm quite unconvinced by the argument that a GPL'd script can't import 
> hashlib; I think GPLv3 is quite clear that "hashlib" is a Standard Interface 
> of the Python programming language and that making use of it is fine; the 
> language is less precise for GPLv2 but I still don't think there's a problem 
> there. There are plenty of other GPL'd things in Debian that "import hashlib" 
> and I don't think anyone's interested in working on this.

I actually am convinced by the debian-legal argument that the exception
doesn't apply for Debian (because Debian distributes both OpenSSL and
python-debian), but the alternative to this hacky crap is to modify our
own license to allow linking with OpenSSL.  Which honestly is probably
not too hard since there were only a handful of contributors to
python_support.py.

> I've taken this particular issue out of the too-hard-basket and put it back in 
> several times already... thanks for taking a crack at it.

No problem.  Feel free to revert the change if it's causing problems.

-- 
John Wright <jsw at debian.org>