Patchwork gnu: openldap: Use gnutls.

Submitter Alex Vong
Date Sept. 16, 2016, 4:21 p.m.
Message ID <87h99fke89.fsf@gmail.com>
Permalink /patch/15694/
State New

Comments

Alex Vong - Sept. 16, 2016, 4:21 p.m.
Hello,

The following patch does what the title says. The link of the bug
<http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
longer accessible, so I assume the bug is fixed since I cannot find it on
the internet. In addition, I have checked Debian's version, which is
slightly older (2.4.42), which also uses gnutls. So I think we are safe
here. Please object if there is a problem!

Please note that openldap is an input for curl, so I guess it is causing
the openssl dependency problem for octave I mentioned earlier. I haven't
tested building octave with curl though, which takes a while.

Finally, I have checked Debian's build script and found the following:

======================================================================
# Download the upstream source and make changes as required for DFSG reasons.
# Assumes wget is available, as this is generally only used by the package
# maintainers.
get-orig-source:
	@if [ ! -d "debian/schema" ] ; then \
	    echo 'Run this from the top directory of the Debian source' >&2; \
	    exit 1; \
	fi
	wget $(URL)/openldap-$(VERSION).tgz
	tar xzf openldap-$(VERSION).tgz
	rm -r openldap-$(VERSION)/doc/drafts
	rm -r openldap-$(VERSION)/doc/rfc
	set -e; for schema in debian/schema/*.schema debian/schema/*.ldif ; do \
	    file=`basename "$$schema"`; \
	    rm openldap-$(VERSION)/servers/slapd/schema/$$file; \
	done
	mv openldap-$(VERSION) openldap-$(VERSION)+dfsg
	tar cf openldap_$(VERSION)+dfsg.orig.tar openldap-$(VERSION)+dfsg
	rm -r openldap-$(VERSION)+dfsg
	gzip -9 openldap_$(VERSION)+dfsg.orig.tar
======================================================================

Are the RFC documents considered FSF-free? Otherwise, we will have to
remove them and repack the source.
Cheers,
Alex
Efraim Flashner - Sept. 20, 2016, 9:35 a.m.
On Sat, Sep 17, 2016 at 12:21:10AM +0800, Alex Vong wrote:
> Hello,
> 
> The following patch does what the title says. The link of the bug
> <http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
> longer accessible, so I assume the bug is fixed since I cannot find it on
> the internet. In addition, I have checked Debian's version, which is
> slightly older (2.4.42), which also uses gnutls. So I think we are safe
> here. Please object if there is a problem!
> 
> Please note that openldap is an input for curl, so I guess it is causing
> the openssl dependency problem for octave I mentioned earlier. I haven't
> tested building octave with curl though, which takes a while.
> 
> Finally, I have checked Debian's build script and found the following:
> 
> ======================================================================
> # Download the upstream source and make changes as required for DFSG reasons.
> # Assumes wget is available, as this is generally only used by the package
> # maintainers.
> get-orig-source:
> 	@if [ ! -d "debian/schema" ] ; then \
> 	    echo 'Run this from the top directory of the Debian source' >&2; \
> 	    exit 1; \
> 	fi
> 	wget $(URL)/openldap-$(VERSION).tgz
> 	tar xzf openldap-$(VERSION).tgz
> 	rm -r openldap-$(VERSION)/doc/drafts
> 	rm -r openldap-$(VERSION)/doc/rfc
> 	set -e; for schema in debian/schema/*.schema debian/schema/*.ldif ; do \
> 	    file=`basename "$$schema"`; \
> 	    rm openldap-$(VERSION)/servers/slapd/schema/$$file; \
> 	done
> 	mv openldap-$(VERSION) openldap-$(VERSION)+dfsg
> 	tar cf openldap_$(VERSION)+dfsg.orig.tar openldap-$(VERSION)+dfsg
> 	rm -r openldap-$(VERSION)+dfsg
> 	gzip -9 openldap_$(VERSION)+dfsg.orig.tar
> ======================================================================
> 
> Are the RFC documents considered FSF-free? Otherwise, we will have to
> remove them and repack the source.
> 

I believe that Debian doesn't consider them to be DFSG compliant because
they cannot be modified, just like the invariant sections of the GFDL
run afoul of the DFSG. So without actually checking I'd assume that
they're ok to distribute in Guix.
Jan Synáček - Sept. 20, 2016, 10:35 a.m.
On Fri, Sep 16, 2016 at 6:21 PM, Alex Vong <alexvong1995@gmail.com> wrote:
> Hello,

Hi,

> The following patch does what the title says. The link of the bug
> <http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
> longer accessible, so I assume the bug is fixed since I cannot find it on
> the internet.

The #7430 was fixed in 2013.

> ======================================================================
> # Download the upstream source and make changes as required for DFSG reasons.
> # Assumes wget is available, as this is generally only used by the package
> # maintainers.
> get-orig-source:
>         @if [ ! -d "debian/schema" ] ; then \
>             echo 'Run this from the top directory of the Debian source' >&2; \
>             exit 1; \
>         fi
>         wget $(URL)/openldap-$(VERSION).tgz
>         tar xzf openldap-$(VERSION).tgz
>         rm -r openldap-$(VERSION)/doc/drafts
>         rm -r openldap-$(VERSION)/doc/rfc
>         set -e; for schema in debian/schema/*.schema debian/schema/*.ldif ; do \
>             file=`basename "$$schema"`; \
>             rm openldap-$(VERSION)/servers/slapd/schema/$$file; \
>         done
>         mv openldap-$(VERSION) openldap-$(VERSION)+dfsg
>         tar cf openldap_$(VERSION)+dfsg.orig.tar openldap-$(VERSION)+dfsg
>         rm -r openldap-$(VERSION)+dfsg
>         gzip -9 openldap_$(VERSION)+dfsg.orig.tar
> ======================================================================

As a former OpenLDAP maintainer on Fedora and RHEL, I strongly suggest
you link it against openssl. It's basically the only really supported
crypto upstream.
Efraim Flashner - Sept. 20, 2016, 4:35 p.m.
On Sat, Sep 17, 2016 at 12:21:10AM +0800, Alex Vong wrote:
> Hello,
> 
> The following patch does what the title says. The link of the bug
> <http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
> longer accessible, so I assume the bug is fixed since I cannot find it on
> the internet. In addition, I have checked Debian's version, which is
> slightly older (2.4.42), which also uses gnutls. So I think we are safe
> here. Please object if there is a problem!
> 
> Please note that openldap is an input for curl, so I guess it is causing
> the openssl dependency problem for octave I mentioned earlier. I haven't
> tested building octave with curl though, which takes a while.
> 

I built it out. With this patch, octave will build with curl and
cyrus-sasl added as inputs, and will retain references to gnutls and
cyrus-sasl, as checked with `guix gc --references /gnu/store/...octave'
Ludovic Courtès - Sept. 24, 2016, 2:11 a.m.
Efraim Flashner <efraim@flashner.co.il> skribis:

> On Sat, Sep 17, 2016 at 12:21:10AM +0800, Alex Vong wrote:
>> Hello,
>> 
>> The following patch does what the title says. The link of the bug
>> <http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
>> longer accessible, so I assume the bug is fixed since I cannot find it on
>> the internet. In addition, I have checked Debian's version, which is
>> slightly older (2.4.42), which also uses gnutls. So I think we are safe
>> here. Please object if there is a problem!
>> 
>> Please note that openldap is an input for curl, so I guess it is causing
>> the openssl dependency problem for octave I mentioned earlier. I haven't
>> tested building octave with curl though, which takes a while.
>> 
>
> I built it out. With this patch, octave will build with curl and
> cyrus-sasl added as inputs, and will retain references to gnutls and
> cyrus-sasl, as checked with `guix gc --references /gnu/store/...octave'

So I think this patch can be safely applied, at least in core-updates
due to the large number of rebuilds.

Efraim, could you take care of it?

Thanks!

Ludo’.
Alex Vong - Sept. 24, 2016, 4:03 p.m.
Hello,

Jan Synáček <jan.synacek@gmail.com> writes:

> On Fri, Sep 16, 2016 at 6:21 PM, Alex Vong <alexvong1995@gmail.com> wrote:
>> Hello,
>
> Hi,
>
>> The following patch does what the title says. The link of the bug
>> <http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
>> longer accessible, so I assume the bug is fixed since I cannot find it on
>> the internet.
>
> The #7430 was fixed in 2013.
>
>> ======================================================================
>> # Download the upstream source and make changes as required for DFSG reasons.
>> # Assumes wget is available, as this is generally only used by the package
>> # maintainers.
>> get-orig-source:
>>         @if [ ! -d "debian/schema" ] ; then \
>>             echo 'Run this from the top directory of the Debian source' >&2; \
>>             exit 1; \
>>         fi
>>         wget $(URL)/openldap-$(VERSION).tgz
>>         tar xzf openldap-$(VERSION).tgz
>>         rm -r openldap-$(VERSION)/doc/drafts
>>         rm -r openldap-$(VERSION)/doc/rfc
>>         set -e; for schema in debian/schema/*.schema debian/schema/*.ldif ; do \
>>             file=`basename "$$schema"`; \
>>             rm openldap-$(VERSION)/servers/slapd/schema/$$file; \
>>         done
>>         mv openldap-$(VERSION) openldap-$(VERSION)+dfsg
>>         tar cf openldap_$(VERSION)+dfsg.orig.tar openldap-$(VERSION)+dfsg
>>         rm -r openldap-$(VERSION)+dfsg
>>         gzip -9 openldap_$(VERSION)+dfsg.orig.tar
>> ======================================================================
>
> As a former OpenLDAP maintainer on Fedora and RHEL, I strongly suggest
> you link it against openssl. It's basically the only really supported
> crypto upstream.

OK, first let me introduce '->' to mean 'is a dependency of'.

Currently we have the following:
  openldap -> curl -> octave

This means 'openssl -> openldap' cannot happen,
otherwise 'openssl -> octave',
which is a violation of GPLv3+.

I am interested in knowing how Fedora solves this issue.

Thanks,
Alex
Efraim Flashner - Sept. 25, 2016, 7:25 p.m.
On Sat, Sep 24, 2016 at 11:11:02AM +0900, Ludovic Courtès wrote:
> Efraim Flashner <efraim@flashner.co.il> skribis:
> 
> > On Sat, Sep 17, 2016 at 12:21:10AM +0800, Alex Vong wrote:
> >> Hello,
> >> 
> >> The following patch does what the title says. The link of the bug
> >> <http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
> >> longer accessible, so I assume the bug is fixed since I cannot find it on
> >> the internet. In addition, I have checked Debian's version, which is
> >> slightly older (2.4.42), which also uses gnutls. So I think we are safe
> >> here. Please object if there is a problem!
> >> 
> >> Please note that openldap is an input for curl, so I guess it is causing
> >> the openssl dependency problem for octave I mentioned earlier. I haven't
> >> tested building octave with curl though, which takes a while.
> >> 
> >
> > I built it out. With this patch, octave will build with curl and
> > cyrus-sasl added as inputs, and will retain references to gnutls and
> > cyrus-sasl, as checked with `guix gc --references /gnu/store/...octave'
> 
> So I think this patch can be safely applied, at least in core-updates
> due to the large number of rebuilds.
> 
> Efraim, could you take care of it?
> 
> Thanks!
> 
> Ludo’.

pushed to core-updates!
Alex Vong - Sept. 27, 2016, 4:37 p.m.
Efraim Flashner <efraim@flashner.co.il> writes:

> On Sat, Sep 24, 2016 at 11:11:02AM +0900, Ludovic Courtès wrote:
>> Efraim Flashner <efraim@flashner.co.il> skribis:
>> 
>> > On Sat, Sep 17, 2016 at 12:21:10AM +0800, Alex Vong wrote:
>> >> Hello,
>> >> 
>> >> The following patch does what the title says. The link of the bug
>> >> <http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17> is no
>> >> longer accessible, so I assume the bug is fixed since I cannot find it on
>> >> the internet. In addition, I have checked Debian's version, which is
>> >> slightly older (2.4.42), which also uses gnutls. So I think we are safe
>> >> here. Please object if there is a problem!
>> >> 
>> >> Please note that openldap is an input for curl, so I guess it is causing
>> >> the openssl dependency problem for octave I mentioned earlier. I haven't
>> >> tested building octave with curl though, which takes a while.
>> >> 
>> >
>> > I built it out. With this patch, octave will build with curl and
>> > cyrus-sasl added as inputs, and will retain references to gnutls and
>> > cyrus-sasl, as checked with `guix gc --references /gnu/store/...octave'
>> 
>> So I think this patch can be safely applied, at least in core-updates
>> due to the large number of rebuilds.
>> 
>> Efraim, could you take care of it?
>> 
>> Thanks!
>> 
>> Ludo’.
>
> pushed to core-updates!

Thank you!

Patch

From ecffd2252b0f6778919b97903c5419cbd5a06f4f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Sat, 17 Sep 2016 00:03:05 +0800
Subject: [PATCH] gnu: openldap: Use gnutls.

* gnu/packages/openldap.scm (openldap)[inputs]: Switch to gnutls.
---
 gnu/packages/openldap.scm | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 4bbc6a6..627319b 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -55,14 +55,11 @@ 
               "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp"))))
    (build-system gnu-build-system)
    (inputs `(("bdb" ,bdb-5.3)
-             ("openssl" ,openssl)
              ("cyrus-sasl" ,cyrus-sasl)
+             ("gnutls" ,gnutls)
              ("groff" ,groff)
              ("icu4c" ,icu4c)
              ("libgcrypt" ,libgcrypt)
-             ;; FIXME: currently, openldap requires openssl or gnutls<3, see
-             ;; http://www.openldap.org/its/index.cgi/Incoming?id=7430;page=17
-             ;; Once this is fixed, switch to gnutls.
              ("zlib" ,zlib)))
    (native-inputs `(("libtool" ,libtool)))
    (arguments
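
Review bot: with ("openssl" ,openssl) dropped from the inputs, nothing in this hunk pins the TLS backend, and the (arguments ...) form that starts on the last context line lies outside the diff, so it is not visible whether configure is told to use GnuTLS. If the build relies on configure auto-detection, a failed GnuTLS detection may produce a libldap without TLS rather than a build error; consider passing --with-tls=gnutls in #:configure-flags so that a detection failure stops the build. Separately, the deleted FIXME was the only record of the "openssl or gnutls<3" constraint, and the commit log says only "Switch to gnutls"; one sentence in the log stating that the upstream issue referenced by that comment is resolved would keep the rationale with the change.
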
-- 
2.10.0