Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Peter Marschall
Hi,

I have put an unofficial fork of the official OpenSC repo for the Debian packages
( git://git.debian.org/git/pkg-opensc/opensc.git ) onto github.

It is available at git://github.com/marschap/pkg-opensc.git

The branches erics-upsream & erics-master are the upstream & master
branches from Eric's repo at git.debian.org

The branches upstream & master are my going at 0.12.2 packaging.

Rough overview of the changes:
* get rid of unecessary Build-Depends: libxt-dev
* renable zlib & readline support
* add westcos-tool & its man page: new with 0.12.2
* explicitely nable building of man pages
* add *.profile files
* don't use dh_autoconfigure in override_dh_autoconfigure,
  but call bootstrap (see below) & configure directly
* simplify opensc.install
   - get rid of debian/tmp
   - new file opensc.manpages
   - extend opensc.docs
* empty 'dependency_libs' in .la files (please lintian)
   Are those .la files necessary at all (for dlopen, ...)?

Details can be found in the commit messages.

Using the changes I was able to successfully build private opensc 0.12.2-0pm1
(please forgive my private release numbering scheme ;-) packages for i386 and
amd64.

A few things I have not yet done/solved:
* not 100% lintian clean: 3 or 4 warnings left
  I was too lazy.
* In debian testing, trying to build the package using git-buildpackage
  with the autotools provided in the upstream tar ball failed.
  (Funnily it worked when doing a simple buildpackage)
  For this reason I am calling the ./bootstrap script at the beginning
  the configure phase which makes the package build, but creates
  a rather large debian diff.

Feel free to play with it.


Eric,
what about a new, official Debian package, with my changes as the starting point
as starting point?

Best regards
Peter

--
Peter Marschall
[hidden email]
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Daniel Kahn Gillmor-7
On 08/21/2011 12:36 PM, Peter Marschall wrote:

> * renable zlib & readline support
 [...]
> what about a new, official Debian package, with my changes as the starting point
> as starting point?

i don't think these are compatible with the DFSG, alas.

GNU readline (at least) is GPL-licensed, and opensc links against
OpenSSL.  So building a package that links to both of them creates a
non-redistributable work :(

 http://people.gnome.org/~markmc/openssl-and-the-gpl.html

Is there any way to have OpenSC build against some crypto libraries
other than OpenSSL (preferably licensed in GPL-compatible ways) so we
could link it to readline without violating one license or the other?

        --dkg


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

signature.asc (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Andreas Jellinghaus-2
Hi Daniel,

Am Sonntag 21 August 2011, 23:23:36 schrieb Daniel Kahn Gillmor:

> On 08/21/2011 12:36 PM, Peter Marschall wrote:
> > * renable zlib & readline support
>
>  [...]
>
> > what about a new, official Debian package, with my changes as the
> > starting point as starting point?
>
> i don't think these are compatible with the DFSG, alas.
>
> GNU readline (at least) is GPL-licensed, and opensc links against
> OpenSSL.  So building a package that links to both of them creates a
> non-redistributable work :(
>
>  http://people.gnome.org/~markmc/openssl-and-the-gpl.html

I agree with this.
 
> Is there any way to have OpenSC build against some crypto libraries
> other than OpenSSL (preferably licensed in GPL-compatible ways) so we
> could link it to readline without violating one license or the other?

On the other hand: what part of opensc benefits from using readline?
I guess the only place it might be used is the opensc-explorer, and it
works fine for me without readline - so I say lets remove the readline
code to avoid this.

It might be nice to have opensc link with libgcrypt instead of openssl
too. libgcrypt has a very nice interface and is much easier to use than
openssl in my opinion.

but if we work on such a change, we will have some fun with the new stacking:
will applications (that use openssl or libgnutls) still work if that library
or a helper to that lib uses a plugin interface (pkcs#12) to load opensc
pkcs#12 plugin which is linked to (libcrypto or libgcrypt).

we had problems even with app -> openssl -> opensc -> libcrypto setup in the
past, and I would expect problems here - or this should at least require a lot
of testing to make sure the resulting setup works correctly.

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Peter Marschall
In reply to this post by Daniel Kahn Gillmor-7
Hi,

On Sunday, 21. August 2011, you wrote:

> On 08/21/2011 12:36 PM, Peter Marschall wrote:
> > * renable zlib & readline support
>
>  [...]
>
> > what about a new, official Debian package, with my changes as the
> > starting point as starting point?
>
> i don't think these are compatible with the DFSG, alas.
>
> GNU readline (at least) is GPL-licensed, and opensc links against
> OpenSSL.  So building a package that links to both of them creates a
> non-redistributable work :(
>
>  http://people.gnome.org/~markmc/openssl-and-the-gpl.html
>
> Is there any way to have OpenSC build against some crypto libraries
> other than OpenSSL (preferably licensed in GPL-compatible ways) so we
> could link it to readline without violating one license or the other?

OK, let's leave out libreadline (simple changes in debian/{rules,control}).

My interest is less in libreadline - although it makes opensc-explorer
a lot more comfortable - but in an update to opensc in Debian.

What about that?

Best
Peter

PS: if zlib has similar issues, then maybe leave it away too.


--
Peter Marschall
[hidden email]
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Martin Paljak-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

On 8/23/11 8:44 , Peter Marschall wrote:

> On Sunday, 21. August 2011, you wrote:
>> On 08/21/2011 12:36 PM, Peter Marschall wrote:
>>> * renable zlib & readline support
>> i don't think these are compatible with the DFSG, alas.
>>
>> GNU readline (at least) is GPL-licensed, and opensc links
>> against OpenSSL.  So building a package that links to both of
>> them creates a non-redistributable work :(
>>
>> http://people.gnome.org/~markmc/openssl-and-the-gpl.html

The linked page on OpenSSL and GPL also gives some additional hints:

1. "Usual disclaimers apply, I've no legal background whatsoever,
don't trust a word I say ... I'm quite probably completely wrong."
2. "One recommended way around this GPL incompatibility is to add an
OpenSSL exemption when you license your code under the GPL."
3. Remember that OpenSC is LGPL, not GPL (even though it is legal to
"upgrade" LGPL to GPL as has been "proven" by Spanish government)
4. iAnal as well. Consulting FSFE (for a second opinion on what can
and what can not be done) would be beneficial.
5. I consider Debian's position as a die-hard free software
precaution, I don't know that the OpenSSL vs (L)GPL issue has ever
been tested in courts, nor that it would actually represent the
interests of any involved party (be it OpenSC code contributors or
OpenSSL developers).
It is just something that is "advised by lawyers as a precaution".
6. Creating unofficial, more complete but maybe more reckless packages
would still be beneficial, given that the distributor takes the
associated risks (I personally still believe that common sense and
good intents beats the lawyer-centric world we live in)
7. IMHO OpenSSL is something that "comes with the operating system" in
Debian (and other Linux distros)

>> Is there any way to have OpenSC build against some crypto
>> libraries other than OpenSSL (preferably licensed in
>> GPL-compatible ways) so we could link it to readline without
>> violating one license or the other?
Two options:
 - decide to move to some other soft-crypto implementation and reap
out OpenSSL (would be lovely)
 - create a small "softcrypto" mega-interface and allow to plug in
different softcrypto implementations (something like cURL did)
gradually. This would allow to build without OpenSSL in Debian and such
and provide a way to still make use of drivers which might not have a
developer or somebody to test any changes.


>
> OK, let's leave out libreadline (simple changes in
> debian/{rules,control}).
>
> My interest is less in libreadline - although it makes
> opensc-explorer a lot more comfortable - but in an update to opensc
> in Debian.
>
> What about that? PS: if zlib has similar issues, then maybe leave
> it away too.
I don't know of such limitations.


- --
@MartinPaljak
+3725156495
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iQIcBAEBCAAGBQJOU0bXAAoJEHSCZV4wfjRSfroP/1IeDmFPOPWO2ZosXglsYFmM
kYYzvah8l6G8F5KyHbo93vc3BeOe4zQN1ir3zMTpkBsSNDWdPtjd9g3j1uAF72/W
yNXvVgqihoAZ9HquRFqV1LMqR+4KpW/Wjm0eZm6y8TsgF7rPSVKSSZqwCdvye0up
uFZSBWQ4XOjQpFCdlrXJvCidzQ4a2f/RTdkqr0T0W5ntAGgks2WlbUn+bDSQnQVf
EmpU8SK0SOMzDxicXkVUjUmaVusxkLE1KFW3VPH0jEp1zjvtSidbFw6iNk2Vs98a
8KViwk/09BmHJ7vRv57KwFnOa9mCmVyX2gJyHSwbB7kflA7a2fxep8BdOdWQ9S7q
jKP0KJZmMuabFDJIvAlL0h1xIozikHCldhB46f/7lgZNssfy+AkaI1taA75uBJuy
AD5w+6YfkFTAriihbg0L+xshFiQSxKbSMzq0128/8vS59LZsq/O9JZ/xgaHiM2Lh
bot9M2Tj5efii4mdM0SWQx32O8jm8mmSrQLwIrdNqe4YavvpE0bPcI4Vz3ZGYnyz
2h6J7xm/I5KddIUb+jwVoB1OBudZ2KboUvwkQZaC8HYcf/Mzsk6wkGplyuTv0gjg
1Fc+bpG4kIRHsI4HKDB2FYcP+uYo4lMj0rCA0JcITckMpiVtgw9+E4Ucu7thPYFF
CED/e/n3jp8nUfugnYLg
=U75N
-----END PGP SIGNATURE-----
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Jean-Michel Pouré - GOOZE
In reply to this post by Peter Marschall
Le mardi 23 août 2011 à 07:44 +0200, Peter Marschall a écrit :
> My interest is less in libreadline - although it makes opensc-explorer
> a lot more comfortable - but in an update to opensc in Debian.

Dear Peter,

Do you also plan to build daily packages as well?

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Ludovic Rousseau
In reply to this post by Martin Paljak-4
2011/8/23 Martin Paljak <[hidden email]>:

>>> Is there any way to have OpenSC build against some crypto
>>> libraries other than OpenSSL (preferably licensed in
>>> GPL-compatible ways) so we could link it to readline without
>>> violating one license or the other?
> Two options:
>  - decide to move to some other soft-crypto implementation and reap
> out OpenSSL (would be lovely)
>  - create a small "softcrypto" mega-interface and allow to plug in
> different softcrypto implementations (something like cURL did)
> gradually. This would allow to build without OpenSSL in Debian and such
> and provide a way to still make use of drivers which might not have a
> developer or somebody to test any changes.

Apple has deprecated OpenSSL in Lion. OpenSSL is still available but
will be removed in a later version.

See http://ludovicrousseau.blogspot.com/2011/08/mac-os-x-lion-and-openssl.html

I think the correct option for OpenSC (if we stay with OpenSSL) is to
statically link with OpenSSL (as I imagine is also done on Windows).

Bye,

--
 Dr. Ludovic Rousseau
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Martin Paljak-4
On 8/23/11 11:46 , Ludovic Rousseau wrote:

> 2011/8/23 Martin Paljak <[hidden email]>:
>>>> Is there any way to have OpenSC build against some crypto
>>>> libraries other than OpenSSL (preferably licensed in
>>>> GPL-compatible ways) so we could link it to readline without
>>>>  violating one license or the other?
>> Two options: - decide to move to some other soft-crypto
>> implementation and reap out OpenSSL (would be lovely) - create a
>> small "softcrypto" mega-interface and allow to plug in different
>> softcrypto implementations (something like cURL did) gradually.
>> This would allow to build without OpenSSL in Debian and such and
>> provide a way to still make use of drivers which might not have a
>> developer or somebody to test any changes.
>
> Apple has deprecated OpenSSL in Lion. OpenSSL is still available
> but will be removed in a later version.
>
> See
> http://ludovicrousseau.blogspot.com/2011/08/mac-os-x-lion-and-openssl.html
>
>
> I think the correct option for OpenSC (if we stay with OpenSSL) is
> to statically link with OpenSSL (as I imagine is also done on
> Windows).
From what I learned from the WWDC slides [1] (need to be signed in to
ADC before opening the link) the reason for deprecating OpenSSL as an
"API from platform" was troubles with guaranteeing ABI-compatibility
(kitchen-sink API?) and the need to have an up to date FIPS compatible
platform (OpenSSL is undergoing a new FIPS validation at the moment,
AFAIK, but still only for x86).

OpenSSL is in that matter a defacto industry "standard", but far from
being perfect for many use cases.

But this only affects OpenSC on Mac OS X (which, in theory, should
have the same problem with OpenSSL and license incompatibility as on
Linux). Static linking is not the problem nor the solution on Linux
(package dependencies should remove the ABI problem)

For OS X, the main question is not what/how to use instead of OpenSSL,
but what needs to be implemented instead of Tokend/CDSA to provide
support for native applications.

FYI: Safari 5.1 on 10.6 crashes with OpenSC.tokend. Or any tokend in
that matter.

Studying alternatives for OpenSSL would be a good idea nevertheless,
creating a 15th API [2] for software crypto would also be sweet, why
not having gateways to CommonCrypto/Transform on Mac (or whatever else
they figure out next) and/or CNG/CryptoAPI on Windows in addition to a
new chosen LGPL-compatible default platform as well as existing OpenSSL.

Learning from cURL experience [3] would be useful as well.


Best,
Martin


[1]
http://adcdownload.apple.com/wwdc_2011/adc_on_itunes__wwdc11_sessions__pdf/212_nextgeneration_cryptographic_services.pdf
[2] http://xkcd.com/927/
[3] http://curl.haxx.se/docs/ssl-compared.html
--
@MartinPaljak
+3725156495


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

signature.asc (858 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Douglas E. Engert
In reply to this post by Peter Marschall
On 8/23/2011 12:44 AM, Peter Marschall wrote:

>
> PS: if zlib has similar issues, then maybe leave it away too.

The PIV card require zlib, or a replacement. Cards are being issued with
compressed certificates. If you drop it, OpenSC will be useless for these
cards.

The PIV only uses OpenSSL for the PIV-tool, which is only used by a developer,
to that is not an issue for the PIV card at least.

>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Peter Marschall
In reply to this post by Andreas Jellinghaus-2
Hi,

On Monday, 22. August 2011, Andreas Jellinghaus wrote:

> Hi Daniel,
>
> Am Sonntag 21 August 2011, 23:23:36 schrieb Daniel Kahn Gillmor:
> > On 08/21/2011 12:36 PM, Peter Marschall wrote:
> > > * renable zlib & readline support
> >  
> >  [...]
> >  
> > > what about a new, official Debian package, with my changes as the
> > > starting point as starting point?
> >
> > i don't think these are compatible with the DFSG, alas.
> >
> > GNU readline (at least) is GPL-licensed, and opensc links against
> > OpenSSL.  So building a package that links to both of them creates a
> > non-redistributable work :(
> >
> >  http://people.gnome.org/~markmc/openssl-and-the-gpl.html
>
> I agree with this.

No problem with me.

I am more interested in getting an updated opensc package in Debian
than to have libreadline included in the official package.
I can keep these patches locally.

That's why I wrote "starting point" in my original mail:
- take the things from the repo you consider appropriate,
- leave others out that you do not consider appropriate,
- add additional things, ...
and build an updated official Debian package ;-)

> On the other hand: what part of opensc benefits from using readline?
> I guess the only place it might be used is the opensc-explorer, and it
> works fine for me without readline - so I say lets remove the readline
> code to avoid this.

Please do not remove the code from upstream.
Having it had helped me a lot with the update of the openpgp driver.
It is in a configure option and can be en-/ or disabled as required.

An alternative is to replace libreadline by another "editline library" with
a different license, e.g. libedit (also in Debian).

Best regards
Peter

--
Peter Marschall
[hidden email]
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB

Peter Marschall
In reply to this post by Jean-Michel Pouré - GOOZE
Hi,

On Tuesday, 23. August 2011, Jean-Michel Pouré - GOOZE wrote:
> Do you also plan to build daily packages as well?

No,
publishing the repo was meant as a hint & help for the Debian maintainers to
update the official Debian opensc package.

Best
Peter

--
Peter Marschall
[hidden email]
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel