I am looking for a sponsor for my package "mbedtls":
* Package name : mbedtls
Version : 2.28.0-0.1
However, I have already packaged v3.0.0. It's not been uploaded yet
because it fails some tests intermittently, and I am in discussion
with upstream about why this only happens sometimes. That has been
stalled for a while so maybe I should just upload this 2.28, but it
might be worth me giving them a prod and us waiting another week or so
to see if v3.0.0 will happen?
(correct me if I'm wrong, but I believe that using Apache-2.0 libraries in GPLIt depends on the version of the GPL at play. If it's GPL 3.0 (or
software is not allowed).
MbedTLS is usually released under the terms of the Apache 2.0 license,Indeed, sticking to LTS releases may be quite important for this reason
while LTS versions are licensed under the Apache-2.0 OR
GPL-2.0-or-later, a thing that many users really appreciate
Il giorno sab 8 gen 2022 alle 01:52:47 +0000, Wookey <wookey@wookware.org>
ha scritto:
However, I have already packaged v3.0.0. It's not been uploaded yet
because it fails some tests intermittently, and I am in discussion
with upstream about why this only happens sometimes. That has been
stalled for a while so maybe I should just upload this 2.28, but it
might be worth me giving them a prod and us waiting another week or so
to see if v3.0.0 will happen?
Hi, thank you for your reply! I have not packaged 3.0.0 myself because it is not an LTS release, and I believe that packaging an LTS version is
preferable for how Debian releases work.
Also, packaging LTS versions is preferable for licensing issues. MbedTLS is usually released under the terms of the Apache 2.0 license, while LTS versions are licensed under the Apache-2.0 OR GPL-2.0-or-later
When the MbedTLS developers will release an LTS version of the 3.x branch I'll be happy to work on it, and we could help each other too - we could
even unofficially co-maintain the MbedTLS package starting from now, as the original maintainer has not responded to my emails in months...
OK. I had not appreciated that the LTS and dev versions have different licencing. I don't see how they can do that in practice. TheI honestly have no idea, but better safe than sorry.
requirement is to make all contributions under both apache-2 and GPl2-or-later, so surely that always applies to whatever is in the dev
repo, whether or not it is officially sanctioned as a dual-licenced
LTS release? (maybe they miss some non-GPL bits out of the LTS
releases?)
I don't actually use this code, so I'm very happy if you actually wantIf you're interested in helping out that's always welcome, but feel
to look after it without me sticking my oar in. But equally I can help
out too if you'd prefer to do it that way.
I just tested 3.1.0 and it has the same problem as 3.0.0 with testI believe I encountered this failures once, on my desktop pc, but then continued working on the package on my old laptop, that has a dual core
failures. So I'll pester upstream.
Hmm. And with your 2.28. That's interesting (maybe it's my sbuild
setup?):
The following tests FAILED:
79 - psa_crypto_persistent_key-suite (Failed)
82 - psa_crypto_slot_management-suite (Failed)
84 - psa_crypto_storage_format.current-suite (Failed)
85 - psa_crypto_storage_format.v0-suite (Failed)
86 - psa_its-suite (Failed)
Errors while running CTest
make[2]: *** [Makefile:74: test] Error 8
make[2]: Leaving directory '/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu' dh_auto_test: error: cd obj-x86_64-linux-gnu && make -j12 test ARGS\+=--verbose ARGS\+=-j12 returned exit code 2
We should probably take it off debian-mentors at this point toOps, guess we'll do it in another message :)
discuss the boring details
You changed the watch file to only look for updates to version 2.28,I took inspiration from the nginx packaging, as they do the same thing.
as opposed to updates in general.
So if I run uscan under 2.28 it tells me there are no updates, even
though 3.1.0 is available upstream.
I'm not sure if that's the right thing to do?
Even if we've decided that only LTS releases are going in debian, as a packager I still expect uscan to show me what's available?
Not sure if polcy has anything to say about this?
(also is it really better to rely on the github API than just
downloading files?)
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (2 / 14) |
Uptime: | 85:05:41 |
Calls: | 6,658 |
Calls today: | 4 |
Files: | 12,203 |
Messages: | 5,333,698 |
Posted today: | 1 |