|
Home > Archive > Debian Developers > August 2005 > RFS: libssh - SSH and SCP library
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
RFS: libssh - SSH and SCP library
|
|
| Jean-Philippe Garcia Ballester 2005-07-04, 5:58 pm |
| Hi everybody,
I'm looking for a sponsor for the libssh package :
* Package name : libssh
Version : 0.11
Upstream Author : "Aris Adamantiadis" <aris@0xbadc0de.be>
* URL : http://www.0xbadc0de.be/?part=libssh
* License : LGPL
Description : SSH and SCP library
The ssh library was designed to be used by programmers needing a
working SSH implementation by the mean of a library. The complete
control of the client is made by the programmer.
With libssh, you can remotely execute programs, transfer files, use a
secure and transparent tunnel for your remote programs. With its
Secure FTP implementation, you can play with remote files easily,
without third-party programs others than libcrypto
The package can be downloaded at http://dgnr.free.fr/repository, or
with apt-get with "deb http://dgnr.free.fr/ repository/"
Thanks,
Jean-Philippe Garcia Ballester
| |
| Junichi Uekawa 2005-07-04, 8:51 pm |
|
Hi,
> The package can be downloaded at http://dgnr.free.fr/repository, or
> with apt-get with "deb http://dgnr.free.fr/ repository/"
=46rom the look of it, your packaging looks wrong.
You're probably creating a package that ignores SONAME versioning.
--- libssh-0.11.orig/debian/shlibs.local
+++ libssh-0.11/debian/shlibs.local
@@ -0,0 +1 @@
+liblibssh 0.11 libssh (>> 0.11-0), libssh (<< 0.11-99)
regards,
junichi
--=20
Junichi Uekawa, Debian Developer http://www.netfort.gr.jp/~dancer/
183A 70FC 4732 1B87 57A5 CE82 D837 7D4E E81E 55C1=20
| |
| Jean-Philippe Garcia Ballester 2005-07-05, 7:54 am |
| On Tue, Jul 05, 2005 at 10:37:00AM +0900, Junichi Uekawa wrote :
>
> Hi,
>
>
> From the look of it, your packaging looks wrong.
> You're probably creating a package that ignores SONAME versioning.
I'm not exactly sure to completely understand what you meant, since I'm
only a beginner, but I tried to correct it. Could you please check it
again?
Thanks anyway for your help
>
>
> --- libssh-0.11.orig/debian/shlibs.local
> +++ libssh-0.11/debian/shlibs.local
> @@ -0,0 +1 @@
> +liblibssh 0.11 libssh (>> 0.11-0), libssh (<< 0.11-99)
--
Jean-Philippe Garcia Ballester
| |
| Junichi Uekawa 2005-07-05, 7:54 am |
| Hi,
>
> I'm not exactly sure to completely understand what you meant, since I'm
> only a beginner, but I tried to correct it. Could you please check it
> again?
> Thanks anyway for your help
I have two comments:
1. It's linking with openssl, and claiming to be LGPL, which
I understand to be incompatible.
2. I think the upstream either doesn't care or much understand
shared library versioning; it's a nascent shared library which
will undergo several revisions of ABI/API changes.
I would consider calling its SONAME 'libssh.so.0' to be
something prone to failure.
[vbcol=seagreen]
A F.A.Q. I assembled for shared libraries in Debian is available here,
it might help you as a starting point:
http://www.netfort.gr.jp/~dancer/co...bpkg-guide.html
regards,
junichi
--
Junichi Uekawa, Debian Developer http://www.netfort.gr.jp/~dancer/
183A 70FC 4732 1B87 57A5 CE82 D837 7D4E E81E 55C1
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Josselin Mouette 2005-07-05, 7:54 am |
| Le mardi 05 juillet 2005 =E0 20:26 +0900, Junichi Uekawa a =E9crit :
> Hi,
>=20
>=20
>=20
> I have two comments:
>=20
> 1. It's linking with openssl, and claiming to be LGPL, which=20
> I understand to be incompatible.
It is compatible.
> 2. I think the upstream either doesn't care or much understand=20
> shared library versioning; it's a nascent shared library which=20
> will undergo several revisions of ABI/API changes.
> I would consider calling its SONAME 'libssh.so.0' to be=20
> something prone to failure.
Yes, it would have to be called libssh-0.11.so.0. libtool can do that
with the -release flag.
--=20
.''`. Josselin Mouette /\./\
: :' : josselin.mouette@ens-lyon.org
`. `' joss@debian.org
`- Debian GNU/Linux -- The power of freedom
| |
| Jean-Philippe Garcia Ballester 2005-07-05, 5:57 pm |
| On Tue, Jul 05, 2005 at 08:26:25PM +0900, Junichi Uekawa wrote :
> Hi,
>
>
>
> I have two comments:
>
> 1. It's linking with openssl, and claiming to be LGPL, which
> I understand to be incompatible.
>
I assume that linking with libcrypto.so and not libssl.so does not
change the problem?
I'll talk to upstream about that, and see if he could add an exception
for linking with openssl, as said in the openssl faq.
>
> 2. I think the upstream either doesn't care or much understand
> shared library versioning; it's a nascent shared library which
> will undergo several revisions of ABI/API changes.
> I would consider calling its SONAME 'libssh.so.0' to be
> something prone to failure.
What I don't understand is that "objdump -p /usr/lib/libssh.so.0 | grep
SONAME" returns 'libssh.so.0'. Doesn't this mean its SONAME is
'libssh.so.0'? If it does, where is the problem?
I set the shared library version to 0.0.0 since it's the first debian
package release.
I was planning to version next release 1.0.0, since interfaces will be
removed and since it will break backward compatibility, independantly
of the version number upstream will give to his release. Is this wrong?
>
>
> A F.A.Q. I assembled for shared libraries in Debian is available here,
> it might help you as a starting point:
> http://www.netfort.gr.jp/~dancer/co...bpkg-guide.html
This and libtool-doc package has been very useful.
I am very grateful for all your help.
--
Jean-Philippe Garcia Ballester
| |
| Josselin Mouette 2005-07-05, 5:57 pm |
| Le mardi 05 juillet 2005 =E0 16:34 +0200, Jean-Philippe Garcia Ballester a
=E9crit :
>=20
> I assume that linking with libcrypto.so and not libssl.so does not
> change the problem?
> I'll talk to upstream about that, and see if he could add an exception
> for linking with openssl, as said in the openssl faq.
There is no need for an exception for LGPL software.
> What I don't understand is that "objdump -p /usr/lib/libssh.so.0 | grep
> SONAME" returns 'libssh.so.0'. Doesn't this mean its SONAME is
> 'libssh.so.0'? If it does, where is the problem?
> I set the shared library version to 0.0.0 since it's the first debian
> package release.
> I was planning to version next release 1.0.0, since interfaces will be
> removed and since it will break backward compatibility, independantly
> of the version number upstream will give to his release. Is this wrong?
It is wrong, because upstream can decide at some point in the future
that the ABI is stable, and then start to call it libssh.so.0 or
libssh.so.1. It is much safer to use libtool' -release flag, so that it
is called libssh-$VERSION.so.0. To achieve that, just use something like
this in Makefile.am:
UP_VERSION=3D$(something that returns 0.11, the current version)
libssh_la_LDFLAGS =3D -release $(UP_VERSION)
Regards,
--=20
.''`. Josselin Mouette /\./\
: :' : josselin.mouette@ens-lyon.org
`. `' joss@debian.org
`- Debian GNU/Linux -- The power of freedom
| |
| Jean-Philippe Garcia Ballester 2005-07-05, 5:57 pm |
| On Tue, Jul 05, 2005 at 04:34:42PM +0200, Jean-Philippe Garcia Ballester wrote :
> On Tue, Jul 05, 2005 at 08:26:25PM +0900, Junichi Uekawa wrote :
>
> I assume that linking with libcrypto.so and not libssl.so does not
> change the problem?
> I'll talk to upstream about that, and see if he could add an exception
> for linking with openssl, as said in the openssl faq.
>
>
> What I don't understand is that "objdump -p /usr/lib/libssh.so.0 | grep
> SONAME" returns 'libssh.so.0'. Doesn't this mean its SONAME is
> 'libssh.so.0'? If it does, where is the problem?
I misread you. Forget what I said.
> I set the shared library version to 0.0.0 since it's the first debian
> package release.
> I was planning to version next release 1.0.0, since interfaces will be
> removed and since it will break backward compatibility, independantly
> of the version number upstream will give to his release. Is this wrong?
>
>
> This and libtool-doc package has been very useful.
> I am very grateful for all your help.
>
--
Jean-Philippe Garcia Ballester
| |
| Jean-Philippe Garcia Ballester 2005-07-05, 5:57 pm |
| On Tue, Jul 05, 2005 at 04:39:14PM +0200, Josselin Mouette wrote :
> Le mardi 05 juillet 2005 ? 16:34 +0200, Jean-Philippe Garcia Ballester a
> ?crit :
>
> There is no need for an exception for LGPL software.
>
>
> It is wrong, because upstream can decide at some point in the future
> that the ABI is stable, and then start to call it libssh.so.0 or
> libssh.so.1. It is much safer to use libtool' -release flag, so that it
> is called libssh-$VERSION.so.0. To achieve that, just use something like
> this in Makefile.am:
>
> UP_VERSION=$(something that returns 0.11, the current version)
> libssh_la_LDFLAGS = -release $(UP_VERSION)
>
I see your point. I tried to fix that. Hope I didn't do it wrong
(again). If someone could check...
Should the package name contain the version number? (like the libssl
packages)
Thanks for your help.
Regards,
--
Jean-Philippe Garcia Ballester
| |
| Josselin Mouette 2005-07-05, 5:57 pm |
| Le mardi 05 juillet 2005 à 18:27 +0200, Jean-Philippe Garcia Ballester a
écrit :
> I see your point. I tried to fix that. Hope I didn't do it wrong
> (again). If someone could check...
I don't understand your modifications. There are differences in the
Makefile.in and configure files, but no differences in the Makefile.am
and configure.ac files. Also, I don't understand the shlibs.local file.
> Should the package name contain the version number? (like the libssl
> packages)
Yes, it should be called libssh-0.11-0.
Regards,
--
.''`. Josselin Mouette /\./\
: :' : josselin.mouette@ens-lyon.org
`. `' joss@debian.org
`- Debian GNU/Linux -- The power of freedom
| |
| Jean-Philippe Garcia Ballester 2005-07-05, 8:48 pm |
| On Tue, Jul 05, 2005 at 07:34:37PM +0200, Josselin Mouette wrote :
> Le mardi 05 juillet 2005 ? 18:27 +0200, Jean-Philippe Garcia Ballester a
> ?crit :
>
> I don't understand your modifications. There are differences in the
> Makefile.in and configure files, but no differences in the Makefile.am
> and configure.ac files. Also, I don't understand the shlibs.local file.
>
The modifications in Makefile.in were made to change the SONAME and
filename of the library (now libssh-0.11.so.0).
I don't remember changing anything in the configure file.
There is indeed no changes in Makefile.am and configure.ac files since
they don't exist.
The shlibs.local was designed to be the shlibs file for the package, but
was useless since the shlibs file used is the one created by
dh_makeshlibs.
>
> Yes, it should be called libssh-0.11-0.
I'd rather call it libssh0.11 or libssh-0.11, since the -0 is the
package version number (I took the libssl0.9.7 package as example :
package name is libssl0.9.7, package version is 0.9.7g-1, and package
filename is libssl0.9.7_0.9.7g-1_i386.deb).
Regards,
--
Jean-Philippe Garcia Ballester
| |
| Jean-Philippe Garcia Ballester 2005-07-06, 7:53 am |
| On Tue, Jul 05, 2005 at 10:24:29PM +0200, Jean-Philippe Garcia Ballester wrote :
> On Tue, Jul 05, 2005 at 07:34:37PM +0200, Josselin Mouette wrote :
>
> The modifications in Makefile.in were made to change the SONAME and
> filename of the library (now libssh-0.11.so.0).
I also did some modifications for creating both shared and static
library, and installing files correctly.
> I don't remember changing anything in the configure file.
The modifications in configure file were made since the upstream
compiled an example binary which I think has nothing to do in the
package.
> There is indeed no changes in Makefile.am and configure.ac files since
> they don't exist.
> The shlibs.local was designed to be the shlibs file for the package, but
> was useless since the shlibs file used is the one created by
> dh_makeshlibs.
>
>
> I'd rather call it libssh0.11 or libssh-0.11, since the -0 is the
> package version number (I took the libssl0.9.7 package as example :
> package name is libssl0.9.7, package version is 0.9.7g-1, and package
> filename is libssl0.9.7_0.9.7g-1_i386.deb).
Regards,
--
Jean-Philippe Garcia Ballester
| |
| Junichi Uekawa 2005-07-06, 8:48 pm |
|
Hi,
>
> I'd rather call it libssh0.11 or libssh-0.11, since the -0 is the
> package version number (I took the libssl0.9.7 package as example :
> package name is libssl0.9.7, package version is 0.9.7g-1, and package
> filename is libssl0.9.7_0.9.7g-1_i386.deb).
You are looking at the wrong part of the wrong package,
because libssl is one of the few exceptional packages which
really do have that soname,
$ objdump -p /usr/lib/libssl.so.0.9.7 | grep SONAME
SONAME libssl.so.0.9.7
Call your package libssh-0.11-0.
Quoting from the libpkg-guide (which itself is a quote from vorlon)
I pointed out to you and you probably have not read yet:
$ objdump -p /path/to/libfoo-bar.so.1.2.3 | sed -n -e's/^[[:space:]]*SONAME[[:space:]]*//p' | sed -e's/\([0-9]\)\.so\./\1-/; s/\.so\.//'
regards,
junichi
--
Junichi Uekawa, Debian Developer http://www.netfort.gr.jp/~dancer/
183A 70FC 4732 1B87 57A5 CE82 D837 7D4E E81E 55C1
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Jean-Philippe Garcia Ballester 2005-07-07, 5:58 pm |
| On Thu, Jul 07, 2005 at 08:36:39AM +0900, Junichi Uekawa wrote :
>
> Hi,
>
>
> You are looking at the wrong part of the wrong package,
> because libssl is one of the few exceptional packages which
> really do have that soname,
>
>
> $ objdump -p /usr/lib/libssl.so.0.9.7 | grep SONAME
> SONAME libssl.so.0.9.7
>
>
>
> Call your package libssh-0.11-0.
This has been corrected. I assume the -0 part is the SONAME major version?
Is there any other mistake?
>
> Quoting from the libpkg-guide (which itself is a quote from vorlon)
> I pointed out to you and you probably have not read yet:
>
> $ objdump -p /path/to/libfoo-bar.so.1.2.3 | sed -n -e's/^[[:space:]]*SONAME[[:space:]]*//p' | sed -e's/\([0-9]\)\.so\./\1-/; s/\.so\.//'
I read it, but my not-so-good english and my lack of sleep made me
misunderstand a lot of things (in this thread and in the guide you
mention). Sorry about that.
I am very grateful for the help you've given and time you spend for me.
Even if this package is not perfect, and if I don't find a sponsor in
the end, I at least learnt a lot of things.
Regards
--
Jean-Philippe Garcia Ballester
| |
| Josselin Mouette 2005-07-07, 5:58 pm |
| Le vendredi 08 juillet 2005 à 06:46 +0900, Junichi Uekawa a écrit :
>
> Are you sure?
> People were running around GPL is not compatible with
> openssl license; and LGPL has a option to make the
> code GPL.
The point of the LGPL is to avoid such incompatibilities. If you can
link it with proprietary code, you can also link it to code under the
OpenSSL license.
That said, I think too we should favor libgcrypt, because it has a
lighter security record.
--
.''`. Josselin Mouette /\./\
: :' : josselin.mouette@ens-lyon.org
`. `' joss@debian.org
`- Debian GNU/Linux -- The power of freedom
| |
| Junichi Uekawa 2005-07-07, 5:58 pm |
| Hi,
>
> It is compatible.
Are you sure?
People were running around GPL is not compatible with
openssl license; and LGPL has a option to make the
code GPL.
Note that it's:
libssl = GPL
libcrypto = openssl license
Jean:
I'd ask upstream to use libgcrypt; gcrypt release engineering
is not my favorite, since they seem to change SONAME
quite often, but at least it's under GPL;
and everythingg libssl needs is there.
regards,
junichi
--
Junichi Uekawa, Debian Developer http://www.netfort.gr.jp/~dancer/
183A 70FC 4732 1B87 57A5 CE82 D837 7D4E E81E 55C1
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Jean-Philippe Garcia Ballester 2005-07-08, 7:49 am |
| On Thu, Jul 07, 2005 at 11:56:51PM +0200, Josselin Mouette wrote :
> Le vendredi 08 juillet 2005 ? 06:46 +0900, Junichi Uekawa a ?crit :
>
> The point of the LGPL is to avoid such incompatibilities. If you can
> link it with proprietary code, you can also link it to code under the
> OpenSSL license.
>
> That said, I think too we should favor libgcrypt, because it has a
> lighter security record.
I mailed him about that and SONAME versionning.
Regards,
--
Jean-Philippe Garcia Ballester
| |
| Gustavo Noronha Silva 2005-07-09, 7:47 am |
| Hey,
Em Ter, 2005-07-05 Ã_s 10:37 +0900, Junichi Uekawa escreveu:
> --- libssh-0.11.orig/debian/shlibs.local
> +++ libssh-0.11/debian/shlibs.local
> @@ -0,0 +1 @@
> +liblibssh 0.11 libssh (>> 0.11-0), libssh (<< 0.11-99)
I don't get the << 0.11-99. Why would you add this?
See ya,
--
kov@debian.org: Gustavo Noronha <http://people.debian.org/~kov>
Debian: <http://www.debian.org> * <http://www.debian-br.org>
| |
| Jean-Philippe Garcia Ballester 2005-07-09, 7:48 am |
| On Fri, Jul 08, 2005 at 02:32:27PM +0200, Jean-Philippe Garcia Ballester wrote :
> On Thu, Jul 07, 2005 at 11:56:51PM +0200, Josselin Mouette wrote :
>
> I mailed him about that and SONAME versionning.
I got his reply. As Junichi thought, he doesn't know about SONAME
versionning. I pointed to him chapter 6 of the libtool manual.
He said he's only using "basic cryptographic stuff from libcrypto,
which are less likely to have security problems." As he has been
approved by google's "Summer of Code", the next two months' work will
only be functionnality adds. Changing cryptographic library is not a
priority, but at queue of the TODO.
Regards,
--
Jean-Philippe Garcia Ballester
| |
| Peter Samuelson 2005-07-10, 2:52 am |
|
[Gustavo Noronha Silva]
>
> I don't get the << 0.11-99. Why would you add this?
I imagine he meant (<< 0.12). On the theory that since upstream is
using 0.11 as the soname, upstream 0.12 will probably be incompatible.
| |
| Junichi Uekawa 2005-07-10, 2:52 am |
|
Hi,
>
> The point of the LGPL is to avoid such incompatibilities. If you can
> link it with proprietary code, you can also link it to code under the
> OpenSSL license.
Hmm... you can use a LGPL library, but a LGPL library cannot use
a non-compliant library. That's how LGPL exception works.
regards,
junichi
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Junichi Uekawa 2005-07-10, 2:52 am |
| > > > That said, I think too we should favor libgcrypt, because it has a
>
> I got his reply. As Junichi thought, he doesn't know about SONAME
> versionning. I pointed to him chapter 6 of the libtool manual.
> He said he's only using "basic cryptographic stuff from libcrypto,
> which are less likely to have security problems." As he has been
> approved by google's "Summer of Code", the next two months' work will
> only be functionnality adds. Changing cryptographic library is not a
> priority, but at queue of the TODO.
You could do that kind of dirty work for him;
I think that's essential for inclusion into Debian archive.
Here's a link to a related work I've done before, which might
be helpful:
http://kerneltrap.org/mailarchive/1...ge/53065/thread
regards,
junichi
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Josselin Mouette 2005-07-12, 7:56 am |
| Le dimanche 10 juillet 2005 =E0 14:01 +0900, Junichi Uekawa a =E9crit :
>=20
> Hmm... you can use a LGPL library, but a LGPL library cannot use=20
> a non-compliant library. That's how LGPL exception works.
Quite untrue. The LGPL doesn't make any difference between those two
cases.
Regards,
--=20
.''`. Josselin Mouette /\./\
: :' : josselin.mouette@ens-lyon.org
`. `' joss@debian.org
`- Debian GNU/Linux -- The power of freedom
| |
| Junichi Uekawa 2005-07-12, 5:57 pm |
| Hi,
>
> Quite untrue. The LGPL doesn't make any difference between those two
> cases.
>
But that will disallow one option that should be granted through
the use of LGPL: the option to use GPL.
regards,
junichi
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Peter Makholm 2005-07-12, 5:57 pm |
| Junichi Uekawa <dancer@netfort.gr.jp> writes:
>
> But that will disallow one option that should be granted through
> the use of LGPL: the option to use GPL.
Not really. You can still take libssh and mak a derived work of it
using GPL as you license. One thing you have to do is to replace the
depencies of openssl with libcrypt.
--
Peter Makholm | Sit back and watch the messages. This is actually
peter@makholm.net | more important than one might think as there is a
http://hacking.dk | bug in GNU Mach whereby hitting a key during the
| boot process causes the kernel to panic
| -- GNU Hurd Installation Guide
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Jean-Philippe Garcia Ballester 2005-08-13, 5:51 pm |
| On Sun, Jul 10, 2005 at 02:04:32PM +0900, Junichi Uekawa wrote :
>
> You could do that kind of dirty work for him;
I've started doing it. It's a bit difficult since I knew nothing about
cryptography, but it's nearly finished. The main problem is that
upstream use libcrypto functions for reading DSA and RSA private key
files that have no equivalent in libgcrypt. I've started to look
libcrypto source to see how they work, but it seems complicated. Should
I try to understand libcrypto code and adapt it to libssh?
Regards,
--
Jean-Philippe Garcia Ballester
| |
| Jean-Philippe Garcia Ballester 2005-08-29, 6:00 pm |
| Hi,
>
> Considering they should be really necessary for decent crypto;
> I would dig up code from the existing ssh implementations.
By using libcrypto code and websites, I managed to rewrite the code that
was missing. Hope I didn't do this to ugly.
I updated my packages (deb http://dgnr.free.fr/ repository/)
So I ask for RFS again, if nobody complains about it.
Regards,
--
Jean-Philippe Garcia Ballester
|
|
|
|
|