#998156 contains non-DFSG-free files

Package:
mlton
Source:
mlton
Submitter:
Ryan Kavanagh
Date:
2022-01-04 17:51:15 UTC
Severity:
serious
Tags:
#998156#5
Date:
2021-10-31 03:34:16 UTC
From:
To:
Since at least oldoldoldstable, the mlton sources have included non-free files.
In particular, the tarball lib/ckit-lib/ckit.tgz contains the files
ckit/src/parser/util/error.sml and ckit/src/parser/util/error-sig.sml.  These
files are:

(*
 * Copyright (c) 1996 by Satish Chandra, Brad Richards, Mark D. Hill,
 * James R. Larus, and David A. Wood.
 *
 * Teapot is distributed under the following conditions:
 *
 *     You may make copies of Teapot for your own use and modify those copies.
 *
 *     All copies of Teapot must retain our names and copyright notice.
 *
 *     You may not sell Teapot or distributed Teapot in conjunction with a
 *     commercial product or service without the expressed written consent of
 *     the copyright holders.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 *
 *)

The restriction on distribution in conjunction with a commercial product
or service is in violation of point 6 of the DFSG.

See also the related bug against SML/NJ:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998154
#998156#10
Date:
2021-10-31 17:01:34 UTC
From:
To:
As far as I know, the ckit stuff is just included because it needed
some tweaks to work under MLton.
I don't think that any of "our" stuff depends on it.
I would think that the right solution would be to move it into a
separate package, and that package
would be part of the "non-free" world in Debian.

Matthew: am I correct?
#998156#15
Date:
2021-10-31 17:01:34 UTC
From:
To:
As far as I know, the ckit stuff is just included because it needed
some tweaks to work under MLton.
I don't think that any of "our" stuff depends on it.
I would think that the right solution would be to move it into a
separate package, and that package
would be part of the "non-free" world in Debian.

Matthew: am I correct?
#998156#20
Date:
2021-10-31 17:41:01 UTC
From:
To:
That would work from my point of view.

While we're discussing non-free files, I've found the following
problematic source files so far. Is there anything to indicate that they
can be distributed at all, let alone under the HPND or some other free
license? They're all benchmarks, so they could probably be dropped
without too much impact...

* benchmark/tests/md5.sml:
  Copyright (C) 2001 Daniel Wang. All rights reserved.

  The "All rights reserved" bit and the lack of any licensing
  information makes me skeptical that the file can be distributed at
  all. It could be replaced by Tom7's implementation if you want a
  crypto benchmark:
https://github.com/LenaWil/tom7/tree/master/sml-lib/crypt/MD5

* benchmark/tests/DATA/chess.gml:
  Copyright Leif Kornstaedt, 2000

  This looks like it was taken from an ICFP programming content
  submission, with no clear licensing information:
https://www.ps.uni-saarland.de/helikopter/2000/

* benchmark/tests/zern.sml
  COPYRIGHT (c) 1998 D.McClain/MCFA

  This looks like it was taken from
https://web.archive.org/web/20010215003107/http://www.azstarnet.com/~dmcclain/LanguageStudy.html
  with no clear licensing information.

I'll update this bug report with any other files I find.

Best,
Ryan
#998156#25
Date:
2021-10-31 23:00:47 UTC
From:
To:
Again, I don't think that that is anything used either in MLton
construction or use.
I would tink that if the license can be found and is good enough, like
the ckit stuff, it could go in
a MLton non-free package.  Otherwise, I guess just remove it.
Matthew?
#998156#30
Date:
2021-11-01 13:34:35 UTC
From:
To:
* Henry Cejtin:

I think mlnffigen needs ckit.
#998156#35
Date:
2021-11-01 14:28:28 UTC
From:
To:
(I assume you meant ml-nlffigen.)  ml-nlffigen is part of SML/NJ, not
part of MLton.
#998156#40
Date:
2021-11-01 17:04:08 UTC
From:
To:
* Henry Cejtin:

/usr/bin/mlnlffigen is part of mlton-tools.

I believe the code generation requirements are different for MLton and
SML/NJ.
#998156#45
Date:
2021-11-01 19:55:11 UTC
From:
To:
Your right, but I think (not on the basis of real knowledge) that
ml-nlffigen isn't used in either the compilation
of the MLton compiler, nor by the MLton compiler in compiling user
code.  I thought that it was
for a MLton compiler user to use, and had been tweaked so that the
output was usable by MLton.

I certainly could be wrong about this.
#998156#50
Date:
2021-11-02 22:50:19 UTC
From:
To:
Henry is correct that the MLton compiler (the runtime, basis library
implementation, and compiler proper) do not depend on ckit (or any of the
(re)distributed SML/NJ libraries), the benchmarks, or on mlnlffigen, nor
are those components required for using MLton (unless, of course, the
program being compiled explicitly references them).  If Debian wants to
carve up the packages for MLton in a different way, then that seems fine,
but I'm not inclined to do serious rearrangements of the GitHub repository
or of the source releases that we (upstream) package.  I appreciate the
licensing issue, but consider it fairly low stakes for decades old code.

Florian is correct that MLton has packaged mlnlffigen both out of
convenience (as we have packaged mllex and mlyacc) for users and because
MLton requires the tool to generate slightly different code.
#998156#55
Date:
2021-11-18 18:44:21 UTC
From:
To:
Has there ben any progress on getting MLton packaged for Debian?
Is there anything I can do to help?

I haven't seen anything since Matthew Fluet's response.
#998156#60
Date:
2021-11-18 19:02:14 UTC
From:
To:
Yes. The sticking point is that mlton requires itself or smlnj to
compile itself. The current version of mlton in the archives has been
uninstallable for years, so I've been trying to use smlnj to bootstrap
mlton. This has required some changes to the source and it's still not
completely there.

The right path forward is probably for me to file an issue against the
Github mlton project, and then we can discuss fixing the
smlnj-to-bootstrap-mlton issues there.

Ryan
#998156#67
Date:
2022-01-04 17:49:20 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
mlton, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 998156@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Kavanagh <rak@debian.org> (supplier of updated mlton package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 04 Jan 2022 09:12:48 -0500
Source: mlton
Architecture: source
Version: 20210117+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Ryan Kavanagh <rak@debian.org>
Changed-By: Ryan Kavanagh <rak@debian.org>
Closes: 943118 992099 995467 998156
Changes:
 mlton (20210117+dfsg-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #992099)
   * Repack sources to remove non-DFSG files (Closes: #998156)
     + Extract and apply upstream patches to all nested tarballs while we are
       at it
     + Patch sources to handle missing non-DFSG-free files, 07_DFSG.diff
     + Disable installing mlnlffigen: it requires non-DFSG-free ckit-lib to build
   * Changes to patches:
     + Drop ppc64el.patch: applied upstream
     + Drop linux-pic.diff: no longer needed to successfully compile on amd64
     * Drop stack-hardening.diff: pass in flags via debian/rules instead
     + Rename patches to make application order obvious
     + Add DEP3 headers to all patches
   * Overhaul control file:
     + Move Homepage field from binary stanzas to source stanza
     + Use substvars to eliminate description duplication
     + Split Build-Depends into Build-Depends-Arch/Build-Depends-Indep
     + Drop alternative dependency on mlton-runtime, which has not existed
       since forever
     + Drop build-dependency on quilt and on procps
     + Drop breaks against mlton version now in oldoldoldstable
     + Added Vcs-* tags
     + Drop versioned Build-Depends-Arch on binutils and gcc for mips/mipsel:
       no longer needed
     + Set Rules-Requires-Root: no
     + Bump standards version to 4.6.0
   * Changes to documentation:
     + Updated README.Debian to reflect current mlton requirements
     + Added a README.source to describe repacking and bootstrapping process
   * Set myself as maintainer (Closes: #995467)
   * Documentation-related changes:
     + The mlton guide does not currently build. Temporarily disable building
       it for the sake of getting a working mlton compiler back in the archive
     + Temporarily disable installation of mllex and mlyacc guides
     + Documentation requires a build-dependency on python3-pygments instead of
       python-pygments (Closes: #943118)
     + Reintroduce build-dependency on dblatex
     + Install upstream changelog and readme.
   * Changes to package build process:
     + Switch from CDBS to debhelper
     + Set compat to 13 via debhelper-compat
     + Don't fetch resources from Github during build, 06_local_docs.diff
     + Remember to clean generated files under .cm/
     + Don't automatically run tests during build, 08_postpone_tests.diff
     + Add target to install arch-indep libraries, 09_install-indep.diff, and
       call it from rules
     + dh_missing should ignore
       - files for arch-dependent packages when building
         arch-independent packages
       - upstream license files usr/share/doc/mlton/license/*
   * Update copyright file and switch to DEP5 format
Checksums-Sha1:
 2533e0ae23c88ba148e775652f661c6cedebd3df 4797 mlton_20210117+dfsg-1.dsc
 f447e617f0d383826dbd06b731358e326bfca123 13851708 mlton_20210117+dfsg.orig.tar.gz
 5a90cc44801f4b164cd3d2f2edef5bf990ee368e 20076 mlton_20210117+dfsg-1.debian.tar.xz
 45f293e0d2a214f2b5e799ac3486c99cd9e2143c 11644 mlton_20210117+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 9e7a5e3e2511e56708c8ea39efa1ffb6cb8314be50d89316da1f4a3ac4eb1aed 4797 mlton_20210117+dfsg-1.dsc
 bd9949c2163415fe3094a4468ee8bf0dc96ace69d4b412ed25c8a307e5a81204 13851708 mlton_20210117+dfsg.orig.tar.gz
 8fd8d7d99ce02449e48a5bfe179f052f1ddfb2b4782cb0182aa0bfdac9f1923d 20076 mlton_20210117+dfsg-1.debian.tar.xz
 e013f5b886b01fe8518f008135645bf4211e0ae681997a0c6a442b219760d3d9 11644 mlton_20210117+dfsg-1_amd64.buildinfo
Files:
 2d11f6746570171cca7f4bfb1e2949dd 4797 devel optional mlton_20210117+dfsg-1.dsc
 dedc865ff2de40c71dac93459b154385 13851708 devel optional mlton_20210117+dfsg.orig.tar.gz
 8dd8e4ebba498581cf85d25f70b52f8e 20076 devel optional mlton_20210117+dfsg-1.debian.tar.xz
 28435817f04b51f6e7a4b26f958a64ab 11644 devel optional mlton_20210117+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEP7FHOW9as2zJ9q6CWXuniu1D+jAFAmHUfNwPHHJha0BkZWJp
YW4ub3JnAAoJEFl7p4rtQ/owgccQAIt08pM094yTj+UWfzyoMGOGecd6AXeWfr8a
3Qr1KDPxnSRhTDs0DMRVN0r1+Iro/dom1tQy3ncV05cXXeeCMNEp6OsQTovpXYRH
8KtsgZo3QpRuZ68mwcLoTbuXAmpndaanhHpczhh+3QpO+EOf0zKXkulJybiX+4DB
IkVGTBdeaZKZrb0C3M+9uK6p5tFvlpseutkn5lcKn00UUOPp6DRT/xtICG31u5eU
DXOy3ymdrSIy8IZpjxrY2qM7Rlph6/0PxHRc7eYHU0mcClOM5UV+xPnYq0NXo2UZ
KR5kdGSOrqFqU35uJFRPFViySGyMA9YRDNSxSlrzONAXLEufG8UP3aBPZzc34cX5
w+15pIfmdqC9GymFI6x5n0IM3mfKZRjqnZTDoN6Ov7+jNZB7AeA1Xwq41Gru2fC4
WIlzpOqs2YeyMHZuZHIGwRPA2Rh//Q7IHP3uTABiMi8/Ivm0CkH84ZB6aU0MMurF
9S6IrKXrWG3mXg3UOKBev31PbHo9dINQ1A3S2X7Y/XgTo0N+NfKCGkGpvZ0T+dCp
wUSKeLkx1ltpwigIlNwCRZyfNgrzRumfsS3j5Z6YD0Ap230QxK7rRgB5svaNk3IK
lIeOQ0z67wHmAdwjjezPCBJ7kJP6PxyNR8xhUBnVC1JIwglD5reCPlqu6x6E1r3E
zDKM/Kap
=zX5m
-----END PGP SIGNATURE-----