Greg Freemyer
Per this bugzilla libcdio has been a problem for about 4 years
Thank you! This is exactly the information I was pointing to before, and it seems to have the right time stamps as well. The license problem was discovered by Sun legal in Autumn 2006, and Spring 2007 was the time when we had the first working replacement code, based on software with no license problems, that in addition removes the security related issues from libcdio. The replacement code is in libgstcdda2wav.so and it is based on calling "cdda2wav" via three pipes, so the need for being root is encapsulated inside the carefully audited cdda2wav code. Cdda2wav has been enhanced by a new option "-interactive" to permit remotely controlling cdda2wav from libgstcdda2wav.so.

Libcdio has not just a single problem, it is full of problems. Let me mention all problems that I am currently aware of:

- It is under GPLv2 but it is usually called from LGPL code. If you believe in the idiosyncratic GPL interpretation from the FSF, this is a license combination that is impossible. Note that as libcdio is published by the FSF, there is a high risk of being sued...

- It includes code from cdda2wav that is under "GPLv2 only" and that was relicensed without permission. This is a clear Copyright violation.

- It combines code from various other projects that has never been developed for a library, so it is a piece of muck... from a software engineering perspective.

- Its function is based on a Linux security bug. This security bug was introduced around Spring 2004 by an inexperienced hacker who enhanced the "sg" driver without understanding how it prevented security related problems before. Before the change, you had to be root in order to be able to open the device node and then could send commands as a normal user. After that change, any user could open the device and any user could send any SCSI command to any SCSI device. Instead of fixing the security problem, Linus Torvalds just made the security hole less wide open and limited the SCSI commands that could be sent that way. This hacky way of dealing with a serious bug unfortunately introduced a Linux self-incompatibility of the underlying interface, and many problems arose in Linux from people who do not understand the results of that change. Libcdio thus requires the application that calls libcdio to have root privileges if it runs on an OS without that security issue. This however would usually result in being forced to run an X11 application as root, which is seen as a serious security problem that should never happen.

- After it became obvious in Spring 2001 that cdparanoia had reached the end of its development cycle, I decided to create "libparanoia" from the relevant parts of the code in April 2002, and Heiko Eißfeld and I integrated libparanoia calls into cdda2wav. The original code from cdparanoia did only work on Linux and it compiled only using GCC, as it depends on non-standard language extensions from GCC. I took the code from cdparanoia and made it highly portable, converted it into clean C code so it compiles with any C compiler, and I converted the interfaces to create a clean library interface. In February 2006, I kindly asked Monty (the original code author) for a less restrictive license than GPLv2 and I got the permission to convert my version of the code to LGPL-2.1. After the code in libparanoia was a clean library with a clean and permissive license, and after many small bugs had been fixed in the code by me, some other people decided to do similar work - but they did not make the code portable, they did not remove the GCC specific code and they did not change the calling conventions, so their code is not reentrant and their code will not work with the Apple linker.... They called their "lib" libcdparanoia, and this non-portable code (still under GPLv2) is used by libcdio instead of the libparanoia I created.

So be careful when talking about libparanoia, as there is a serious risk of confusing two very different results from the original cdparanoia code.
Comment 26 says they moved it into an "ugly" directory but left it in.
https://bugzilla.gnome.org/show_bug.cgi?id=413705#c26
I have no other knowledge. I just decided to do a little googling.
The comment you refer to is based on a misunderstanding. You don't have a solution for the underlying problems; see e.g. my explanations on libparanoia from above.

Jörg

--
EMail: joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
js@cs.tu-berlin.de (uni)
joerg.schilling@fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/
URL: http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily