I'm packaging greenmail, but the package review discovered that greenmail bundles some source from 2 other projects: Foedus and James. Greenmail is a fake e-mail server that intends to ease testing of things that need to talk to an e-mail server. The included source from the 2 projects has been heavily modified for this task and isn't usable as a real e-mail server nor by any other package.
I would like a bundling exception so I can complete my packaging efforts with greenmail.
At last week's meeting, FPC okay'd the use of foedus:
We were less sure about james and wanted the following information:
These changes have not been pushed upstream because they are useless to the upstream project. Similarly they would be useless to the maintainer of the James package in Fedora.
Could we make the forked version the canonical version within Fedora?
No. Greenmail only copies a portion of the James code base. Using the greenmail version of the copied code would result in a non-functional James e-mail server.
Are the changes useful to consumers other than the bundling application?
No. Greenmail is a library for testing applications that communicate with e-mail servers. It is only a fake e-mail server and can not operate as a real e-mail server.
Is upstream keeping the base library updated or are they continuously one or more versions behind the latest upstream release?
Upstream took a snapshot of code from James and is updating it independently for greenmail needs. I have attached a diff of the updates in the James identified code from greenmail 1.0-1.3.1b. Greenmail has never re-based to newer versions of James nor does it appear they have included any changes from upstream.
What is the attitude of upstream towards bundling?
I sent an e-mail to upstream's mailing list, but haven't gotten a response yet. There hasn't been a message on the list since 2010 though.
Overview of the security ramifications of bundling
Low. Greenmail isn't an e-mail server nor does it require administrator access for anything. It is simply a test tool.
Does the maintainer of the Fedora package of the library being bundled have any comments about this?
James is not packaged in Fedora. There is an apache-james-project package, but this is not the full James source from upstream. It appears to only be some pom files.
Is there a plan for unbundling the library at a later time?
No. There is no use to upstream or Fedora in unbundling the james source.
Diff between Greenmail 1.0 & James 2.2.0
Diff of James modified source from Greenmail 1.0 -> 1.3.1b
The oldest release of greenmail with source I could find was 1.0, which had already included the James source. The copyright headers are dated 2006, which seemed to correspond well with James 2.2.0 or 2.3.0. I compared the bundled source with numerous James 2.1.x releases, 2.2.0, and 2.3.0, and 2.2.0 seems the most likely candidate. Most of the source file names are the same and the time line matches well with copyright header dates. James 2.3.0 was released late 2006 and has a completely different set of files.
Additionally there are 5 files that identify themselves as being from the James source but I was unable to find anything similar in James 2.2.0. It's possible these files have incorrect header information or have been changed so much as to not resemble anything currently in 2.2.0. They are:
Relevant code diff
The straight source comparison produced a diff with a lot of noise (changes in comments, style changes, etc), so I attempted to remove all the noise and reduce the diff to just the changes in code that are relevant.
We started voting on this at the meeting but lacked quorum:
Proposal: greenmail's use of james is considered a fork and therefore allowed.
Thoughts from the meeting: james is an application (so wouldn't be directly usable). james is a real imap server, greenmail is a fake imap server for testing (so there's a difference in purpose). greenmail based work on an older release of james and has been making code changes to it ever since (so there's a large divergence).
+1 from me.
Remi's +1 makes 5:
Since both of these libraries were approved as forks, you can proceed with your packaging efforts and don't have to do anything special in the greenmail.