Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 26/03/17 01:01, Walter Landry wrote:
> Florian Weimer  wrote:
>>> #5 Declare GMP to be a system library.
>>>
>> (snip)
>>
>>> #5 was how Fedora looked at the OpenSSL library issue. Since Debian
>>> has another viewpoint on OpenSSL I somehow doubt we would use it for
>>> GMP.
>>
>> I would like to suggest to treat more libraries as eligible for the
>> system library exception within Debian.
> 
> The traditional interpretation as I understand it is that nothing
> Debian ships qualifies for the the system exception.  This is because
> Debian ships everything together, and the system exception only
> applies for components that do not accompany the executable.
> 

Debian ships everything together? Really?
Then why we need repositories and apt-get at all?


I think that any package that is essential for the base OS
(aka Priority: required) should qualify for the system exception.




signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 14:31, Ian Jackson wrote:
> Carlos Alberto Lopez Perez writes ("Re: System libraries and the GPLv2"):
>> However, I still don't understand why we don't just declare OpenSSL a
>> system library; or at least define a clear policy for when a package is
>> considered part of the base system (so the GPL system exception applies
>> to it).
> 
> I think the GPL system library exception does not apply for the
> benefit of anything on a DVD image.  Since we want downstreams to be
> able to make arbitrary DVD( image)s containing whatever bits (of main)
> that they like, and distribute them, we cannot rely on the system
> library exception for anything in Debian.
> 
> Ian.
> 

Let me you remember DFSG number 9 [1]:

* License Must Not Contaminate _Other_ Software

The license must not place restrictions on other software that is
distributed along with the licensed software. For example, the
license must not insist that all other programs distributed on the
same medium must be free software.

And also point you to my previous answer to Dmitry:

 https://lists.debian.org/debian-legal/2017/03/msg00042.html


Shipping a collection of software on a DVD doesn't make any of this
pieces of software a derivative works one of the other.


[1] https://www.debian.org/social_contract




signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 10:44, Jonas Smedegaard wrote:
> Quoting Carlos Alberto Lopez Perez (2017-03-30 05:08:24)
>> On 30/03/17 03:11, Clint Byrum wrote:
>>> Excerpts from Carlos Alberto Lopez Perez's message of 2017-03-30 02:49:04 
>>> +0200:
>>>> I understand that Debian wants to take a position of zero (or 
>>>> minimal) risk, and I also understand the desire to respect the 
>>>> interpretation of the FSF about the GPL (they don't think this two 
>>>> licenses are compatibles).
>>>>
>>>
>>> I believe that this is a fundamental difference between RedHat and 
>>> Debian.
>>>
>>> RedHat is going to do everything within the law and inside their 
>>> values for a profit. Their values don't include a strict adherence 
>>> to the wishes of copyright holders, but strict adherence to the law.
>>>
>>> But our values do include respect for copyright holder rights. So 
>>> while we can probably get away with this legally, it's been decided 
>>> (a few times?) that without the GPL licensor's consent, we can't in 
>>> good faith produce a combination of OpenSSL and a GPL program.
>>>
>>
>> Just a simple question:
>>
>> Do you (or anyone else) _really_ think the copyright holders of the 
>> GPL program in question had any intention ever of not allowing their 
>> program to be used along with OpenSSL, when they where the ones 
>> implementing support for using it on the first place?
> 
> Yes, I believe so.
> 
> As a concrete example, the Netatalk project has for many years released 
> code with plugins linking to OpenSSL, but has not added an exception.  
> Authors of Netatalk try to make a living out of commercial support for 
> their product, and I genuinely think it is in their interest to make it 
> possible to use strong crypto - for personal use - but not allow 
> redistribution of binaries with strong crypto.
> 
> 
>  - Jonas
> 

Do you have any link or resource that can back what you say here?

I didn't knew about the Netatalk project, but after Googling about this
issue I only see an upstream frustrated because they are unable to
re-license [1], as they are unable to contact all the contributors the
project has.

As you can imagine, any successfully open source project will accumulate
hundreds of contributors along the years (at least 17 years [2] in this
case). Contacting them may be simple just impossible (people change of
email address all the time, people also pass away, and people can just
simply ignore the mail because they are busy with some other stuff).

On top of that, the incentive to take into doing this hard work is not
very big, as either not all downstreams take this issue with the GPL and
OpenSSL as far as Debian, or they include OpenSSL as a system library.

I also see Netatalk was shipped until Fedora 23 with OpenSSL support!
[3], until it was retired because nobody cared to keep maintaining it [4].

IMHO: if your business model is to sell pre-built binaries with some
feature, its better that you keep this feature with the right license
that prohibits distributing it and forces everyone to build from
sources, rather than relying on some incompatibility between the GPL and
OpenSSL that is not going to stop anyone but Debian and its derivatives
from shipping it.


Regards
---

[1]
https://lists.debian.org/debian-legal/2004/08/msg00184.html
https://sourceforge.net/p/netatalk/feature-requests/33/
[2]
https://github.com/Netatalk/Netatalk/commit/31843674b7bd32eabcce3a1ad6159b4f94921f79#diff-cf45edbe4d45d61b0f0ce5e9eaeb38bcR82
[3]
http://pkgs.fedoraproject.org/cgit/rpms/netatalk.git/tree/netatalk.spec?h=f23#n84
[4]
http://pkgs.fedoraproject.org/cgit/rpms/netatalk.git/commit/?id=81611ededd7b668145715779723c60d84ef74003



signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 21:09, Russ Allbery wrote:
> Lars Wirzenius  writes:
> 
>> Instead, I'll repeat that licenses shouldn't be violated. One way of
>> achieving that is to ask copyright holders for additional permissions
>> that are needed to avoid a violation.
> 
> The problem with this approach, though, is that many of us have tried this
> with GPL software that links against OpenSSL and have been told that we're
> being pedantic, wasting the maintainer's time, and they aren't going to
> include any such specific license grant because they're not lawyers,
> aren't going to mess with licenses, no one else has this problem, and
> Debian needs to pull the stick out of its ass.
> 
> Now one can just say "well, we don't want to package software from
> maintainers like that anyway," but often those people are perfectly
> reasonable on many other topics and quite good upstreams.  We are widely
> viewed as out of step with the community on this specific point, whether
> reasonably or unreasonably.
> 
> I'm not saying we're wrong, necessarily, but the way that Debian interacts
> with software licenses is truly not the way that nearly everyone else
> interacts with software licenses.  We have non-lawyers with no legal
> training read them carefully and attempt to apply their rules as if they
> were written in normal English, very precisely.  (In other words, we treat
> them like they're computer programs.)  Very, very few people outside of
> Debian do this.  Elsewhere, people largely divide into two camps: a quick
> skim looking for obvious issues followed by "meh, good enough," or review
> by an actual lawyer who is making a legal decision based on legal
> interpretation, case law, and a risk analysis.
> 
> I think we normally arrive at reasonable conclusions, but sometimes we do
> arrive at conclusions that neither of those other two camps reach, and
> then we can look oddly out of touch.
> 

Couldn't agree more with you.

Programmers shouldn't try to interpret corner cases on licenses,
or judge about license compatibility.

What the text of a license says is never interpreted word by word by a
lawyer or a tribunal. The intention is also very important.

And when you release a software that uses OpenSSL, there is a clear
intention in that fact that you allow to use OpenSSL. After all, you
have implemented support for it.

I think we should try to consult more with lawyers when we have doubts,
or when there is a disagreement about licenses in general.

It worked for the ZFSOnLinux case.
I think it can work also for this system library exception issue.

My 2 cents.



signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 21:29, Don Armstrong wrote:
> On Thu, 30 Mar 2017, Carlos Alberto Lopez Perez wrote:
>> * License Must Not Contaminate _Other_ Software
> 
> A work which is a derivative work of another piece of software isn't
> merely distributed alongside.
> 
>> Shipping a collection of software on a DVD doesn't make any of this
>> pieces of software a derivative works one of the other.
> 
> Precisely. It only has bearing on whether the system library exception
> to derivative works applies.
> 

It should apply.

Fedora and RHEL ship also DVD images, and they do use this system
exception clause of the GPL for linking with OpenSSL.

If you are still not sure, lets consult this with a lawyer instead of
trying to argue about the wording of a license.



signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 08:05, Andrey Rahmatullin wrote:
> On Wed, Mar 29, 2017 at 11:10:01PM +0200, Carlos Alberto Lopez Perez wrote:
>> Apache 2.0 is compatible with GPLv3 [1] (therefore also with GPLv2+).
> It's more complicated than "therefore also".
> Imagine a GPL2+ program library linked with a GPL2 library. Now also link
> this program with an Apache 2.0 library. What happens?
> 
I agree its more complicated. But usually what happens is this:

For several Linux distributions: nothing happens because they have
already declared OpenSSL a system library.

For Debian: the maintainer reports a bug to the author of the GPLv2
library so they add an exception to link with the OpenSSL. The upstream
maintainer either can't do that because its unable to contact every
author of the software or doesn't care and thinks this is a Debian
specific issue. The Debian maintainer either abandons here or takes into
the task of implementing a patch that uses libgcrypt or similar instead
of OpenSSL. It can happen that the Debian maintainer simply disables the
feature that uses OpenSSL (if that is an option)




signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 29/03/17 15:58, Dmitry Alexandrov wrote:
>> On 26/03/17 01:01, Walter Landry wrote:
>>> Florian Weimer  wrote:
> #5 Declare GMP to be a system library.
>
 (snip)

> #5 was how Fedora looked at the OpenSSL library issue. Since Debian
> has another viewpoint on OpenSSL I somehow doubt we would use it for
> GMP.

 I would like to suggest to treat more libraries as eligible for the
 system library exception within Debian.
>>>
>>> The traditional interpretation as I understand it is that nothing
>>> Debian ships qualifies for the the system exception.  This is because
>>> Debian ships everything together, and the system exception only
>>> applies for components that do not accompany the executable.
>>>
>>
>> Debian ships everything together? Really?
> 
> Yes.  http://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/
> 
> 

I don't see there an image named 
debian-8.7.1-amd64-DVD-X_free-but-GPL-incompatible.iso 

So... does this means that we are actually *now* shipping OpenSSL with
GPL software on the same DVD?

How do you propose we fix this?




signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 29/03/17 19:37, Francesco Poli wrote:
> On Wed, 29 Mar 2017 14:49:48 +0200 Carlos Alberto Lopez Perez wrote:
> 
> [...]
>> I think that any package that is essential for the base OS
>> (aka Priority: required) should qualify for the system exception.
> 
> Well, for the record, package libssl1.0.2 is Priority: important,
> hence, even with this criterion, it would not qualify...
> 
> 

Right.

But the policy itself still makes a lot of sense (IMHO), and it can be
useful for more libraries other than OpenSSL.

Hopefully OpenSSL will re-license soon to Apache 2.0.
Then it may [1] be "only" incompatible with GPLv2-only software.
But in the worst case, it will be compatible with GPLv2+ and GPLv3.


Regards
---

[1]
IANAL
https://mta.openssl.org/pipermail/openssl-dev/2017-March/009178.html



signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 29/03/17 22:28, Andrey Rahmatullin wrote:
> On Wed, Mar 29, 2017 at 09:58:07PM +0200, Carlos Alberto Lopez Perez wrote:
>> So... does this means that we are actually *now* shipping OpenSSL with
>> GPL software on the same DVD?
> This is permitted, or are you joking?
> 
> 
> 

Yes

It was a sarcastic answer to Dmitry claim that Debian ships everything
together because of those DVD images.



signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 29/03/17 22:25, Brian May wrote:
> Carlos Alberto Lopez Perez <clo...@igalia.com> writes:
> 
>> But in the worst case, it will be compatible with GPLv2+ and GPLv3.
> 
> I am not sure I see this as the worst case situation. Or maybe you meant
> to write "incompatable"?
> 

No.

Apache 2.0 is compatible with GPLv3 [1] (therefore also with GPLv2+).
That is a fact, and its the worst case situation (assuming that the
re-license to Apache 2.0 actually happens)

I know that the FSF holds the view that Apache 2.0 is not compatible
with GPLv2 [1]. But, at the same time I have read that "many prominent
open source lawyers consider the GPLv2 and Apache 2 licenses to be
compatible already" [2].

So, the best case situation (IMHO) would be that a lawyer tell us that
Apache 2.0 is also compatible with GPLv2-only, and that we stop playing
the game of being amateur lawyers instead of software developers.


Regards.


[1]
https://www.gnu.org/licenses/license-list.en.html#apache2

[2]
http://lists.llvm.org/pipermail/llvm-dev/2016-September/104778.html



signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 03:11, Clint Byrum wrote:
> Excerpts from Carlos Alberto Lopez Perez's message of 2017-03-30 02:49:04 
> +0200:
>> On 30/03/17 00:24, Philipp Kern wrote:
>>> On 03/29/2017 11:10 PM, Carlos Alberto Lopez Perez wrote:
>>>> So, the best case situation (IMHO) would be that a lawyer tell us that
>>>> Apache 2.0 is also compatible with GPLv2-only, and that we stop playing
>>>> the game of being amateur lawyers instead of software developers.
>>>
>>> But that's not how the law works in the US. Without actual litigation
>>> and precedent, the most you'll get is a risk assessment of getting sued
>>> and your likelihood of winning if so. :)
>>>
>>> Kind regards and IANAL
>>> Philipp Kern
>>>
>>>
>>
>> Right. That is how it also works in Spain, and I suspect that in many
>> other countries work the same way.
>>
>> I understand that Debian wants to take a position of zero (or minimal)
>> risk, and I also understand the desire to respect the interpretation of
>> the FSF about the GPL (they don't think this two licenses are compatibles).
>>
> 
> I believe that this is a fundamental difference between RedHat and Debian.
> 
> RedHat is going to do everything within the law and inside their values
> for a profit. Their values don't include a strict adherence to the wishes
> of copyright holders, but strict adherence to the law.
> 
> But our values do include respect for copyright holder rights. So while
> we can probably get away with this legally, it's been decided (a few
> times?) that without the GPL licensor's consent, we can't in good faith
> produce a combination of OpenSSL and a GPL program.
> 

Just a simple question:

Do you (or anyone else) _really_ think the copyright holders of the GPL
program in question had any intention ever of not allowing their program
to be used along with OpenSSL, when they where the ones implementing
support for using it on the first place?




signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 00:26, Josh Triplett wrote:
> Carlos Alberto Lopez Perez wrote:
>> On 26/03/17 01:01, Walter Landry wrote:
>>> Florian Weimer <f...@deneb.enyo.de> wrote:
>>>>> #5 Declare GMP to be a system library.
>>>>>
>>>> (snip)
>>>>
>>>>> #5 was how Fedora looked at the OpenSSL library issue. Since Debian
>>>>> has another viewpoint on OpenSSL I somehow doubt we would use it for
>>>>> GMP.
>>>>
>>>> I would like to suggest to treat more libraries as eligible for the
>>>> system library exception within Debian.
>>>
>>> The traditional interpretation as I understand it is that nothing
>>> Debian ships qualifies for the the system exception.  This is because
>>> Debian ships everything together, and the system exception only
>>> applies for components that do not accompany the executable.
>>>
>>
>> Debian ships everything together? Really?
>> Then why we need repositories and apt-get at all?
>>
>>
>> I think that any package that is essential for the base OS
>> (aka Priority: required) should qualify for the system exception.
> 
> The literal text of the GPLv2 would not allow that:
> 
>> However, as a
>> special exception, the source code distributed need not include
>> anything that is normally distributed (in either source or binary
>> form) with the major components (compiler, kernel, and so on) of the
>> operating system on which the executable runs, unless that component
>> itself accompanies the executable.
> 
> Emphasis on "unless that component itself accompanies the executable".
> 
> The intention of the system library exception is to allow third
> parties to ship Free Software on proprietary platforms, while pointedly
> *disallowing* the vendor of the proprietary platform from doing so. As
> historical precedent, note that some vendors explicitly provided
> entirely separate media containing GNU applications, in order to satisfy
> that requirement.


Are you a lawyer?

In that case maybe you can explain me how is that RedHat (a company that
makes billions of dollars worth of revenue and that is clearly much more
interesting to sue than Debian if your intention when suing is seeking
some economic compensation), is shipping GPL software (pure GPL --
without any OpenSSL linking exception on the license) and linked with
OpenSSL, by simply declaring OpenSSL a system library, and nobody has
still sued (or complained to) them for doing that? [1]

And if you are not a lawyer (I am not), then I suggest we (the Debian
project) seek for legal advice regarding whether is ok to do this or not.

We did this after the ZFSonLinux package was blocked for years on the
NEW queue because there was a disagreement whether shipping it was ok or
not. And the lawyers from SFLC told us that shipping it t was ok [2].


[1]
The FAQ is from Fedora, but the same applies to RHEL
https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F
https://www.openssl.org/docs/faq.html#LEGAL2
[2]
https://lists.debian.org/debian-devel-announce/2015/04/msg6.html



signature.asc
Description: OpenPGP digital signature

Re: System libraries and the GPLv2

[Carlos Alberto Lopez Perez]

On 30/03/17 00:24, Philipp Kern wrote:
> On 03/29/2017 11:10 PM, Carlos Alberto Lopez Perez wrote:
>> So, the best case situation (IMHO) would be that a lawyer tell us that
>> Apache 2.0 is also compatible with GPLv2-only, and that we stop playing
>> the game of being amateur lawyers instead of software developers.
> 
> But that's not how the law works in the US. Without actual litigation
> and precedent, the most you'll get is a risk assessment of getting sued
> and your likelihood of winning if so. :)
> 
> Kind regards and IANAL
> Philipp Kern
> 
> 

Right. That is how it also works in Spain, and I suspect that in many
other countries work the same way.

I understand that Debian wants to take a position of zero (or minimal)
risk, and I also understand the desire to respect the interpretation of
the FSF about the GPL (they don't think this two licenses are compatibles).

So that's fine.


However, I still don't understand why we don't just declare OpenSSL a
system library; or at least define a clear policy for when a package is
considered part of the base system (so the GPL system exception applies
to it).

RedHat did this (see me previous (by date) mail on this thread), and
they didn't had any problem in this regard (AFAIK).



signature.asc
Description: OpenPGP digital signature