Hi Gary,

On Friday 15 February 2008, Gary Koskenmaki wrote:
> Why was the subject of this email completely dropped from the
> Debian archives? This is an extremely useful tool. I understand
> why it isn't in main, but why couldn't it just have been moved to
> non-free rather than being dropped? Debian carries completely
> proprietary packages such as flash, ati drivers, nvidia drivers,
> etc... so why the complete dropping of such an excellent security
> tool?

The problem is that modsecurity is licensed under GPL v2, which is not compatible with the Apache license 2.0. It is not allowed to distribute Apache 2 and modsecurity together, and (AIUI) Debian thinks that even if modsecurity were put into non-free, it would still be distributed together with Debian main, which includes Apache 2.

From http://www.thinkingstone.com/about/legal/licensing-clarifications.html:

"However, it is not possible to combine ModSecurity licensed under GPLv2 with the Apache web server and distribute the combination. There is an incompatibility between GPLv2 and the Apache licences that is triggered when distribution takes place."

From https://bugs.launchpad.net/ubuntu/+source/libapache-mod-security/+bug/19832:

"Actually, Alberto González did contact upstream, who stated he isn't willing to change the licence, and the conflict between them is on purpose (business decision)."

> I don't really understand the logic of the decision in the context
> of non-free repositories being available.

It's the decision of the modsecurity authors. Also, Debian non-free does not have security support. Distributing a security tool that might need security updates in non-free would be suboptimal anyway.

Cheers,
Stefan