Olaf Buddenhagen <olafbuddenha...@gmx.net> wrote:

> Sorry for being late to this discussion, but I feel the need to remind
> everyone of the infamous OpenSSL licensing problem, i.e. the fact that
> the SSLeay license it is (partially) covered by is considered
> GPL-incompatible by many -- including (among others) the Debian project.
> This affects not only OpenSSL itself, but also all forks, including
> *ring* AIUI.

Insofar as *ring* is concerned, I believe this is both mostly a non-issue
and also fixable.

Insofar as Debian is concerned, they figured out a way to ship OpenSSL.
AFAICT they could package *ring* the same way, without *ring* needing to
make any changes. That might be a slightly suboptimal configuration, but
you could always use something besides Debian if so.

AFAIU, there is very little SSLeay-licensed code in *ring*. None of it
seems irreplaceable and actually it seems desirable to replace most or all
of it with Rust code under the ISC license anyway.

> In view of this, I believe anything directly or indirectly based on
> OpenSSL and its derivatives cannot be considered a viable option.

Rather than disqualifying things based on non-technical criteria, let's
focus on technical criteria and then see what we can do to fix the
non-technical stuff. The nature of software is that it is malleable;
generally a problem today isn't a problem tomorrow if we're willing to do
work to solve it.

