Hi Stuart, thanks for your analysis. On Fri, Jun 20, 2014 at 11:18:18AM +1000, Stuart Prescott wrote: > I'm unconvinced there is a problem to begin with and relicensing like > this states that there is a problem. In some way that then sets a > precedent in the same way an undisputed post to debian-legal is later > used to set a precedent. (I know that's not how Debian is supposed to > work, but with licensing matters, that is the de facto procedure.)
I'm convinced there is a license incompatibility problem with a plain, unconditional, "import hashlib" which is what we had before John's workaround. (But see below for the [non-]authoritativeness of my personal legal opinion on this matter.) OTOH, it seems to me we all agree that the current workaround is sound from the license POV, but suboptimal from a technical standpoint, due to its reliance on an internal interface. Still at the technical level, even though we haven't discussed that explicitly before now, it's hard to dispute that a plain, unconditional, "import hashlib" is the most appropriate solution. The reason I therefore consider relicensing the best option is then that it gives us the best of the two (legal and technical) worlds. > Rather than rushing to relicense, I would rather ask the people whose > opinion really matters on questions of licence compatibility: ftp-masters. I do agree with this, as my legal take on this is certainly not authoritative for Debian-related purposes. The next action here is then contacting ftp-master officially, asking for a ruling, and preferably doing so publicly so that we gain guidance for future instances of this problem. Any volunteer for doing so? (FWIW, I see very unlikely that they rule that unconditional "import hashlib" is fine, so what we can get out of this is probably that some *conditional* scheme for importing hashlib is "fine". If that would result in inducing our users to load, in all but exceptional circumstances, the OpenSSL-licensed hashlib module together with the GPL-licensed debian_support module, I would consider such a "solution" ethically questionable.) > Further, we would also be deciding that all GPL'd users of stdlib's > hashlib, urllib, random, threading, multiprocessing, subprocess, os, > logging, trace, Queue, cookielib, email, uuid, distutils/upload, > imaplib, poplib, ... (and probably others that I missed) were > problematic because each of these standard modules directly or > transitively and sometimes conditionally imports hashlib. (And we'd be > applying that to transitive use too.) Yes: the OpenSSL/GPL incompatibility is a mess, and that's kinda old news :) > One final comment, you would also need to relicense > test_debian_support.py, not just debian_support.py Right, I overlooked that, but I agree they would need to be relicensed too. Cheers. -- Stefano Zacchiroli . . . . . . . [email protected] . . . . o . . . o . o Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o Former Debian Project Leader . . @zack on identi.ca . . o o o . . . o . « the first rule of tautology club is the first rule of tautology club »
signature.asc
Description: Digital signature
-- http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-python-debian-maint
