OK, I've read over these some more, and I've thought of a possible workaround.  
Being a not-a-lawyer, these may be braindead.  They can be used together.

1) Create a non-free optional package section.  Make ALL code that depends on 
OpenSSL do so as an option.  And where the option should really be exercised, 
complain to the user.

2) When the user installs OpenSSL, before anything happens, output the advert, 
and give a blurb about GPL incompatibility.  Then, make the user cancel or 
acknowledge that they understand the issue at hand and know where to find the 
OpenSSL license.

Still, I think we should immediately take down links to any version which 
violates any license.

The other option -- to put an OpenSSL exemption in our copy of the GPL -- is 
completely out of the question.

On Sun, 27 May 2007, William Stein wrote:

>
> Hi,
>
> It recently came to my attention (when an undergrad -- Michael Schmitz --
> was talking with  me about his project on openssl in my number
> theory class) that OpenSSL's license is totally GPL incompatible.
> This was his guess as to why firefox doesn't use openssl.
> Why should you care? -- SAGE is a GPL'd program that
> includes openssl and links in a bunch of other GPL'd programs, so
> SAGE as distributed with openssl, currently violates the copyright of
> those GPL'd programs.  SAGE *only* uses openssl to provide authentication
> for DSAGE (distributed SAGE) and -- in the future but not yet -- we plan
> to use it for authentication for the notebook.   Read more if you're
> interested.
>
> It is a copyright violation to link a GPL program with OpenSSL and
> distribute together the linked program, as SAGE does.
> In particular, by distributing OpenSSL with SAGE, we are violating the
> copyright of GPL'd programs included with SAGE.  The OpenSSL license
> is evidently OSI (www.opensource.org) approved, but that isn't enough.
> There are several web pages that I think consistently explain the copyright
> situation with regard to openssl:
>
> * http://www.gnome.org/~markmc/openssl-and-the-gpl.html
> * http://finkproject.org/doc/packaging/policy.php
> * http://lists.debian.org/debian-legal/2002/10/msg00113.html
>
> Conclusion: I screwed up by not checking the license of openssl much more
> carefully before including it in SAGE, and I will unfortunately have to remove
> openssl from SAGE.  (This is quite annoying -- I similarly screwed up once
> by including gnuplot for several weeks, and once again by including Singular
> before omalloc became GPL'd.  Maybe we need to hire more lawyers. :-) )
>
> Back to openssl.  Fortunately, the Debian and Fink projects both took
> a "hard line" position against OpenSSL some time ago, so (?)
> there are alternatives.  It looks like GNU TLS is probably the best:
>   http://www.gnu.org/software/gnutls/
> Fortunately it appears that Twisted can use GNU TLS:
>   http://cheeseshop.python.org/pypi/python-gnutls/
>
> I think the *only* part of SAGE that uses OpenSSL right now is DSAGE's
> authentication system, which is built on Twisted.    Anyway, comments are
> welcome before I simply remove openssl and pyopenssl from SAGE before the
> next release, come what may.
>
> -- William
>
> --
> William Stein
> Associate Professor of Mathematics
> University of Washington
> http://www.williamstein.org
>