Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-26 Thread Francesco Poli
On Fri, 24 Oct 2014 06:56:39 +0800 Paul Wise wrote:

[...]
> Bradley Kuhn says that for GPLv2-only works Debian should not consider
> OpenSSL to be a system library but for works where the GPLv3 can
> apply, SSL/TLS is likely a Standard Interface and thus subject to
> the System Library exception.

I was pondering over this issue and I seemed to remember I had seen an
opposite opinion.

Now I've just found where I saw that opinion: it was quoted on
debian-legal [1] back in 2007. Brett Smith (FSF Licensing Compliance
Engineer) stated that OpenSSL does not qualify as (GPLv3) System
Library.

[1] https://lists.debian.org/debian-legal/2007/07/msg00194.html



-- 
 http://www.inventati.org/frx/
 fsck is a four letter word...
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-23 Thread Florian Weimer
* Henrique de Moraes Holschuh:

> The problem is that Debian is the operating system distributing the system
> libraries, and that all packages Debian distributes are *also* part of that
> same operating system.
>
> https://lists.debian.org/debian-legal/2002/10/msg00113.html
> https://people.gnome.org/~markmc/openssl-and-the-gpl.html
>
> And read this, especially slides 8, 9, and 10:
> www.lawseminars.com/materials/08OPSMA/opsma%20m%20fontana%2010-29%20new%20up.pdf
>
> Where it is clear it is indeed a concern.  Note that Fontana is both a
> lawyer, and co-author of the GPLv3.

But Fedora, whose policies Richard Fontana helped to shape over the
years, considers OpenSSL to be a library covered by the system library
exception.

In practice, the FSF seems to agree with this interpretation (for the
GPLv2) because Microsoft Services for UNIX links GPL software such as
GCC against a proprietary libc which is part of the same software
package, and I don't think the FSF has even tried to stop them.  (This
libc is BSD-derived and not the Windows kernel or something like that,
it is an intermediate layer.)


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87fvef9pdu@mid.deneb.enyo.de



Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-23 Thread Stefano Zacchiroli
On Thu, Oct 23, 2014 at 10:11:41AM +0200, Florian Weimer wrote:
> But Fedora, whose policies Richard Fontana helped to shape over the
> years, considers OpenSSL to be a library covered by the system library
> exception.

But legal advice is not necessarily portable. As a project, we can
certainly decide to start considering OpenSSL a system library, on the
basis of legal advice. But to do so we should seek legal advice
specifically targeted at the Debian case, and discuss the advice we get
with the relevant stakeholders (e.g., the FSF, with whom we have pretty
good connections these days).

Cheers.
-- 
Stefano Zacchiroli  . . . . . . .  z...@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »




Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-23 Thread Robert Collins
On 23 Oct 2014 02:03, Thorsten Glaser t...@debian.org wrote:

...

> > Where it is clear it is indeed a concern.  Note that Fontana is both a
> > lawyer, and co-author of the GPLv3.
>
> And a RedHat employee.

Was :) http://en.m.wikipedia.org/wiki/Richard_Fontana


Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-23 Thread Paul Wise
On Thu, Oct 23, 2014 at 4:11 PM, Florian Weimer wrote:

> But Fedora, whose policies Richard Fontana helped to shape over the
> years, considers OpenSSL to be a library covered by the system library
> exception.

We discussed this on #faif[1] and:

Richard Fontana says the OpenSSL-system library exception thing is
misattributed to him and he addressed this quite directly in his
FOSDEM talk last February. He had no other comments.

https://archive.fosdem.org/2014/schedule/event/licensecompat/

Bradley Kuhn says that for GPLv2-only works Debian should not consider
OpenSSL to be a system library but for works where the GPLv3 can
apply, SSL/TLS is likely a Standard Interface and thus subject to
the System Library exception.

1. The IRC channel for the Free as in Freedom oggcast: http://faif.us/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Thorsten Glaser
Jelmer Vernooij dixit:

> Samba is unlikely to add such an exception.

So just make OpenSSL a system library finally.

bye,
//mirabilos
-- 
(gnutls can also be used, but if you are compiling lynx for your own use,
there is no reason to consider using that package)
-- Thomas E. Dickey on the Lynx mailing list, about OpenSSL





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Florian Weimer
* Michael Fladischer:

> Considering this, is it a good idea to provide a librabbitmq1-nossl
> binary package that was built without OpenSSL while still having
> librabbitmq1 with OpenSSL-support?

We do not do this for Python, which links against OpenSSL, and which
is used from software under the GPL, so I don't really see why we have
to do this for other infrastructure components.

The long term solution is to rely on the system library exception to
regain GPL compatibility, just as Fedora does.  It's really
unavoidable with libraries moving to (L)GPLv3 and the presence of
GPLv2-only software in Debian.





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Henrique de Moraes Holschuh
On Wed, 22 Oct 2014, Thorsten Glaser wrote:
> Jelmer Vernooij dixit:
> > Samba is unlikely to add such an exception.
>
> So just make OpenSSL a system library finally.

It has always been a system library in Debian.

The problem is that Debian is the operating system distributing the system
libraries, and that all packages Debian distributes are *also* part of that
same operating system.

https://lists.debian.org/debian-legal/2002/10/msg00113.html
https://people.gnome.org/~markmc/openssl-and-the-gpl.html

And read this, especially slides 8, 9, and 10:
www.lawseminars.com/materials/08OPSMA/opsma%20m%20fontana%2010-29%20new%20up.pdf

Where it is clear it is indeed a concern.  Note that Fontana is both a
lawyer, and co-author of the GPLv3.

You can disagree with the current debian-legal interpretation all you want,
it is certainly not a consensus within Debian either.  But, at the end of
the day, the only really safe option is to require the license exception if
you're going to link GPL code to OpenSSL.  And that is, AFAIK, the instance
the ftpmasters decided to adopt.

Anyway, this thread likely belongs more on debian-legal than on
debian-devel.  Adding Cc: to debian-legal, you might want to move the thread
there.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Thorsten Glaser
On Wed, 22 Oct 2014, Henrique de Moraes Holschuh wrote:

> The problem is that Debian is the operating system distributing the system
> libraries, and that all packages Debian distributes are *also* part of that
> same operating system.

Wrong: “*as long as*
your GPL binary is not shipped together with your libraries”.

Mere aggregation, which is what a distribution does, is not
“together”. The actual wording “unless that component itself
accompanies the executable” is even stronger. They’re not in
the same package. Most of the time, the (non?)gnutls openssl
wrapper is ABI compatible, even. The maintainers differ. Etc.
And it implements a standard interface.

> Where it is clear it is indeed a concern.  Note that Fontana is both a
> lawyer, and co-author of the GPLv3.

And a RedHat employee. (I think Florian Weimer is, too.)

Also, it’s normal that someone has a rosy sight on something they wrote.

Note that the intent of the actual copyright owners counts
*much* more than the intent of the licence writers when
interpreting clauses.

> You can disagree with the current debian-legal interpretation all you want,
> it is certainly not a consensus within Debian either.  But, at the end of

Oh we could do a GR on it, like with the BLOBs before I became DD.

> And that is, AFAIK, the instance the ftpmasters decided to adopt.

They can change that or be overridden by a GR.

> Anyway, this thread likely belongs more on debian-legal than on

No, debian-legal is no body within Debian, just a random armchair
lawyer discussion list. But it may be Cc’d, sure.

bye,
//mirabilos
-- 
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database”  ‣‣‣ Please, http://deb.li/mysql and MariaDB, finally die!





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Matthias Urlichs
Hi,

Thorsten Glaser:
> Also, it’s normal that someone has a rosy sight on something they wrote.
>
> Note that the intent of the actual copyright owners counts
> *much* more than the intent of the licence writers when
> interpreting clauses.

Sure, but in many cases there is not much expression of intent,
other than "I chose this license".

> No, debian-legal is no body within Debian, just a random armchair
> lawyer discussion list. But it may be Cc’d, sure.

Nevertheless, it is the forum where we-as-a-distribution are supposed to
arrive at a rough consensus on what's OK, legally, and what is not, thus
the discussion belongs there.

> ‣‣‣ Please, http://deb.li/mysql and MariaDB, finally die!

which, like your "random armchair lawyer" remark, I'd regard as borderline
flamebait.

-- 
-- Matthias Urlichs




Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Marco d'Itri
On Oct 22, Matthias Urlichs matth...@urlichs.de wrote:

> > No, debian-legal is no body within Debian, just a random armchair
> > lawyer discussion list. But it may be Cc’d, sure.
> Nevertheless, it is the forum where we-as-a-distribution are supposed to
> arrive at a rough consensus on what's OK, legally, and what is not, thus
> the discussion belongs there.
To be fair, I was around when debian-legal was created and I happen to 
remember well that its purpose was to move away armchair lawyering from 
debian-devel...

-- 
ciao,
Marco




Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Russ Allbery
Matthias Urlichs matth...@urlichs.de writes:

> Nevertheless, it is the forum where we-as-a-distribution are supposed to
> arrive at a rough consensus on what's OK, legally, and what is not, thus
> the discussion belongs there.

It's never been used that way for as long as I've been a project member.
Instead, it's a discussion forum where lots of people argue about licenses
before, during, and after the ftp-master team makes a final decision on
the license.  As near as I can tell, those two threads are parallel and
have almost nothing to do with each other.  (Almost nothing in the sense
that I think the ftp-master team looks at individual messages that have
good arguments, so they don't completely ignore that discussion.)

On multiple occasions, the people who participate in debian-legal have
reached what would appear to outsiders to be a consensus that's contrary
to what the project actually does, and the project has just ignored them.
I advise people to ignore that list, or at least treat it with a lot of
skepticism, since for people just trying to solve problems it's usually
more confusing than helpful.  Many of the active participants historically
have been advocates of a much more restrictive approach to licenses than
what Debian actually does.  It's usually more immediately useful to just
upload the package with an explanation of the issues in debian/copyright
and see what the ftp-master team says.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Clint Byrum
Excerpts from Michael Fladischer's message of 2014-10-21 08:58:32 -0500:
> Hi,
>
> I'm the maintainer for src:librabbitmq and the binary package
> librabbitmq1 is linked against libssl1.0.0 (OpenSSL).
>
> Now I was approached by Julien Kerihuel from the OpenChange project, who
> release their software under the terms of GPL-3, asking if I could
> provide an alternative to the OpenSSL-linked library so they can use it
> without causing a license conflict.
>
> Sadly librabbitmq only supports OpenSSL, there is rudimentary support
> for GnuTLS but it seems to be severely broken at the moment.
>
> Considering this, is it a good idea to provide a librabbitmq1-nossl
> binary package that was built without OpenSSL while still having
> librabbitmq1 with OpenSSL-support?
>
> I could not find another package that does this, so I assume that a
> similar situation did not yet occur (unlikely) or that there were
> arguments against providing such a package variant.
>

Perhaps consider linking it against cyassl? It has a minimal OpenSSL
compatibility API and is GPL2+ so it should be fine combined with
OpenChange.





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Brian May
On 23 October 2014 04:03, Russ Allbery r...@debian.org wrote:

> It's usually more immediately useful to just
> upload the package with an explanation of the issues in debian/copyright
> and see what the ftp-master team says.


This is probably getting off-track, however I have a package that has been
stuck in NEW for over a month because ftp-master won't give feedback on
what they see as a legal issue with my package. I disagreed with their
verdict, gave good reasons, indicated that another package already in
Debian would have the same issues, and got no response.

My point being you can't always rely on ftp-master either.
-- 
Brian May br...@microcomaustralia.com.au


Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-22 Thread Russell Stuart
On Thu, 2014-10-23 at 12:46 +1100, Brian May wrote:
> On 23 October 2014 04:03, Russ Allbery r...@debian.org wrote:
> > It's usually more immediately useful to just
> > upload the package with an explanation of the issues in
> > debian/copyright
> > and see what the ftp-master team says.
>
>
> This is probably getting off-track, however I have a package that has
> been stuck in NEW for over a month because ftp-master won't give
> feedback on what they see as a legal issue with my package. I
> disagreed with their verdict, gave good reasons, indicated that
> another package already in Debian would have the same issues, and got
> no response.

Yeah, that's been my experience too.  I waited a week for a reply, but
none was forthcoming.  I took that as a no.  They are busy people
after all, and probably don't have time to engage in what could be long
discussions.  Particularly now when everyone is rushing to get in before
the freeze.

I wasn't happy at the time, but in retrospect it seems like a reasonable
process to me.  I assume they are consistent as they can be, so their
decisions reflect Debian's current consensus (written or otherwise) on
what is allowed into Debian.  If you disagree strongly enough to want a
debate that changes it, that debate should be held here on debian-devel
where everyone can participate.

You don't need a debate or a reply to reach a compromise - just
re-submit with your compromises.  It has the advantage of forcing them
to give you an answer :D.  If you aren't prepared to compromise, either
have the debate or drop the package.





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-21 Thread Ondřej Surý
Why just not add a license exception as many other GPL projects do? 
Something like (copied from our Knot DNS d/copyright):

 In addition, as a special exception, the author of this program gives
 permission to link the code of its release with the OpenSSL project's
 OpenSSL library (or with modified versions of it that use the same
 license as the OpenSSL library), and distribute the linked
 executables. You must obey the GNU General Public License in all
 respects for all of the code used other than OpenSSL.  If you
 modify this file, you may extend this exception to your version of
 the file, but you are not obligated to do so.  If you do not wish to
 do so, delete this exception statement from your version.

O.

On Tue, Oct 21, 2014, at 15:58, Michael Fladischer wrote:
> Hi,
>
> I'm the maintainer for src:librabbitmq and the binary package
> librabbitmq1 is linked against libssl1.0.0 (OpenSSL).
>
> Now I was approached by Julien Kerihuel from the OpenChange project, who
> release their software under the terms of GPL-3, asking if I could
> provide an alternative to the OpenSSL-linked library so they can use it
> without causing a license conflict.
>
> Sadly librabbitmq only supports OpenSSL, there is rudimentary support
> for GnuTLS but it seems to be severely broken at the moment.
>
> Considering this, is it a good idea to provide a librabbitmq1-nossl
> binary package that was built without OpenSSL while still having
> librabbitmq1 with OpenSSL-support?
>
> I could not find another package that does this, so I assume that a
> similar situation did not yet occur (unlikely) or that there were
> arguments against providing such a package variant.
>
> Cheers,
> -- 
> Michael Fladischer
> Fladi.at
 


-- 
Ondřej Surý ond...@sury.org
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Re: GPL-3 openssl: provide a -nossl variant for a library

2014-10-21 Thread Jelmer Vernooij
On Tue, Oct 21, 2014 at 04:41:27PM +0200, Ondřej Surý wrote:
> Why just not add a license exception as many other GPL projects do?
> Something like (copied from our Knot DNS d/copyright):
>
>  In addition, as a special exception, the author of this program gives
>  permission to link the code of its release with the OpenSSL project's
>  OpenSSL library (or with modified versions of it that use the same
>  license as the OpenSSL library), and distribute the linked
>  executables. You must obey the GNU General Public License in all
>  respects for all of the code used other than OpenSSL.  If you
>  modify this file, you may extend this exception to your version of
>  the file, but you are not obligated to do so.  If you do not wish to
>  do so, delete this exception statement from your version.

This is harder for OpenChange since it links against other GPLv3 projects,
most notably Samba.

Samba is unlikely to add such an exception.

Cheers,

Jelmer

> On Tue, Oct 21, 2014, at 15:58, Michael Fladischer wrote:
> > Hi,
> >
> > I'm the maintainer for src:librabbitmq and the binary package
> > librabbitmq1 is linked against libssl1.0.0 (OpenSSL).
> >
> > Now I was approached by Julien Kerihuel from the OpenChange project, who
> > release their software under the terms of GPL-3, asking if I could
> > provide an alternative to the OpenSSL-linked library so they can use it
> > without causing a license conflict.
> >
> > Sadly librabbitmq only supports OpenSSL, there is rudimentary support
> > for GnuTLS but it seems to be severely broken at the moment.
> >
> > Considering this, is it a good idea to provide a librabbitmq1-nossl
> > binary package that was built without OpenSSL while still having
> > librabbitmq1 with OpenSSL-support?
> >
> > I could not find another package that does this, so I assume that a
> > similar situation did not yet occur (unlikely) or that there were
> > arguments against providing such a package variant.
> >
> > Cheers,
> > -- 
> > Michael Fladischer
> > Fladi.at
  

