Re: openssl vs. GPL question

2005-06-10 Thread Anthony DeRobertis
Michael K. Edwards wrote:
 You might also observe the comments at
 http://bugs.mysql.com/bug.php?id=6924 and
 http://bugs.mysql.com/bug.php?id=8508 regarding MySQL's retreat, first
 from providing OpenSSL-enabled binaries, and then from referencing
 OpenSSL in the server source code.  Any bets on whether there was a
 quid pro quo involved when Eben Moglen submitted an affidavit in
 Progress Software v. MySQL?

If you wish to allege underhanded dealings, please bring some evidence.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: openssl vs. GPL question

2005-06-10 Thread Michael K. Edwards
On 6/10/05, Anthony DeRobertis [EMAIL PROTECTED] wrote:
 Michael K. Edwards wrote:
  You might also observe the comments at
  http://bugs.mysql.com/bug.php?id=6924 and
  http://bugs.mysql.com/bug.php?id=8508 regarding MySQL's retreat, first
  from providing OpenSSL-enabled binaries, and then from referencing
  OpenSSL in the server source code.  Any bets on whether there was a
  quid pro quo involved when Eben Moglen submitted an affidavit in
  Progress Software v. MySQL?
 
 If you wish to allege underhanded dealings, please bring some evidence.

Perhaps it would be more accurate to say that MySQL's executives
appear to have been availing themselves of the services of the GPL
Compliance Lab, and have probably received a few letters on Columbia
University letterhead.

I think the FSF's entire handling of OpenSSL is underhanded.  For them
to make the false claim that API usage makes for a derivative work
when it suits them, and then to accept the copying of the OpenSSL API
into the GPL'ed yaSSL and the GPL'ed shim to GNU TLS, and then
recommend these alternatives over OpenSSL to all GPL licensors, is
beyond hypocritical.

As regards MySQL, here are some comments by one Tim Smith on bug 6924:

quote
We would like to be able to release binaries with SSL support, and are
investigating different options for that.  I'm told that building with yassl is
possible right now, so this may be an option for you, depending on how you're
using MySQL, etc.

...

It's due to unclear license issues.  Basically, we'd be OK distributing
OpenSSL-enabled binaries, but anyone who redistributed them would probably be
violating the license.  Our licence doesn't have a clear exclusion that handles
OpenSSL.

I'm doing a bit of parroting here, since I'm not directly involved with making
these decisions.  I can tell you for sure that it's due to legal, not technical,
reasons.
/quote

Who do you suppose would be telling MySQL that they don't have the
ability to alter the license on their own software to accommodate
their own decision to use OpenSSL?

- Michael



Re: openssl vs. GPL question

2005-06-10 Thread Anthony DeRobertis
Michael K. Edwards wrote:

 P. S.  If you think that an FSF vendetta against OpenSSL would be an
 anomaly, or that RMS is purist about copyright law when it comes to
 his own conduct, you might be interested in Theo de Raadt's comments
 at http://www.monkey.org/openbsd/archive/tech/0002/msg00171.html .

That URL says "From: Brett Glass [EMAIL PROTECTED]" who is, AFAIK, not
Theo de Raadt. The only two Theo de Raadt postings in that thread are
essentially "go away".





Re: openssl vs. GPL question

2005-06-10 Thread Anthony DeRobertis
Michael K. Edwards wrote:
 On 6/6/05, Michael K. Edwards [EMAIL PROTECTED] wrote:
 
Whoops, I misattributed that message.  It's Brett Glass who wrote
that, NOT Theo de Raadt.  :-(
 
 
 And after Googling Brett Glass briefly, I doubt he has much concrete
 evidence to back up his claim that RMS plagiarized Symbolics code. [...]

Sorry about my last message; I managed to reply before seeing these
corrections.





Re: Re: openssl vs. GPL question

2005-06-10 Thread Regis Boudin
Hi everyone,

On 6/4/05, Dafydd Harries [EMAIL PROTECTED] wrote:
 I have a package Alexandria, written in Ruby, which will depend on a
 new library in the next version. This library, ruby-zoom, is an LGPL Ruby
 binding of libyaz. libyaz links to OpenSSL and is, as far as I can tell,
 under a 2-clause BSD licence. Everything fine so far.
 
 But it seems to me that it will be impossible for Alexandria, which is
 under the GPL, to use ruby-zoom legally as, by doing so, it will be
 linking against OpenSSL, which is under a GPL-incompatible licence. Am I
 right in thinking so?

It is Debian's historical practice, and the FSF's stance, not to
permit this kind of dependency (direct or indirect).  I believe
strongly, and have adduced plenty of case law to demonstrate, that the
FSF's GPL FAQ is in error on this point.  I would not say, however,
that my opinion represents a debian-legal consensus.  See recent
debian-legal threads about Quagga, which is in a similar position.

 My understanding of this issue is based on reading this thread:
 
 http://lists.debian.org/debian-legal/2002/10/msg00113.html
 
 If there is indeed a licence problem here, I can see two main solutions:
 
  - Try to get libyaz in Debian to link against GnuTLS instead of
OpenSSL.
 
  - Get the maintainer of Alexandria to make an exception for linking
against OpenSSL.

The latter is probably a better choice (at least in the short term),
since the OpenSSL shim for GNU TLS was added to the GPL (not LGPL)
libgnutls-extra.  (It's possible that it has since been moved into the
LGPL portion, but I don't think so.)  While I don't believe in the
FSF's theories about linking causing GPL violation (especially in
the indirect scenario), it's the Debian way to request a clarification
from upstream.
 
 I notice that the Tellico package, which is GPL, already links against
 libyaz. Is this a licence violation?

No; but there again, it would probably be best to check with upstream
about whether they would mind adding an explicit OpenSSL exemption. 
Wishlist bug?

Sorry to arrive late, I am not on -legal, and only noticed this thread
during one of my usual checks of what's happening around here. I appear
to be the maintainer of tellico, so I would like to have some good advice on
what to do about this problem.

I have CC'ed Robby Stephenson, who is the upstream author of Tellico, so he can
know and make a decision about it if he thinks he should.

Regards,
Regis 





Re: openssl vs. GPL question

2005-06-07 Thread Gervase Markham

Michael K. Edwards wrote:

Do you know whether the NSS implementation is being certified at
source code level (a very unusual arrangement) using the sort of
maneuvers mentioned in the Linux Journal article on DMLSS?


I'm not able to say - it's not my area. If you are interested, 
news://news.mozilla.org/netscape.public.mozilla.crypto is the place to ask.


Gerv





Re: openssl vs. GPL question

2005-06-06 Thread Humberto Massa Guimarães
From: Steve Langasek [mailto:[EMAIL PROTECTED]
 The phrase "For an executable work, complete source code means all
 the source code for all modules it contains" appears in the text
 of GPL section *3*, which is not specific to works based on the
 Program.  Such lack of attention to license detail from one who
 has so much to say on the subject is truly appalling.

So, are you arguing that things that *dynamically* link with some libraries do 
_contain_ said libraries?

Because IMHO neither ruby-zoom _contains_ libyaz nor libyaz _contains_ openssl.

Massa





Re: openssl vs. GPL question

2005-06-06 Thread Michael K. Edwards
You might also observe the comments at
http://bugs.mysql.com/bug.php?id=6924 and
http://bugs.mysql.com/bug.php?id=8508 regarding MySQL's retreat, first
from providing OpenSSL-enabled binaries, and then from referencing
OpenSSL in the server source code.  Any bets on whether there was a
quid pro quo involved when Eben Moglen submitted an affidavit in
Progress Software v. MySQL?

Pity the MySQL folks; Progress Software were the ones who encouraged
them to switch to the GPL in the first place, and when that
relationship went bad, they fell right in with the FSF.  Switching to
YaSSL is going to cost them when it comes to DoD use of MySQL, since
some gutsy folks at the Defense Medical Logistics Standard Support
program are going through FIPS 140-2 validation on OpenSSL with
financing from the usual suspects (mostly IBM and HP); see
http://www.linuxjournal.com/article/7644 .

Cheers,
- Michael



Re: openssl vs. GPL question

2005-06-06 Thread Michael K. Edwards
On 6/6/05, Gervase Markham [EMAIL PROTECTED] wrote:
 The implementation of SSL in the Netscape NSS libraries is available
 under the GPL, and I believe certain versions of it have FIPS validation.
 http://www.mozilla.org/projects/security/pki/nss/fips/

I'm delighted to hear that.  It does not seem that the same is true of
YaSSL, and it perplexes me that MySQL has chosen it.

Do you know whether the NSS implementation is being certified at
source code level (a very unusual arrangement) using the sort of
maneuvers mentioned in the Linux Journal article on DMLSS?

Cheers,
- Michael

P. S.  If you think that an FSF vendetta against OpenSSL would be an
anomaly, or that RMS is purist about copyright law when it comes to
his own conduct, you might be interested in Theo de Raadt's comments
at http://www.monkey.org/openbsd/archive/tech/0002/msg00171.html .  I
don't necessarily agree with his opinions on the ethics of the GPL,
but if he speaks from personal knowledge on RMS's handling of code
owned by Symbolics, I'm rather disappointed in RMS.



Re: openssl vs. GPL question

2005-06-06 Thread Michael K. Edwards
On 6/6/05, Michael K. Edwards [EMAIL PROTECTED] wrote:
 P. S.  If you think that an FSF vendetta against OpenSSL would be an
 anomaly, or that RMS is purist about copyright law when it comes to
 his own conduct, you might be interested in Theo de Raadt's comments
 at http://www.monkey.org/openbsd/archive/tech/0002/msg00171.html .  I
 don't necessarily agree with his opinions on the ethics of the GPL,
 but if he speaks from personal knowledge on RMS's handling of code
 owned by Symbolics, I'm rather disappointed in RMS.

Whoops, I misattributed that message.  It's Brett Glass who wrote
that, NOT Theo de Raadt.  :-(



Re: openssl vs. GPL question

2005-06-05 Thread Arnoud Engelfriet
Michael K. Edwards wrote:
 since the OpenSSL shim for GNU TLS was added to the GPL (not LGPL)
 libgnutls-extra.  (It's possible that it has since been moved into the
 LGPL portion, but I don't think so.)  

The LGPL contains an explicit provision that allows relicensing
to GPL (section 3 LGPL). Wouldn't that solve the problem?

Arnoud

-- 
Arnoud Engelfriet, Dutch patent attorney - Speaking only for myself
Patents, copyright and IPR explained for techies: http://www.iusmentis.com/





Re: openssl vs. GPL question

2005-06-05 Thread Steve Langasek
[Cc:ing the original poster, who posted to -mentors -- there's no reason to
expect that he's subscribed to -legal]

On Sun, Jun 05, 2005 at 11:04:13AM +0200, Måns Rullgård wrote:
  On 6/4/05, Dafydd Harries [EMAIL PROTECTED] wrote:
  I have a package Alexandria, written in Ruby, which will depend on a
  new library in the next version. This library, ruby-zoom, is an LGPL Ruby
  binding of libyaz. libyaz links to OpenSSL and is, as far as I can tell,
  under a 2-clause BSD licence. Everything fine so far.

  But it seems to me that it will be impossible for Alexandria, which is
  under the GPL, to use ruby-zoom legally as, by doing so, it will be
  linking against OpenSSL, which is under a GPL-incompatible licence. Am I
  right in thinking so?

  It is Debian's historical practice, and the FSF's stance, not to
  permit this kind of dependency (direct or indirect).  I believe
  strongly, and have adduced plenty of case law to demonstrate, that the
  FSF's GPL FAQ is in error on this point.  I would not say, however,
  that my opinion represents a debian-legal consensus.  See recent
  debian-legal threads about Quagga, which is in a similar position.

 Does Alexandria make direct use of any OpenSSL functionality, or do
 only parts of libyaz not used by Alexandria use OpenSSL?  In the
 latter case, claiming derivedness from OpenSSL is outright bizarre, if
 it ever made any sense.

I have no reason to believe that the GPL's claim depends on the status of
derivative works; it is a condition of distributing binaries under the GPL
that the source to the work and any components it contains must be made
available under the terms of the GPL.  The fact that Alexandria does not
make *direct* use of OpenSSL is no defense, IMHO.

 Seriously, how many people actually care whether some GPL code links
 with OpenSSL?  My guess is two: RMS and EM.

I care; I don't like either the OpenSSL license or the OpenSSL code, and I
think it's in Debian's interest to distance itself from both to the greatest
extent possible.

  I notice that the Tellico package, which is GPL, already links against
  libyaz. Is this a licence violation?

  No; but there again, it would probably be best to check with upstream
  about whether they would mind adding an explicit OpenSSL exemption. 
  Wishlist bug?

 If the program makes explicit use of OpenSSL, I'd consider it fairly
 safe to assume an implicit permission to do so, even in the absence of a
 written clause to that effect.

Also not a defense; it's entirely valid for someone to release code under
the GPL that they know cannot be bundled in binary form by OS distributors.
Your argument would also imply that Microsoft is allowed to bundle any GPLed
software they want to with Windows without opening their libs, merely
because it's been written to use Windows-specific APIs.  This is not a sane
assumption in the case of Microsoft, and it's not a sane assumption in our
case either.  If this *is* the author's intent, it should be trivial to
secure a license clarification.

-- 
Steve Langasek
postmodern programmer

