Re: Squid openssl

2013-05-02 Thread Clint Byrum

On 2013-05-02 15:09, Kees Cook wrote:

Hi,

On Thu, May 02, 2013 at 08:22:39AM +1200, Robert Collins wrote:
W.r.t 
http://www.squid-cache.org/mail-archive/squid-dev/201206/0075.html


I would like to expand on this - this is based on my reading of the
license terms that are under debate by the Ubuntu tech board now,
*not* on a desire for a particular outcome.

As a Squid upstream I *hate* that Debian and Ubuntu don't ship SSL
enabled binaries. The only issues I see are technical, legacy ones - I
don't perceive a moral issue here given that OpenSSL is free software:
It is very unlike the situation with a proprietary OS, and I wish that
Squid *could* put an exception in place for OpenSSL.

However, we have spotty contact with the union of all developers, and
it would require considerable human bandwidth to get an exception in
place - so far no-one has made the time to really get that happening.


How about we add the following exception for linking against
OpenSSL: ...  If anyone objects, please speak up by 2013-mm-dd.

And then things are fixed. :)



Indeed, your rights may be guaranteed in most jurisdictions in 
absentia, but when there is already vagueness in the issue at hand, it 
is much harder to argue that you were somehow damaged by a license 
violation if you did not respond to repeated notifications at the only 
contact address you gave in connection with the license.


So - it is a violation to ship OpenSSL linked Squid IFF you agree that
OpenSSL isn't a 'system library', and to date I have sided with the
Debian interpretation of that. As a project however, Squid would like
to see SSL enabled binaries shipping by default. I can guarantee that
I wouldn't stand in the way of OpenSSL being determined to be a system
library, though I can't make that statement for the set of all past
contributors to Squid! However, any such postulated contributor that
objects could have stated their grievances with Fedora/RHEL at any
time in the past, so it would be very odd for them to turn up now and
complain specifically to Ubuntu, were Ubuntu to start shipping SSL
enabled binaries.

Finally, it irks me that Fedora and Debian/Ubuntu have different
answers for the 'is OpenSSL a system library' question. It makes it
hard for folk writing software :(.


I've personally never had a problem with the OpenSSL linking. It seems
a needlessly picky interpretation of the intent of these licenses.



The only problem anybody would ever have is if they have published 
something, like MongoDB, under the AGPL, and then linked it to OpenSSL 
not realizing that their users are now required to include this:


 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

It is pretty clear to me, if you write software to use OpenSSL, and you 
link to it, you have implied that you understand it. What gets 
debian-legal upset, and really any lawyer (btw, I am not one) is that 
implicit declarations are much harder to argue about.


All of that said, there is a much simpler choice, which is to just port 
your software to use gnutls. I'd rather that software minded people 
spend their time and expertise on that, than having to deal with legal 
arguments. How much time could we have saved everyone just having to 
read these messages if we had put the same effort into gnutls patches 
for MongoDB and/or Squid?


--
technical-board mailing list
technical-board@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/technical-board


Re: Squid openssl

2013-05-02 Thread Kees Cook
On Thu, May 02, 2013 at 04:02:52PM -0700, Clint Byrum wrote:
 All of that said, there is a much simpler choice, which is to just
 port your software to use gnutls. I'd rather that software minded
 people spend their time and expertise on that, than having to deal
 with legal arguments. How much time could we have saved everyone
 just having to read these messages if we had put the same effort
 into gnutls patches for MongoDB and/or Squid?

On the one hand, there is a nice compatibility layer already in gnutls.

On the other hand, is gnutls as actively developed as openssl?

-Kees

-- 
Kees Cook
