GPL-licensed packages with depend-chain to OpenSSL
Please forgive a new subscriber if this subject already has been debated to
death. In that case, just let me know and I'll quietly crawl away again.
Ok, here's my explanation of the "problem":
There's this package in recent Debian named 'curl' (using an MIT-like license).
It is built with OpenSSL (you all know the OpenSSL license).
With curl there come two (that we care about here) Debian packages nowadays
named libcurl2 and libcurl3 (libcurl3 being the new ABI and libcurl2 the older
one). Both are linked against the OpenSSL libraries.
Many applications use libcurl. Including several applications/packages in
Debian unstable that are GPL-licensed.
See where I'm drifting? Several packages in Debian unstable are licensed GPL
(without explicit allowance for linking with OpenSSL) but link with
libraries/components that link with OpenSSL... This creates binaries that are
not allowed to distribute due to GPL license violations. AFAICT.
I'm not a Debian guru, but I scanned through the list of apps depending on
curl to see what licenses they use, and I stopped when I had collected five
grip, logjam, ardour, fbi, xine-ui
They are all GPLv2 licensees.
I can think of multiple approaches to fix this situation:
1. Make the authors add exceptions to the licences
2. Provide a curl package that is built without OpenSSL that those that don't
do #1 can use.
Of course getting curl to link with an SSL library that isn't GPL incompatible
would also be a fix for this particular case, but I consider that a pretty big
job that won't happen this year (by me).
If this was just an issue with packages that depend on (lib)curl, it would've
been a minor issue. But...
I counted to 206 packages in current Debian unstable that depend on libssl
(grepping in the "Build-Depends" fields). I figure all those packages already
have either a license that is OK, or an exception in their GPL license.
But, there are 610 packages that depend on one or more of those 206 packages.
Since I'm checking build-dependencies I'm hoping I check the right stuff. I
would be surprised if the five packages I found are the only ones affected by
this. There are also a lot of packages that depend on these 610 packages...
(I'm sure someone with more Debian skill can do this checking better and more
accurately - these numbers were obtained by some rather crude and error-prone
Is this a huuuuge can of worms or am I just plain wrong?
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
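
The two-level check described in this message (source packages whose Build-Depends name libssl, then packages that build-depend on what those produce), as an added example that is not part of the original mail. The function names and the sample stanzas, including the binary package names, are constructed for illustration.

```python
import re

# Constructed sample in Debian "Sources" index format (not real archive data).
SAMPLE_SOURCES = """\
Package: curl
Binary: curl, libcurl3, libcurl3-dev
Build-Depends: debhelper (>> 4.1), libssl-dev, zlib1g-dev

Package: grip
Binary: grip
Build-Depends: debhelper, libcurl3-dev (>= 7.11) | libcurl2-dev, libgnome2-dev

Package: xine-ui
Binary: xine-ui
Build-Depends: libxine-dev, libcurl3-dev [!hurd-i386]

Package: hello
Binary: hello
Build-Depends: debhelper
"""

def parse_sources(text):
    """Return {source: (set of binary packages, set of build-dep names)}."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        # Fold continuation lines (they start with whitespace) into their field.
        folded = re.sub(r"\n[ \t]+", " ", stanza)
        fields = dict(l.split(": ", 1) for l in folded.splitlines() if ": " in l)
        binaries = {b.strip() for b in fields.get("Binary", "").split(",") if b.strip()}
        deps = set()
        # Commas separate requirements, "|" separates alternatives.
        for item in re.split(r"[,|]", fields.get("Build-Depends", "")):
            name = re.sub(r"[(\[<].*", "", item).strip()  # drop version/arch parts
            if name:
                deps.add(name)
        index[fields["Package"]] = (binaries, deps)
    return index

def dependents(index, wanted):
    """Source packages with at least one build-dep matching predicate `wanted`."""
    return {src for src, (_, deps) in index.items() if any(wanted(d) for d in deps)}

def two_levels(text, prefix="libssl"):
    """(direct, indirect): build-depend on libssl*, or on a direct package's binaries."""
    index = parse_sources(text)
    direct = dependents(index, lambda d: d.startswith(prefix))
    produced = set().union(*(index[s][0] for s in direct))
    indirect = dependents(index, lambda d: d in produced) - direct
    return direct, indirect
```

A build dependency only shows that a package was built against the library, so each package in the second set still needs its license text read for an OpenSSL exception.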