
Re: GPL-licensed packages with depend-chain to OpenSSL



On Thu, Aug 12, 2004 at 03:22:34PM +0200, Daniel Stenberg wrote:
> Please forgive a new subscriber if this subject already has been debated to 
> death. In that case, just let me know and I'll quietly crawl away again.

> Ok, here's my explanation of the "problem":

> There's this package in recent Debian named 'curl' (using an MIT-like 
> license). It is built with OpenSSL (you all know the OpenSSL license).

> With curl there come two (that we care about here) Debian packages 
> nowadays named libcurl2 and libcurl3 (libcurl3 being the new ABI and 
> libcurl2 the older one). Both are linked against the OpenSSL libraries.

> Many applications use libcurl. Including several applications/packages in 
> Debian unstable that are GPL-licensed.

> See where I'm drifting? Several packages in Debian unstable are licensed 
> GPL (without explicit allowance for linking with OpenSSL) but link with 
> libraries/components that link with OpenSSL... This creates binaries that 
> are not allowed to distribute due to GPL license violations. AFAICT.

> I'm not a Debian guru, but I scanned through the list of apps depending on 
> curl to see what licenses they use, and I stopped when I had collected five 
> examples:

>  grip, logjam, ardour, fbi, xine-ui

> They are all GPLv2 licensees.

This is, in fact, a violation of the GPL as we understand it.

It would be helpful if you could file bug reports (severity: serious)
against these packages you've looked at, documenting the license
problem.  The maintainer may have further licensing information that's
not documented in the package copyright file; or, OTOH, we may need to
remove these packages from sarge if the question can't be resolved
quickly.

> (I'm sure someone with more Debian skill can do this checking better and 
> more accurately - these numbers were obtained by some rather crude and 
> error-prone scripts.)

It's possible to quickly find a list of packages using libcurl2/3, but
checking the licenses of these packages still requires human review of
the copyright files.

Thanks,
-- 
Steve Langasek
postmodern programmer
