Re: GPL-licensed packages with depend-chain to OpenSSL

To: debian-legal@lists.debian.org
Subject: Re: GPL-licensed packages with depend-chain to OpenSSL
From: Steve Langasek <vorlon@debian.org>
Date: Thu, 19 Aug 2004 11:37:31 -0700
Message-id: <[🔎] 20040819183729.GA11054@mauritius.dodds.net>
Mail-followup-to: debian-legal@lists.debian.org
In-reply-to: <[🔎] yw1xbrh7h4ug.fsf@mru.ath.cx>
References: <[🔎] Pine.LNX.4.60.0408121358540.22401@yvahk3.pbagnpgbe.fr> <[🔎] 20040812231720.GC23851@quetzlcoatl.dodds.net> <[🔎] 20040819080206.GC13413@ba.issia.cnr.it> <[🔎] 20040819083847.GD10426@mauritius.dodds.net> <[🔎] yw1xbrh7h4ug.fsf@mru.ath.cx>

On Thu, Aug 19, 2004 at 11:09:11AM +0200, Måns Rullgård wrote:
> Steve Langasek <vorlon@debian.org> writes:

> > If your understanding of the license exception requirements were
> > correct, it would be a very easy loophole for people to exploit, using
> > GPL-compatible library layers to "sanitize" the licenses of library
> > dependencies.

> > But in fact, the GPL's definition of source code is:

> >   The source code for a work means the preferred form of the work for
> >   making modifications to it.  For an executable work, complete source
> >   code means all the source code for all modules it contains, plus any
> >   associated interface definition files, plus the scripts used to
> >   control compilation and installation of the executable.  However, as a
> >   special exception, the source code distributed need not include
> >   anything that is normally distributed (in either source or binary
> >   form) with the major components (compiler, kernel, and so on) of the
> >   operating system on which the executable runs, unless that component
> >   itself accompanies the executable.

> > For GPL applications linked against curl, "all modules it contains"
> > includes both libcurl and libssl.

> When using dynamic linking that is not necessarily the case.  Most
> dynamic linkers use lazy loading of libraries, such that the openssl
> libraries would not actually be mapped in to the process address space
> until one of its functions is called.  If, as per assumption, the
> application does not use any ssl related features of curl, the openssl
> libraries would never be touched, except for a possible scan of its
> symbol table.  The openssl libraries could be replaced by another
> library containing dummy entries for all the required symbols and the
> curl using application would still function correctly.  How the
> presence or absence of a particular library at runtime could possibly
> change the derivedness of a some program from said library is beyond
> my comprehension.

I didn't say anything about derived works.  Neither does the GPL when
talking about source code.

The GPL also doesn't define source code to include "all modules it
uses", it defines it to include "all modules it contains".

-- 
Steve Langasek
postmodern programmer

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Måns Rullgård <mru@mru.ath.cx>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Andrew Suffield <asuffield@debian.org>

References:
- GPL-licensed packages with depend-chain to OpenSSL
  - From: Daniel Stenberg <daniel@haxx.se>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Steve Langasek <vorlon@debian.org>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: "Francesco P. Lovergine" <frankie@debian.org>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Steve Langasek <vorlon@debian.org>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Måns Rullgård <mru@mru.ath.cx>

Prev by Date: Re: NEW ocaml licence proposal by upstream, will be part of the 3.08.1 release going into sarge.
Next by Date: Re: GPL-licensed packages with depend-chain to OpenSSL
Previous by thread: Re: GPL-licensed packages with depend-chain to OpenSSL
Next by thread: Re: GPL-licensed packages with depend-chain to OpenSSL
Index(es):
- Date
- Thread