Re: GPL-licensed packages with depend-chain to OpenSSL

To: debian-legal@lists.debian.org
Subject: Re: GPL-licensed packages with depend-chain to OpenSSL
From: Måns Rullgård <mru@mru.ath.cx>
Date: Thu, 19 Aug 2004 20:59:44 +0200
Message-id: <[🔎] yw1x3c2jj6n3.fsf@mru.ath.cx>
References: <[🔎] Pine.LNX.4.60.0408121358540.22401@yvahk3.pbagnpgbe.fr> <[🔎] 20040812231720.GC23851@quetzlcoatl.dodds.net> <[🔎] 20040819080206.GC13413@ba.issia.cnr.it> <[🔎] 20040819083847.GD10426@mauritius.dodds.net> <[🔎] yw1xbrh7h4ug.fsf@mru.ath.cx> <[🔎] 20040819183729.GA11054@mauritius.dodds.net>

Steve Langasek <vorlon@debian.org> writes:

> On Thu, Aug 19, 2004 at 11:09:11AM +0200, Måns Rullgård wrote:
>> Steve Langasek <vorlon@debian.org> writes:
>
>> > If your understanding of the license exception requirements were
>> > correct, it would be a very easy loophole for people to exploit, using
>> > GPL-compatible library layers to "sanitize" the licenses of library
>> > dependencies.
>
>> > But in fact, the GPL's definition of source code is:
>
>> >   The source code for a work means the preferred form of the work for
>> >   making modifications to it.  For an executable work, complete source
>> >   code means all the source code for all modules it contains, plus any
>> >   associated interface definition files, plus the scripts used to
>> >   control compilation and installation of the executable.  However, as a
>> >   special exception, the source code distributed need not include
>> >   anything that is normally distributed (in either source or binary
>> >   form) with the major components (compiler, kernel, and so on) of the
>> >   operating system on which the executable runs, unless that component
>> >   itself accompanies the executable.
>
>> > For GPL applications linked against curl, "all modules it contains"
>> > includes both libcurl and libssl.
>
>> When using dynamic linking that is not necessarily the case.  Most
>> dynamic linkers use lazy loading of libraries, such that the openssl
>> libraries would not actually be mapped in to the process address space
>> until one of its functions is called.  If, as per assumption, the
>> application does not use any ssl related features of curl, the openssl
>> libraries would never be touched, except for a possible scan of its
>> symbol table.  The openssl libraries could be replaced by another
>> library containing dummy entries for all the required symbols and the
>> curl using application would still function correctly.  How the
>> presence or absence of a particular library at runtime could possibly
>> change the derivedness of a some program from said library is beyond
>> my comprehension.
>
> I didn't say anything about derived works.  Neither does the GPL when
> talking about source code.
>
> The GPL also doesn't define source code to include "all modules it
> uses", it defines it to include "all modules it contains".

Could you please explain to me how something linked against libcurl
contains openssl?

-- 
Måns Rullgård
mru@mru.ath.cx

Reply to:

Follow-Ups:
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: David Schleef <ds@schleef.org>

References:
- GPL-licensed packages with depend-chain to OpenSSL
  - From: Daniel Stenberg <daniel@haxx.se>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Steve Langasek <vorlon@debian.org>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: "Francesco P. Lovergine" <frankie@debian.org>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Steve Langasek <vorlon@debian.org>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Måns Rullgård <mru@mru.ath.cx>
- Re: GPL-licensed packages with depend-chain to OpenSSL
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Re: GPL-licensed packages with depend-chain to OpenSSL
Next by Date: Re: Choice-of-Venue is OK with the DFSG.
Previous by thread: Re: GPL-licensed packages with depend-chain to OpenSSL
Next by thread: Re: GPL-licensed packages with depend-chain to OpenSSL
Index(es):
- Date
- Thread