
Re: libapache2-mod-security2



Hi Gary,

On Friday 15 February 2008, Gary Koskenmaki wrote:
> Why was the subject of this email completely dropped from the
> Debian archives?  This is an extremely useful tool.  I understand
> why it isn't in main, but why couldn't it just have been moved to
> non-free rather than being dropped?  Debian carries completely
> proprietary packages such as flash, ati drivers, nvidia drivers,
> etc... so why the complete dropping of such an excellent security
> tool?

The problem is that modsecurity is licensed under GPL v2, which is not 
compatible with the Apache license 2.0. It is not allowed to 
distribute Apache 2 and modsecurity together, and (AIUI) Debian 
thinks that even if modsecurity were put into non-free, it would 
still be distributed together with Debian main which includes Apache 
2. From 
http://www.thinkingstone.com/about/legal/licensing-clarifications.html:

"However, it is not possible to combine ModSecurity licensed under 
GPLv2 with the Apache web server and distribute the combination. 
There is an incompatibility between GPLv2 and the Apache licences 
that is triggered when distribution takes place."

From 
https://bugs.launchpad.net/ubuntu/+source/libapache-mod-security/+bug/19832:

"Actually, Alberto González did contact upstream, who stated he isn't 
willing to change the licence, and the conflict between them is on 
purpose (business decision)."

> I don't really understand the logic of the decision in the context
> of non-free repositories being available.

It's the decision of the modsecurity authors.

Also, Debian non-free does not have security support. Distributing a 
security tool that might need security updates in non-free would be 
suboptimal anyway.

Cheers,
Stefan

