Re: libapache2-mod-security2
Hi Gary,
On Friday 15 February 2008, Gary Koskenmaki wrote:
> Why was the subject of this email completely dropped from the
> Debian archives? This is an extremely useful tool. I understand
> why it isn't in main, but why couldn't it just have been moved to
> non-free rather than being dropped? Debian carries completely
> proprietary packages such as flash, ati drivers, nvidia drivers,
> etc... so why the complete dropping of such an excellent security
> tool?
The problem is that modsecurity is licensed under GPL v2, which is not
compatible with the Apache license 2.0. It is not allowed to
distribute Apache 2 and modsecurity together, and (AIUI) Debian
thinks that even if modsecurity were put into non-free, it would
still be distributed together with Debian main which includes Apache
2. From
http://www.thinkingstone.com/about/legal/licensing-clarifications.html:
"However, it is not possible to combine ModSecurity licensed under
GPLv2 with the Apache web server and distribute the combination.
There is an incompatibility between GPLv2 and the Apache licences
that is triggered when distribution takes place."
From
https://bugs.launchpad.net/ubuntu/+source/libapache-mod-security/+bug/19832:
"Actually, Alberto González did contact upstream, who stated he isn't
willing to change the licence, and the conflict between them is on
purpose (business decision)."
> I don't really understand the logic of the decision in the context
> of non-free repositories being available.
It's the decision of the modsecurity authors.
Also, Debian non-free does not have security support. Distributing a
security tool that might need security updates in non-free would be
suboptimal anyway.
Cheers,
Stefan