(cc'ing debian-devel to discourage people from ITPing this, or filing more wishlist bugs on Gaim for me to include it, cc'ing Gentoo's maintainer for the Gaim emerge because they include Gaim-Encryption, cc'ing gaim-devel so everyone there knows, cc'ing fedora-devel because they currently ship the plugin, and cc'ing the author of the plugin itself)

As a preamble if I just gatecrashed your mailbox or mailing list without warning, I am the Debian package maintainer for Gaim, as well as a frequent contributor to upstream development.

I have just found out today that the Gaim-Encryption plugin for Gaim, which can be found at http://gaim-encryption.sourceforge.net/, makes use of the OpenSSL library, and loads it into the same process space as Gaim. Due to OpenSSL's four-clause BSD license (i.e. with the advertising clause), it is therefore in violation of Gaim's GPL license because the OpenSSL licence places an extra restriction beyond those allowable by the GPL.

The Debian project will not distribute code of this nature, especially given that several Gaim developers (myself included) agree with the Debian project's position on this, and this message constitutes us contacting other distributors and the plugin author with this information.

The problem could be solved by the Gaim license being changed to include a specific exception for OpenSSL, but even if we wanted to do it, it would be practically impossible due to the innumerable contributors that Gaim has had over time, all of whom would have to be contacted and consent to a licensing change. This is the same reason that OpenSSL can't remove the obnoxious 4th clause even if they wanted to.

Other possible ways to resolve this problem are to make Gaim-Encryption use a GPL-compatible library such as GNUTLS, which Gaim plans to use for secure Jabber connections at some point in the future when it compiles on more non-GNU platforms, or to split the OpenSSL-linked code into a helper process which communicates with Gaim via a pipe or socket (in GLib, g_spawn_async_with_pipes will do this nicely, with one process per encrypted session for example) and is licensed under the LGPL or GPL with a specific exception for OpenSSL. The latter solution is used by Konqueror without problems.

Incorrect ways to deal with this are to ignore the problem or argue about it endlessly on mailing lists.

For more information, see countless legal wrangling threads on mailing lists like debian-legal. One good example is:

http://lists.debian.org/debian-legal/2002/debian-legal-200210/msg00113.html

Take good note of the part that says it's easier to solve this in code than by discussion.

For misinformation, read the OpenSSL FAQ which claims that OpenSSL is shipped with most operating systems and therefore falls under the GPL's exception for OS components. I interpret this to mean the kernel and shell, and libraries in between, and because it is specifically named in the GPL text, the compiler. It is certainly very easy to install Debian or any other distro without OpenSSL being present. The same is also doubtlessly true for any number of non-Linux platforms, not least Windows, where both Gaim and Gaim-Encryption are available in binary form, and OpenSSL is certainly not part of the OS!

Regards,
Rob