
Gaim-Encryption plugin violates Gaim's license

(cc'ing debian-devel to discourage people from ITPing this, or filing more
wishlist bugs on Gaim for me to include it, cc'ing Gentoo's maintainer
for the Gaim emerge because they include Gaim-Encryption, cc'ing
gaim-devel so everyone there knows, cc'ing fedora-devel because they
currently ship the plugin, and cc'ing the author of the plugin itself)

As a preamble if I just gatecrashed your mailbox or mailing list without
warning, I am the Debian package maintainer for Gaim, as well as a
frequent contributor to upstream development. I have just found out
today that the Gaim-Encryption plugin for Gaim, which can be found at
http://gaim-encryption.sourceforge.net/, makes use of the OpenSSL
library, and loads it into the same process space as Gaim.

Due to OpenSSL's four-clause BSD license (i.e. with the advertising clause),
it is therefore in violation of Gaim's GPL license because the OpenSSL
licence places an extra restriction beyond those allowable by the GPL.
The Debian project will not distribute code of this nature, especially
given that several Gaim developers (myself included) agree with the Debian
project's position on this, and this message constitutes us contacting
other distributors and the plugin author with this information.

The problem could be solved by the Gaim license being changed to include a
specific exception for OpenSSL, but even if we wanted to do it, it would
be practically impossible due to the innumerable contributors that Gaim
has had over time, all of whom would have to be contacted and consent to
a licensing change. This is the same reason that OpenSSL can't remove the
obnoxious 4th clause even if they wanted to.

Other possible ways to resolve this problem are to make Gaim-Encryption
use a GPL-compatible library such as GNUTLS, which Gaim plans to use for
secure Jabber connections at some point in the future when it compiles
on more non-GNU platforms, or to split the OpenSSL-linked code into a
helper process which communicates with Gaim via a pipe or socket (in
GLib, g_spawn_async_with_pipes will do this nicely, with one process per
encrypted session for example) and is licensed under the LGPL or GPL with
a specific exception for OpenSSL. The latter solution is used by Konqueror
without problems.

Incorrect ways to deal with this are to ignore the problem or argue about
it endlessly on mailing lists. For more information, see countless legal
wrangling threads on mailing lists like debian-legal. One good example is:
Take good note of the part that says it's easier to solve this in code
than by discussion.

For misinformation, read the OpenSSL FAQ which claims that OpenSSL is
shipped with most operating systems and therefore falls under the GPL's
exception for OS components. I interpret this to mean the kernel and
shell, and libraries in between, and because it is specifically named in
the GPL text, the compiler. It is certainly very easy to install Debian
or any other distro without OpenSSL being present. The same is also
doubtlessly true for any number of non-Linux platforms, not least Windows,
where both Gaim and Gaim-Encryption are available in binary form, and
OpenSSL is certainly not part of the OS!

