[Bartosz Fenski] > Seems that part of developers think that indirect linking with > OpenSSL is ok, and part think it's not. Yeah. Well. Stand back and look at why this 'linking' thing matters in the first place. The point is to determine whether one work is a "derivative" of another work. If it is not, copyright law doesn't let the author of the second work have any influence on the licensing of the first. If you link to libldap2 or libcurl3 but your program would work just as well whether or not those libraries have openssl support, it's really hard to argue that *you* are deriving your code from Eric Young or the OpenSSL project. Or vice versa. You wrote your code to call LDAP functions, or web downloading functions, you didn't care then and don't care now how those functions work. Didn't care then and don't care now whether they can utilize https:// or ldaps:// at runtime. The functions themselves were licensed to you in a manner you could use. The whole "linking is deriving" thing is shaky for other reasons too. For instance, it's pretty widely known or believed that mere interfaces can't be copyrighted. And when you get right down to it, when your program uses a library, it's really just using the published interface. But that's an argument for another day, and probably another list. > What is an official statement? There is none. Debian generally errs very conservatively with regard to license violations, though, because of the Tentacles of Evil principle. That is: if we ship some software and the authors don't mind how we're doing it but we're technically in violation of some license provision - and later one of the authors is bought out by some Big Evil Corporation - then the B.E.C. can cause a lot of trouble for Debian and our users. This is a situation Debian tries very hard to avoid.
Description: Digital signature