
Re: Interest in packaging GNU Shishi and GNU Generic Security Service?

Russ Allbery <rra@stanford.edu> writes:

> Simon Josefsson <jas@extundo.com> writes:
>> Steve Langasek <vorlon@debian.org> writes:
>>> I notice from
>>> <http://josefsson.org/cgi-bin/viewcvs.cgi/shishi/README?rev=1.30&view=markup>
>>> that this lib is distributed under the terms of the GPL only, so I have
>>> my doubts that it's particularly useful for Debian to adopt it.  Is
>>> there any particular reason that GNU shishi is not made available under
>>> the LGPL?
>> Some reasons are given in [1].  I don't quite follow.  Is there a
>> problem with GPL'd software in Debian?
> The problem is that you're drastically limiting what other software can
> use the library.  For example, there would be no way that Debian could
> link Cyrus SASL with shishi, because Cyrus SASL is used by a wide variety
> of other packages including some that are not GPL-compatible.  No package
> that uses shishi could also use OpenSSL.  No package that uses shishi
> could, as I understand it, use it as part of an Apache module.  There are
> lots of other, similar cases.

I see, right.  I note that a similar problem already exists, because
Heimdal links with OpenSSL.  So it appears that code licensed under
GPL could not link with Heimdal.  (An rdepend suggests e.g. lsh-server
contains GPL code that links with OpenSSL through Heimdal.)

> As a result, shishi is going to basically be a curiosity, not a serious
> Kerberos alternative for Debian.  Given the difficulty involved in
> building multiple versions of packages to allow a choice of Kerberos
> implementations (if you look through Debian, you'll find that the ability
> to use Heimdal or MIT Kerberos exclusively is already rather spotty and
> some significant packages are only really maintained with one or the
> other), the addition of licensing problems means that there's basically no
> motivation for anyone to try to use shishi.

One motivation would be to get the unique features that Shishi has
that the other Kerberos implementation has.  E.g., non-ASCII support,
X.509/OpenPGP authentication through GnuTLS.

> Most of the motivations for making a library GPL rather than LGPL do not
> apply to shishi, since no one is going to free their software just to be
> able to use shishi.  They're going to shrug and just use MIT Kerberos or
> some other implementation with a permissive license instead.

You have a point, and I'll consider switching to LGPL for the core
library.  Perhaps a model like the one for GnuTLS is appropriate,
where the unique features have been separated into a GPL'd library.

