
Re: Berkeley DB 6.0 license change to AGPLv3

Clint Byrum <spamaps@debian.org> writes:

> I do think AGPL complies with all of the clauses of the DFSG. There is
> very little difference between an AGPLv3-licensed library and a
> GPLv3-licensed library.

I agree from a licensing standpoint.

I think that, from a security standpoint, an AGPLv3 license on a library
puts any software that links with that library in an extremely awkward and
surprising security situation due to the prohibition on locally patching
security vulnerabilities without disclosure.  Personally, I would decline
to package any such software for Debian for that reason.  That's the sort
of surprise that I'm not interested in springing on my users.  Those kinds
of license terms are very awkward in an enterprise environment.

For example, I would consider such software undeployable at Stanford.
We're a very free-software-friendly place, but there's no way that I would
give up the right to patch security vulnerabilities whenever and however I
want without immediately disclosing the fix.  I have frequently deployed
escrowed security fixes on publicly-accessible test/dev systems for
testing purposes, and in fact consider my ability to do that a necessary
prerequisite for being able to properly support the Debian packaging.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
