
Re: GnuTLS in Debian



Clint Byrum <spamaps@debian.org> writes:

> An author is not the only party to text. There are also those who have
> received this license, and adhered to it for the sake of the author and
> the copyright holders who have also adhered to it.

> So, it is rather disrespectful and could cause harm to those who have
> worked within the confines of the text to at some point ignore the text.
> I'm not suggesting it _will_ cause harm, but it may. In fact, RedHat has
> harmed Debian and enriched themselves by ignoring it.

This strikes me as equivalent to a long-distance runner who insists on
running barefoot due to an idiosyncratic understanding of the rules of the
race that isn't shared by anyone else, including the judges, and then gets
upset at the other runners for winning while wearing shoes.  (Analogy
intentionally chosen because it is possible to compete and win in
long-distance races barefoot, but most runners don't.)

Red Hat is not responsible for our license interpretations.  If the rest
of the world doesn't care, standing by our interpretation looks less like
ethics and more like masochism.

> So Debian is now in an odd position. If it were to reverse position,
> those users who have been diligently adhering to the license and
> expending resources would be at a disadvantage to new users who won't
> have to deal with that.

Those users who have been diligently adhering to the license may well be
doing things they don't have to do, and discovering that they don't have
to do a bunch of work that they've been doing should be a cause for
*relief*, not anger.

Please, let's not get so invested in what we've done previously that we
distort our thinking so far as to think that good news is actually bad
news.

> If the original authors would like to clarify their position (oh god
> please OpenSSL change your license!), then this conflict of interest
> would go away. But I suspect this has been argued to them before.

There is no way to change the OpenSSL license.  The project doesn't use
copyright assignment and the number of contributors is far too large to be
able to track them all down and get their permission.

> Is it inconvenient? Absolutely. Should we change it? Well, last I
> checked we do take votes on major issues.

There are two angles to this question.  One is whether we really do run a
legal risk, which is something that should be answered by lawyers, and is
not something on which we should vote.  If it's not legally advisable to
combine the code, that's the end of the matter as far as I'm concerned,
but I think we should ask a real lawyer and not rely on careful parsing of
the licenses in question.  As Faidon pointed out, doing that often
produces incorrect results in real-world legal systems.

If a lawyer tells us we're being overly cautious, then the other angle is
whether we want to continue to be unnecessarily cautious out of a sense of
ethics, or just because we want to keep doing what we've always done and
don't like change for some reason.  If we get to that point, by all means,
let's have a GR.  I will be stunned if the project decides to insist on
not using OpenSSL given legal advice that it's not a legal concern.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

