Re: GnuTLS in Debian

To: debian-devel@lists.debian.org
Subject: Re: GnuTLS in Debian
From: Clint Adams <clint@debian.org>
Date: Mon, 23 Dec 2013 22:43:54 +0000
Message-id: <20131223224354.GA9871@scru.org>
Mail-followup-to: Clint Adams <clint@debian.org>, debian-devel@lists.debian.org
In-reply-to: <87a9fr5l3f.fsf@windlord.stanford.edu> <CANBHLUgmSLOX8xWZy8c0sovHQsX=e-4fdtvWm_wK76fYmL7E3g@mail.gmail.com> <87eh535m1v.fsf@windlord.stanford.edu> <20131223202411.GA10229@virgil.dodds.net>

On Mon, Dec 23, 2013 at 12:24:11PM -0800, Steve Langasek wrote:
> Which crypto library has a non-awful API?

Many of the native Haskell crypto libraries do.  I am aware
that that is a somewhat unhelpful answer.

> I think you've managed to invert my point here, actually, which was that
> when someone licenses their work under *the GPL*, we should respect their
> wishes - even though it would make our lives a lot easier to be able to ship
> binaries linked against OpenSSL.

There are two roles a free software license plays.  One is the actual
copyright license under a legal regime that legitimizes extortion and
coercion based on artificial scarcity, occasionally used as a weapon
in disputes inside and outside of courtrooms.  The other is that of
a social contract between the developers and the amorphous and nebulous
free software community.

One of these is important, and one we violate all the time.  Debian is
violating the letter of the GPL constantly, and the GPL is something
that people sue over.  I would bet that nobody would sue over BSD
violations, but I would also have bet that nobody would sue over
the Artistic License, and that's happened.  I'm sure we're violating
permissive licenses too, regardless of legal risk.

When I release something under the GPL I'm not promising to sue you
if you don't distribute your modifications clearly marked and dated.
I'm indicating my intention that all derivative works must be GPL'd.

On Mon, Dec 23, 2013 at 12:50:36PM -0800, Russ Allbery wrote:
> Incidentally, one of the problem packages, Git, also has the same problem
> with relicensing: there are lots of copyright holders, and therefore no
> easy mechanism to add a license exception.

I believe Git has at least one copyright holder who is a pigheaded
contrarian or the license could be fixed to have an "or later".

On Mon, Dec 23, 2013 at 08:58:36PM +0000, Dimitri John Ledkov wrote:
> While I'd want to agree, on the other side we have FSF with the GNU
> Project that purposely restrict license terms, resulting in in
> GPLv2-only software not able to use any recent crypto library.

GPLv2-only folks should be made to see how their antisocial
behavior is harming everyone.  I think this is a delightful
situation for them to be in.

Plenty of other licenses have an "or later" baked in and nobody
whines about this at all.  I've heard plenty of people fear that
horrible things will happen with Creative Commons leadership,
yet no one is trying to redline "later" from CC-BY-SA.

But since the GPL allows it, people think it's somehow reasonable
to be v2-only.  It is not.  It has led to all manner of problems,
and for what?  People enjoying Tivoization?  Those people should
be punched in the face.  Fear of the FSF making a GPLv4 that's
the text of Apache 2.0?  Oh no, the sky is falling.

> To me it looks like FSF/GNU project are acting against the spirit of
> the free software here. Explicitly what they promise not to do with
> their copyright assignment. This is not the first time this happened
> as well. With the move to GPLv3, Apple has seized upstream gcc
> development and instead works on llvm/clang. Which imho is a technical
> loss for the project. And I can't recall the tls/CUPS issue at the
> moment.

I would say that the effort evil scumbags like Apple are putting in
to undermine GPLv3 is a pretty strong sign that everyone should be
switching to "v3 or later".

> On these grounds I have not signed FSF copyright assignment. What's
> the point, if further down the line, my software will not be available
> to be used by a wide opensource community as possible, or be limited
> in some way.

If you don't believe in the ideals of the free software movement,
then why aren't you licensing what you write under Expat or ISC?
There's a reason copyleft has restrictions.  As for copyright agreements,
I am hardly going to say that anyone should ever sign one, but
the FSF has the only good ones.

> I hope that everyone agrees that OpenSSL advertisement clause has very
> little publicity, monetary, or otherwise benefit these days. And I
> presume FSF/GNU would also see it as such. When GPLv3/AGPLv3 were in
> the process of being drafted, the drafter were well aware that linking
> with OpenSSL has not been resolved, on blanket or on opt-out basis.
> E.g. I pretty sure the world would not collapse if a new revision of
> GPLv3.x license terms have "This product includes software developed
> by the OpenSSL Project for use in the OpenSSL Toolkit.
> (http://www.openssl.org/)" unless otherwise stated and have the
> appropriate OpenSSL licensing exception. And it would truly become a
> relief.

All advertisement and attribution clauses should be banned from
this planet.  They're conceptually awful and we rarely comply
with them anyway.  OpenSSL is awful.  We should not cater to it.
OpenSSL should change its license to something friendlier.
I don't know what would motivate them sufficiently to do so.

> In the spirit, of open source, and specifically in support of
> (AL)GPLv2 software, FSF/GNU are positioned to make (AL)GPLv3 software
> backwards compatible, enough to link against. Such that, e.g.

That completely nullifies the improvements in v3.  If you make
v3 downgradeable to v2 then you could legally tivoize my GPLv3+
library.  I don't want you to tivoize my GPLv3+ library.  If you
tivoize my GPLv3+ library, you are ignoble.

> Designing v3 license terms, to be incompatible with v2, looks to me as
> an "embrace, extend and extinguish" tactic, except it seems to
> targeted at the open source software movement itself, that the FSF
> helped to establish.

No, the FSF helped to establish the Free Software movement.  The
Open Source movement is a bunch of people who don't understand
why Free Software is important.  Open Source folks want to
"embrace, extend and extinguish" the Free Software movement
whether they know it or not, hence your implication that they
are the same thing.

> "License Must Not Be Specific to Debian" or, imho, any specific
> projects, because well it's in-feasible and is causing real problems
> for distributions. Maybe it is finally time to fix GPL?!

Well, there's always https://gitorious.org/copyleft-next I guess.

Reply to:

Follow-Ups:
- Re: GnuTLS in Debian
  - From: David Weinehall <tao@debian.org>

References:
- Re: GnuTLS in Debian
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Re: GnuTLS in Debian
Next by Date: Bug#733010: ITP: ruby-docile -- Docile keeps your Ruby DSLs tame and well-behaved
Previous by thread: Re: GnuTLS in Debian
Next by thread: Re: GnuTLS in Debian
Index(es):
- Date
- Thread