
Re: GnuTLS in Debian



Excerpts from Russ Allbery's message of 2013-12-23 10:54:49 -0800:
> Clint Byrum <spamaps@debian.org> writes:
> 
> > An author is not the only party to text. There are also those who have
> > received this license, and adhered to it for the sake of the author and
> > the copyright holders who have also adhered to it.
> 
> > So, it is rather disrespectful and could cause harm to those who have
> > worked within the confines of the text to at some point ignore the text.
> > I'm not suggesting it _will_ cause harm, but it may. In fact, RedHat has
> > harmed Debian and enriched themselves by ignoring it.
> 
> This strikes me as equivalent to a long-distance runner who insists on
> running barefoot due to an idiosyncratic understanding of the rules of the
> race that isn't shared by anyone else, including the judges, and then gets
> upset at the other runners for winning while wearing shoes.  (Analogy
> intentionally chosen because it is possible to compete and win in
> long-distance races barefoot, but most runners don't.)
> 

This is a really confusing analogy. The runners are the end users of the
free software in question, and the GPL is the rules of the race? What is
the OpenSSL license then? How are these runners forced to resolve
ambiguous licenses exactly?

I'm not sure that analogy made things more clear for me anyway.

> Red Hat is not responsible for our license interpretations.  If the rest
> of the world doesn't care, standing by our interpretation looks less like
> ethics and more like masochism.
>

Adhering to a strict code of ethics is often fairly painful. If the GPL
licensors do not care, then they should be happy to grant an OpenSSL
exception. If the OpenSSL licensors do not care, then they should be
happy to strike the incompatible requirement from the license. And if we
do not care, then we should amend the social contract.

> > So Debian is now in an odd position. If it were to reverse position,
> > those users who have been diligently adhering to the license and
> > expending resources would be at a disadvantage to new users who won't
> > have to deal with that.
> 
> Those users who have been diligently adhering to the license may well be
> doing things they don't have to do, and discovering that they don't have
> to do a bunch of work that they've been doing should be a cause for
> *relief*, not anger.
>

It would be a relief, definitely. If it were actually clearly
discovered. Thus far, it has not been "discovered", it is only expressed
as opinions.

> Please, let's not get so invested in what we've done previously that we
> distort our thinking so far as to think that good news is actually bad
> news.
> 

If there's good news, praise the flying spaghetti monster! But I'm not
sure "the opinions of the Debian developers overrode the wishes of the
GPL authors" is "good news". More like "interesting news".

> > If the original authors would like to clarify their position (oh god
> > please OpenSSL change your license!), then this conflict of interest
> > would go away. But I suspect this has been argued to them before.
> 
> There is no way to change the OpenSSL license.  The project doesn't use
> copyright assignment and the number of contributors is far too large to be
> able to track them all down and get their permission.
>

I have heard that before, and it is unfortunate, as it would certainly
be a nice simple solution if OpenSSL just switched to a known license
such as BSD/MIT/Apache2/LGPL.

> > Is it inconvenient? Absolutely. Should we change it? Well, last I
> > checked we do take votes on major issues.
> 
> There are two angles to this question.  One is whether we really do run a
> legal risk, which is something that should be answered by lawyers, and is
> not something on which we should vote.  If it's not legally advisable to
> combine the code, that's the end of the matter as far as I'm concerned,
> but I think we should ask a real lawyer and not rely on careful parsing of
> the licenses in question.  As Faidon pointed out, doing that often
> produces incorrect results in real-world legal systems.
>

I agree with your opinions in the paragraph above entirely.

> If a lawyer tells us we're being overly cautious, then the other angle is
> whether we want to continue to be unnecessarily cautious out of a sense of
> ethics, or just because we want to keep doing what we've always done and
> don't like change for some reason.  If we get to that point, by all means,
> let's have a GR.  I will be stunned if the project decides to insist on
> not using OpenSSL given legal advice that it's not a legal concern.
>

I think you've missed that we're not trying to cover our butts. We're
trying to uphold the licenses in the spirit of the licenses. Thus far,
we've interpreted "system library" not to apply to OpenSSL. That is the
section that, if a lawyer said "probability of problems is near to 0",
we could consider revisiting.

