
Re: GnuTLS in Debian



On Mon, Dec 23, 2013 at 12:50:36PM -0800, Russ Allbery wrote:
> Steve Langasek <vorlon@debian.org> writes:

> > I think you've managed to invert my point here, actually, which was that
> > when someone licenses their work under *the GPL*, we should respect
> > their wishes - even though it would make our lives a lot easier to be
> > able to ship binaries linked against OpenSSL.

> Which means that we should go ahead and link with OpenSSL code from
> upstreams whose software is released under the GPL and who have declined
> to add an exception clause because they think our request for an exception
> clause is idiotic and they refuse to play along with what they consider to
> be ridiculous legal interpretations?

Sure, as far as I'm concerned that's a license clarification in itself.  If
the upstream actually has the legal authority to make such a determination
for all the copyright holders, then by all means, let's take that license
exception, whether or not they think it's ridiculous for us to call it a
license exception. ;-)

But in the case where there are multiple copyright holders, I don't think
it's reasonable to do this just on the basis that the current upstream
maintainer thinks it's an issue beneath their notice - there *are* people
who consider this a real issue, and don't want their GPL works bundled with
OpenSSL in a manner contrary to the license.

> I know at least one such upstream and I suspect there are lots more.
> There's a lot of software written under the GPL that explicitly and
> intentionally supports being linked with OpenSSL, and I have a hard time
> believing we're doing something somehow more ethical by declining to do
> so.

The letter of the license says that such works can be distributed in source
form and linked locally against whatever the user wants to link against; and
they can be distributed as stand-alone binaries that (in the GPLv2 case)
link against arbitrary system libraries.  But the license also says that an
OS vendor can NOT link against system libraries with incompatible licenses
if the binary is bundled with the OS.

The wording in GPLv2 is /confusing/ because of the nested exceptions
involved, but it's not ambiguous.  While there are many upstreams of GPL
software written to link with OpenSSL who would be happy for us to bundle
binary builds of their software in Debian, it is not possible to infer this
for *all* such upstream works.

The FSF is one such copyright holder for which we should not infer this to
be true; they had the opportunity to relax this requirement in the drafting
of GPLv3, and explicitly did not.  In fact, the system library exception is
now defined even more narrowly than for GPLv2, so that it now covers only
language runtime libraries.  I think this was a poor choice on the FSF's
part, but it's the choice they made, and we should honor it.

> Incidentally, one of the problem packages, Git, also has the same problem
> with relicensing: there are lots of copyright holders, and therefore no
> easy mechanism to add a license exception.

I think if we make a good-faith effort to contact all the copyright holders,
have gotten the assent of all the major copyright holders, and have not
gotten any NACKs, then we're meeting our ethical obligation and can in good
conscience regard it as ok to build it into binaries linked against OpenSSL.
I think this is ok because as you rightly point out, there are a lot of
people who think this is a silly thing for us to worry about.  But I think
it's also not ok to distribute such binaries *without* asking, because there
is a non-negligible group who doesn't consider it silly.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
