Hi all, this "GnuTLS in Debian" thread triggered my switch of the src:cups package from linking against GnuTLS to now link against OpenSSL. CUPS is GPL-2 only with an OpenSSL exception. Today, Andreas rightly pointed to me that this induces a problem (for Debian) for all GPL-without-OpenSSL-exception programs linked against libcups2. As far as I understand our current stance on that problem, GPL-licensed programs without an OpenSSL exception are absolutely forbidden to link with it, even indirectly. Now, for the actual situation: I initially switched cups following my option 0) aka: 0) "move away from GnuTLS as its newer versions are incompatible with GPL-2, use OpenSSL as cups is allowed to be linked against it" … but I had overlooked the indirect linking problem. Now, as far as I understood the thread, there are suggestions floating around to stop caring about this incompatibility and just consider "as a project" that OpenSSL is a system library, but this decision hasn't been formally taken yet. So as far as CUPS is concerned, I see three ways forward: 1) revert the switch to OpenSSL and link against GnuTLS 2. This basically postpones the question to the moment when GnuTLS 2 is removed from Debian. As I understood the thread, GnuTLS 2 is likely to be removed from testing before the freeze, right? 2) switch to GnuTLS 3. This is not allowed because GnuTLS 3 is GPL-3 and CUPS is GPL-2 only. 3) report RC bugs against all packages linking against libcups2 which licenses don't allow indirect linking to OpenSSL (mostly GPL- -without-OpenSSL-exception) and hope that fixes can be found license- -wise. There are >= 38 packages build-depending on libcups2-dev and >= 120 packages depending on libcups2. Also, I am not aware of tools to detect this incompatibility automatically. I also doubt we'll be able to find solutions for all packages; yet libcups2 is quite important in desktop stacks. So there is apparently no good solution on the long-term if the need for OpenSSL exceptions isn't waived. For now, I'm leaning towards solution 1) to avoid willingly introducing dozens of RC bugs in testing when libcups2 enters testing (unless I create a "maintainer RC bug" blocked by all the 3)-created bugs). I would really welcome opinions and advices on this matter. Many thanks in advance, cheers, OdyX
Description: This is a digitally signed message part.