
OpenSSL 3.0 - Apache 2.0 vs GPL 2 (Re: Bug#995636: transition: openssl)



Hi Kurt, hi Luca, hi everyone,

regarding the impending transition to OpenSSL 3.0 in unstable (which is now licensed under Apache 2.0), I wonder what that means for Debian, given that apparently GPL-2 (and also LGPL-2) and Apache 2.0 are incompatible with each other.

If I read Luca correctly[1], any library or executable using GPL-2+ effectively becomes GPL-3+ once they link against OpenSSL 3.0. And especially for libraries, this would have a ripple effect through the whole distribution and cause issues e.g. for GPL-2 only packages.

Fwiw, I'm surprised that this also apparently affects LGPL-2.

That said, I'm not a lawyer and reading license texts hurts my brain.
So my goal is mainly to raise awareness of this issue and seek input from the community.

Regards,
Michael



On 03.10.21 at 14:59, Kurt Roeckx wrote:
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: transition

Hi,

We would like to transition to OpenSSL 3.0.0. It's currently in
experimental. It has an soname change, so the binary packages got
renamed and binNMUs will be required.

We did a rebuild of packages and currently have 105 packages
that FTBFS with OpenSSL 3.0.0 that build with 1.1.1. I've started
filing bugs for that:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=pkg-openssl-devel@lists.alioth.debian.org&tag=ftbfs-3.0


Kurt



[1] https://github.com/systemd/systemd/pull/20915
