Re: OpenSSL 3.0 - Apache 2.0 vs GPL 2 (Re: Bug#995636: transition: openssl)
- To: Paul Wise <pabs@debian.org>
- Cc: Luca Boccassi <bluca@debian.org>, Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, Michael Biebl <biebl@debian.org>, 995636@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>, Debian Development <debian-devel@lists.debian.org>
- Subject: Re: OpenSSL 3.0 - Apache 2.0 vs GPL 2 (Re: Bug#995636: transition: openssl)
- From: Ansgar <ansgar@debian.org>
- Date: Wed, 06 Oct 2021 22:17:35 +0200
- Message-id: <[🔎] 87fstdhpr4.fsf@43-1.org>
- Mail-followup-to: Paul Wise <pabs@debian.org>, Luca Boccassi <bluca@debian.org>, Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, Michael Biebl <biebl@debian.org>, 995636@bugs.debian.org, Kurt Roeckx <kurt@roeckx.be>, Debian Development <debian-devel@lists.debian.org>
- In-reply-to: <[🔎] CAKTje6EiWdxBAFEL5xbNBOph-3NUUL9wq6nhzTQm6W05Yk7yZA@mail.gmail.com> (Paul Wise's message of "Wed, 6 Oct 2021 15:08:32 +0000")
- References: <YVmpM0q3pFiqVmZ6@roeckx.be> <[🔎] df1ffbc8-d5ff-3260-3140-70e16dfda1b8@debian.org> <[🔎] 20211005190416.w62uaemol7ocooxg@flow> <[🔎] 50142ab04201ce047ab807916f5bb2dbc664b362.camel@debian.org> <[🔎] CAKTje6EiWdxBAFEL5xbNBOph-3NUUL9wq6nhzTQm6W05Yk7yZA@mail.gmail.com>
Paul Wise writes:
> On Wed, Oct 6, 2021 at 11:30 AM Luca Boccassi wrote:
>> On Tue, 2021-10-05 at 21:04 +0200, Sebastian Andrzej Siewior wrote:
>> > Additionally OpenSSL is considered system library, see
>> > https://bugs.debian.org/951780
>> > https://bugs.debian.org/972181
>>
>> Even if that interpretation holds, and it's not a universal
>> interpretation (eg: lawyers from Canonical strongly disagree as far as
>> I know), again that applies to first-party binaries only as far as I
>> understand. It's not as clear-cut with libraries used by third parties.
I believe Canonical also ships GPL-2-only programs linked (possibly
indirectly) to OpenSSL as part of their Linux distribution these days.
> As I understand it, it is meant only for binaries distributed by
> parties other than the one distributing the system containing the
> "system library". So third-party app distributors are fine to ignore
> the incompatibility between a GPL app and a proprietary libc, but the
> OS vendor can't include GPL apps linked to that proprietary libc
> within their system.
Debian uses many GPL-2-incompatible system libraries: for example
GPL-3-or-later libraries such as libstdc++ or libgcc or gnutls[1].
Debian also ships many GPL-2-only programs using these.
So if this was considered a problem, then the problem would be quite
large.
[1]: gnutls could be made LGPL-2.1-or-later by rewriting the
GPL-3-or-later build scripts; note that GPL-2 states that "complete
source code" includes "scripts used to control compilation and
installation of the executable"
> I believe OpenSSL 3's choice of the Apache 2 license only improves
> compatibility, it doesn't reduce it. GPLv3 is supposedly compatible
> with Apache 2, so GPLv3 and GPLv2+ programs are newly compatible with
> OpenSSL 3. Most existing GPLv2-only programs that use OpenSSL will
> have the exception anyway.
This depends on what you mean by "use OpenSSL": if program use OpenSSL
directly, maybe; if programs link to OpenSSL indirectly, for example via
dependency chains such as my-program -> some-library ->
some-library-implementing-some-network-protocol -> OpenSSL this becomes
increasingly unlikely the longer the chain is. Also people seem to keep
adding TLS support to more and more libraries, so such a dependency can
just silently appear later.
Python programs using OpenSSL also usually don't have such an exception.
🐾,
Ansgar
Reply to: