
Re: OpenSSL 3.0 - Apache 2.0 vs GPL 2 (Re: Bug#995636: transition: openssl)



On Tue, 2021-10-05 at 21:04 +0200, Sebastian Andrzej Siewior wrote:
> On 2021-10-05 20:03:49 [+0200], Michael Biebl wrote:
> > Hi Kurt, hi Luca, hi everyone,
> Hi Michael,
> 
> > That said, I'm not a lawyer and reading license texts hurts my brain.
> > So my goal is mainly to raise awareness of this issue and seek input from
> > the community.
> 
> GPL code which linked against OpenSSL usually has a "gpl-exception
> clause for OpenSSL". This should be still accepted since it refers
> specifically to OpenSSL.

Many projects do not have that. Also to be extremely pedantic it needs
to be checked if it just references OpenSSL as a project, or
specifically the OpenSSL license which is a specific and well defined
document: https://spdx.org/licenses/OpenSSL.html AFAIK there's no
"standard" clause, everyone uses their own wording, more or less.

More importantly, as far as I understand and I was told recently these
are not transitive - ie, it's fine for an executable, but if it
concerns a library, it does not "transfer" to external programs linking
to that library.

> Additionally OpenSSL is considered a system library, see
>   https://bugs.debian.org/951780
>   https://bugs.debian.org/972181

Even if that interpretation holds, and it's not a universal
interpretation (eg: lawyers from Canonical strongly disagree as far as
I know), again that applies to first-party binaries only as far as I
understand. It's not as clear-cut with libraries used by third parties.

The core issue as always is uncertainty: any time there are doubts and
conflicting interpretations, we all lose, especially our users, and
especially those that are then forced to have awkward conversations
with their corporate lawyers. Which is why it's really unfortunate that,
in order to fix compatibility issues with the GPL, among all the
permissive licenses available out there, the OpenSSL project picked the
_one_ that has serious compatibility questions with the GPL :-(

But of course this doesn't mean we shouldn't move to the new version,
quite the contrary - I'll simply be careful about the projects I am
involved in and what it means for them and their license clarity, and
what I can do to make it better, if anything.

-- 
Kind regards,
Luca Boccassi
