IMPORTANT: OpenSSL (and associated libraries) appears incompatible with GPL applications


Today, Branden Robinson, Steven Gore, and Oliver Bolzer were discussing
the licence issues of a package that Oliver wished to package. However,
upon reading the licence of openssl (which the program, GPL'd, links against.)

Branden Robinson is Overfiend
Steven Gore is sgore
Oliver Bolzer is OliB
I am woot.

We are all too tired, or rushing off somewhere, so I agreed to post this
(edited for clarity, full transcript available on request) log.

20:04:44 <OliB> I got this nice GPL program that uses OpenSSL, which is BSD w/ advertising, this is not OK?
20:05:03 <Overfiend> OliB: it is not OK
20:05:22 <Overfiend> OliB: clause 3 of the 4-clause BSD license in incompatible with the GPL, because it is an "extra restriction"
20:05:33 <Overfiend> s/in in/is in/
20:06:09 <OliB> overfiend: dynamic linking also ?
20:06:24 <Overfiend> OliB: the FSF regards dynamic linking as creating a derivative work.
20:06:41 <Overfiend> OliB: in general, people don't argue with them about that.
20:07:00 <sgore> OliB: I'm confused.. are you saying that the app is BSD w/advertising, or that openssl is BSD w/advertising?
20:07:00 <Overfiend> OliB: who is the copyright holder on OpenSSL?
20:07:21 <Overfiend> sgore: good point
20:07:21 <sgore> openssl is in non-us/main
20:07:35 <Overfiend> sgore: 4-clause BSD is DFSG-free.  Just not GPL-compatible.
20:07:56 <sgore> ah
20:07:56 <Overfiend> warning, acronym overload
20:07:56 <OliB> sgore: the app is GPL and currently statically linking OpenSSL
20:07:59 <Overfiend> what is the license on OpenSSL?
20:08:09 <Overfiend> I see it
20:08:10 <Overfiend> nm
20:08:49 <Overfiend>  * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
20:08:49 <Overfiend> gack
20:08:49 <Overfiend> this is not a BSD license
20:08:49 <Overfiend> it's derived from one, though
20:09:02 <Overfiend> I think this license may have problems.
20:09:07 <Overfiend> This way sucks.  OpenSSL is important.
20:09:07 <OliB> overfiend: i interpreted it as BSD-style
20:09:16 <sgore> looks confused to me
20:09:18 <Overfiend> OliB: it is, but the devil is in the details, not the style
20:10:01 <Overfiend> clauses 4 and 5 are additions that do not appear in any actual BSD license
20:10:06 <OliB> overfiend: on a quick apt-cache showpkg libssl09, there seem to be GPL programs depending on it
20:10:08 <Overfiend> even with the proper nouns replaced
20:10:24 <sgore> OliB: many do
20:10:38 <Overfiend> OliB: this could be a problem.  The GPL says that the "entire work" must be distributable under the terms of the GPL.
20:10:46 <Overfiend> This would appear not to be the case.
20:10:53 <sgore> OliB: openssl (as Overfiend said) is *important*
20:10:55 <Overfiend> It is the inverse of the Qt problem.
20:11:35 <Overfiend> Clause 3 is not enforceable in the United States, according to lawyers for the University of California.
20:11:48 <Overfiend> (so I have heard -- I remain frustrated in my efforts to find a citation for that opinion)
20:12:13 <sgore> clause 4 seems almost non-free
20:12:17 <Overfiend> yes
20:12:33 <Overfiend> sgore: technically, RMS doesn't care if people use trademark law for that sort of thing
20:12:38 <Overfiend> he regards it as orthogonal
20:12:47 <Overfiend> but these are clearly conditions of the copyright license
20:12:53 <Overfiend> not a separate trademark license
20:12:53 <sgore> We can't even say "Debian 2.2 includes OpenSSL" without prior permission.
20:13:18 <Overfiend> I think is a problem.
20:13:27 <Overfiend> I'm trying to think of ways it isn't, and I'm not coming up with any.
20:13:41 <Overfiend> s/is a problem/this is a problem/
20:14:02 <sgore> this needs to go to legal
20:16:57 <Overfiend> OliB: you have my permission to post everything I've said in this channel since "<OliB> I got this nice GPL program that uses OpenSSL, which is BSD w/ advertising, this is not OK?"; please post to -legal
20:17:27 <OliB> overfiend: i have posted to -legal about my specific case but no answer after 2 weeks
20:17:40 <Overfiend> OliB: hopefully sgore will do the same; post our conversation, MIME-attach /usr/doc/openssl/copyright
20:18:07 <Overfiend> OliB: put "IMPORTANT:" in the subject line
20:18:22 <Overfiend> openssl is rapidly becoming fundamental
20:18:34 <Overfiend> we need to get this straightened out ASAP
20:22:39 <Overfiend> OliB: clauses 3, 4, and 5 are GPL incompatible
20:22:39 <sgore> I thought the ftp admins were supposed to check licences of new packages.  I thought that's one of the reason new packages had to be vetted by hand.
20:22:44 <Overfiend> OliB: clauses 1, 2, and 6 are perfectly all right (they comprise the "new" 3-clause BSD license)
20:22:51 <Overfiend> well, shit
20:23:06 <woot> Subject: IMPORTANT: OpenSSL (and associated libraries) appear to restrict further use of different licences
20:23:09 <woot> ?
20:23:47 <Overfiend> look at Eric Young's original copyright
20:23:47 <Overfiend> this is very blatant
20:23:47 <Overfiend>  * The licence and distribution terms for any publically available version or
20:23:47 <Overfiend>  * derivative of this code cannot be changed.  i.e. this code cannot simply be
20:23:47 <Overfiend>  * copied and put under another distribution licence
20:23:47 <Overfiend>  * [including the GNU Public Licence.]
20:23:47 <Overfiend> Bah, Eric Young appears to have used the old 4-clause BSD license as a deliberate act of sabotage against GPL'ed apps using this library


  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
  the OpenSSL License and the original SSLeay license apply to the toolkit.
  See below for the actual license texts. Actually both licenses are BSD-style
  Open Source licenses. In case of any license issues related to OpenSSL
  please contact openssl-core@openssl.org.

  OpenSSL License

/* ====================================================================
 * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"




Edward C. Lang   woot on various channels on irc.openprojects.net
edlang@pcug.org.au - Normal mail. Most stuff ends up here anyway.
edlang@debian.org  - Debian mail. Finger this address for keys.
woot@zork.net edlang@manuka.net - Other email addresses.    TINC.

