
Bug#110607: Security Issues due to OpenSSL/GPL License Issues


I was going to forward this on to debian-legal before but wasn't sure how to do it in a BTS friendly way. If anyone has anything particularly useful to say on the subject, please cc in 110607@bugs.debian.org

Refer to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=110607 for the history.

 - samj

Begin forwarded message:
On Sun, Nov 04, 2001 at 01:48:05AM +1100, Sam Johnston wrote:

> netatalk's lack of crypto support due to the obnoxious openssl license
> is most annoying.

I agree.

> what is possibly more annoying is that it is difficult
> to compile the debian package from source with ssl support.

What are the exact problems? Isn't it enough to remove --without-ssl-dir
from the configure flags in debian/rules? Nevertheless I will add a
simple variable to the rules, which, when set, will enable netatalk to
link against OpenSSL.

> according to the openssl faq, we would be able to include ssl support if
> openssl* was included in main.

What does debian-legal say about that?

> there is an ongoing discussion about this
> now and if the answer is 'yes crypto will be OK in woody' (last i heard
> was yes for crypto in main, but not necessarily in time for woody) then
> we should be able to churn out some netatalk packages with ssl support.

I hope so.

> alternatively we can have the netatalk people exempt linking against
> openssl, if they haven't already. *checks*. hmm... don't see any mention
> of the GPL in there... am I missing something? according to sourceforge,
> netatalk is covered by a BSD license.

It was decided by the Netatalk project that Netatalk is GPL'ed from
version 1.5pre8. This is mainly a concession to people who don't want to
contribute to Netatalk if their code is not protected by the GPL. It's
also necessary, since it's planned to include code from Samba, which is
under the GPL, too. The latter also makes it impossible to add an
exception clause to the license, since the Samba team as well as any
contributor had to agree to that clause. In the case of the Samba team
that's unlikely.

But I currently work on separating out the parts that require SSL so
that these parts can be put into a separate package, which does only
contain non-GPL'ed parts.

 - Sebastian
