[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: openssl and GPL

On Sun, 2002-04-21 at 19:44, Brian May wrote:
> However, I am a bit puzzled; does that mean:
> - It is OK to distribute these programs if they are seperate from
> Debian?
> - It is OK to distribute a close source package that uses GPL packages
> from Debian?

No to both, but see below.

> My feeling is that these limitations aren't on the source code, but
> the binary code. If it was only the source code, then the binary code
> wouldn't matter.
> So you can link X (GPL) against Y (BSD), but if the binary of Y is
> changed (maybe without prior notice) to link against, say openssl, then
> suddenly the original linkage breaks the GPL. Even though the original
> program (X) has not changed, and has not even been recompiled.

Linking is never a problem.  You can link X (GPL) against Y (Microsoft
EULA) if you like (and the MS EULA allows it).  The problems arise when
distributing the result.

If we're distributing Debian with X (GPL) linked with Y (new BSD) linked
with OpenSSL, then we're not in compliance with X's license, since you
cannot use X without the presence of GPL-incompatible code.  It doesn't
matter when any of that was linked.

If someone is distributing just X separately from Debian and relying on
Debian to provide Y, and Y on Debian happens to link with OpenSSL (but
can be built without it), then it would seem that everyone is OK, both
Debian and the third party - at least, until someone gets the bright
idea of distributing the pieces together.

> Come to think of it, can the GPL really say "It is Ok to distribute
> package X, but not if the version of Y supplied is linked into openssl"?

Sure it can.  Why not?

> What if several compiled versions of Y have been made available, and
> only one of these uses openssl? (lets assume that these different
> versions can be used without recompiling, and that somehow the Depends
> field allows this).

I would expect that this would be OK as long as the "default" Y doesn't
link with OpenSSL.  I'm not totally sure of that, though.

> The way I see Debians intepretation of the GPL is that it is based on
> the perspective of the end-user.

I'm not sure this is true.  As I see it, we interpret the GPL by asking 
what people distributing Debian are allowed to do.  (Including us, of

Since the GPL is a distribution license, not a use license, questions
about the end user aren't really relevant.  End users are explicitly
allowed to do whatever they want under the GPL.

> What would happen if a "Priority: required" package required OpenSSL?
> Wouldn't this defeat the point of the restrictions set by the GPL? Since
> any users would have to install openssl anyway?

Mere aggregation is explicitly allowed in the GPL.  As long as the
required package has a compatible license to OpenSSL, there's no

The GPL doesn't apply to Debian as a whole.  Debian's goals are
described in the DFSG, and since OpenSSL is DFSG-compliant, requiring
OpenSSL doesn't conflict with our goals (at least in that respect).

To UNSUBSCRIBE, email to debian-legal-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: