[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)

On Wed, 2002-05-22 at 06:00, Mark Purcell wrote:
> On Wed, 22 May 2002 10:40, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> > Hi, Mark.  While I don't object to linking with OpenSSL in the manner it's
> > currently done with hpoj (to satistify a libsnmp dependency, where OpenSSL
> > doesn't actually have any linkages into the hpoj code), I'm concerned that
> > the suggested exception statement is overly broad, because it doesn't
> > sufficiently define exactly what "OpenSSL" is.
> I took that suggestion straight from the OpenSSL webpage.  I would be happy 
> for you to define OpenSSL as you see fit.  I guess you could say something 
> along the lines of 'as found at http://www.openssl.org' or give a specific 
> library version number and soname.  It's really up to HP, and you as their 
> agent, as the HPOJ copyright holder.

Unfortunately, the OpenSSL webpages and FAQs on the licensing question
say lots of things, some of which may be true.  I'm not familiar with
the exact text of the site (I've heard lots of different versions), but
at least some of their opinions on the licenses are not shared by the
Debian project.

If you are looking for a sample license statement that has been
considered to be good, you might want to look at the license that the
authors of CUPS are planning to use.  A copy can currently be found at
http://www.cups.org/new-license.html.  It has additional rights you
probably aren't interested in; the main salient points are that it
describes as exactly as possible what exceptions to the GPL are allowed,
and it allows third parties to strip out the exceptions so the code can
be linked to straight-GPLed code without such exceptions.

Of course, it doesn't explain what "the OpenSSL Toolkit" is much better
than the proposed text does, so you will probably want to modify that.

> > What is the source of GPL incompatibility with OpenSSL in the first place?
> > Is it patent-encumbered code (which I would expect Debian to disable) or
> > the old-BSD-style-license "advertising clause"?
> You are right we have disabled the patent-encumbered code, otherwise OpenSSL 
> wouldn't be in Debian at all!!  
> According to http://www.openssl.org/support/faq.html#LEGAL2
> 'Some GPL software copyright holders claim that you infringe on their rights 
> if you use OpenSSL with their software on operating systems that don't 
> normally include OpenSSL. 
> If you develop open source software that uses OpenSSL, you may find it useful 
> to choose an other license than the GPL, or state explicitly that "This 
> program is released under the GPL with the additional exemption that 
> compiling, linking, and/or using OpenSSL is allowed." If you are using GPL 
> software developed by others, you may want to ask the copyright holder for 
> permission to use their software with OpenSSL.'
> We had a fairly long discussion and determined that Debian 'doesn't normally 
> include OpenSSL' so we are covered by the condition above.

Actually, I believe this is inaccurate.  It may have been accurate in
the past, but it definitely is not any longer.

The problems between OpenSSL and the GPL are twofold:

 - the old BSD advertising clause

 - the clause in the OpenSSL license which reads:

"The licence and distribution terms for any publically available version
or derivative of this code cannot be changed.  i.e. this code cannot
simply be copied and put under another distribution licence [including
the GNU Public Licence.]"

This clause appears to forbid binary linking under the GPL section 2 (as
invoked by section 3).

We do consider Debian to be bound by this; specifically, OpenSSL is now
out of non-us/main and in main, so it most definitely "normally includes

David, I'm glad you're willing to work with us.  If you have any other
questions, please let us know, and we'll help you as best we can.

To UNSUBSCRIBE, email to debian-legal-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: