[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Bug#147430: hpoj: Linking against OpenSSL licensing modificat ion (GPL)

On Thu, 2002-05-23 at 21:47, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> Thanks to everyone for the information.  I will probably need to consult
> with our attorney and several others to make sure that whatever I use (even
> if it's the FSF template) properly addresses my concerns and doesn't create
> any undesired loopholes.  In the meantime, informally I don't object if you
> continue to link with libcrypto to satisfy libsnmp's dependency on
> libcrypto, but if that's not sufficient then you can always temporarily
> disable hpoj's SNMP support until I can supply an appropriate formal license
> exception statement.  (I don't suppose there's a way to link with libsnmp
> but not libcrypto?)

Hmm... Debian is releasing imminently.  Normally I would think we
wouldn't need to act until things are all cleared up, but the status quo
is about to be immortalized.  I don't know if that changes things.

My gut reaction is to trust that you (David) are a reasonable person,
seeing as how you've been forthright so far, and will intentionally
refuse to take advantage of our situation.  Should you suddenly
metamorphize into an ogre, however, we do have the legal recourse of
quickly doing a point release of woody without linking to libsnmp; since
we brought up the problem, it's hard to imagine a court accusing Debian
of acting in bad faith, so it would seem difficult to fall under any
real liability.

> Jeff Licquia wrote:
> > We do consider Debian to be bound by this; specifically, 
> > OpenSSL is now
> > out of non-us/main and in main, so it most definitely 
> > "normally includes OpenSSL".
> But if Debian "most definitely 'normally includes OpenSSL'", then doesn't
> that make this issue irrelevant?  Or do OpenSSL's advertising and anti-GPL
> clauses override the normal-inclusion condition?

The problematic section of the GPL reads as follows (section 3):

"However, as a special exception, the source code distributed need not
include anything that is normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of
the operating system on which the executable runs, unless that component
itself accompanies the executable."

So, we're fine because OpenSSL is normally distributed with Debian,
except that hpoj is also normally distributed with Debian, which means
that "that component itself [OpenSSL] accompanies the executable
[hpoj]", which means that we're not fine.

It would seem that you are the victim of success. :-)

> Mark Horn wrote:
> > Correct me if I'm wrong, but the GPL says that no one can *release*
> > a copy of hpoj linked to OpenSSL.  They can certainly use hpoj linked
> > to OpenSSL.  Of course, that doesn't help you as the guy who is trying
> > to package up hpoj for debian.  But if I want to link hpoj to OpenSSL,
> > there's nothing in my reading of the GPL that prevents me.  I simply
> > can't release any such code to anyone else.
> You are correct.  The GPL doesn't restrict your own use of software; it
> merely sets the conditions for copying (distributing) software (with or
> without modifications), which by default isn't allowed under copyright law.
> The question of whether linking with OpenSSL requires special permission
> from me only comes into play if you distribute binaries rather than have the
> recipient compile the source code for him/herself and generate the
> questioned linkage.

This is the way Debian sees it as well.  We do distribute binaries, so
we have lots of restrictions placed on us that aren't there for users.

With less cooperative upstream authors, we actually distribute "binary"
packages which do nothing but install the source code and provide easy
hooks for the user to build and install the actual binaries.  See, for
example, "qmail-src" in Debian's non-free archive.

I don't believe we've ever needed to do this with GPLed code, however;
most licensing problems there seem to be easily resolvable.

To UNSUBSCRIBE, email to debian-legal-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: