
Re: [PATCH] License exception for OpenSSL (was Re: Linking Nessus with OpenSSL)



On Fri, 24 May 2002, Renaud Deraison wrote:

> On Fri, May 24, 2002 at 12:32:39PM +0200, Renaud Deraison wrote:
> > On Wed, May 22, 2002 at 02:10:45AM -0400, Simon Law wrote:
> > > On Fri, 17 May 2002, Renaud Deraison wrote:
> > > 2002-05-22  Simon Law  <sfllaw@engmail.uwaterloo.ca>
> > > 
> > > 	* Added the proper licensing exception for linking with OpenSSL
> > > 	for nessus and nessusd.
> > > 
> > 
> > Applied, so it will be published in Nessus 1.2.1.
> 
> Actually, I cancelled this patch, it turns my code into a non-GPL one.
> 
> Here's my concern:
> 
> Your patch says:
> 
>  * In addition, as a special exception, Renaud Deraison
>  * gives permission to link the code of this program with
>  * the OpenSSL library (or with modified versions of OpenSSL that use the
>                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 			   Here's the trick.
> 
> Suppose an evil company wants to make a commercial version of Nessus,
> with add-ons they don't want to publish. They just have to take OpenSSL,
> add the function they want, and modify Nessus code to just call these
> new functions.  In the end, they're not bound to publish the source code
> of their "modified version" of OpenSSL, and they'd have my agreement to
> do so.

	Sadly, this is true.  This is the problem with linking with
non-copylefted libraries, which is why the FSF discourages doing so.
However, if you don't allow linking with modified versions of OpenSSL,
then you get left behind whenever the OpenSSL team releases bug-fixes.

	I'm cc-ing to debian-legal about this, because I'm not sure if
this argument would hold water: if a company made extensions to Nessus
and bundled them into the OpenSSL library; then they wouldn't actually
be derivative works of OpenSSL, but rather derivative works of Nessus.
Could we change the exception to say "or with derivative version of
OpenSSL"?

	If that doesn't work, could we say that the OpenSSL library can
be used for SSL support only?

> So, for now, I prefer to block the distribution of binaries rather than 
> BSD-ing my source code.

	Well, you're not blocking the distribution of binaries.  You are
only blocking the distribution of binaries that employ cryptography,
which seriously reduces the usefulness of Nessus.

	As a compromise, I'd suggest that you do two things:

1) Add the exception now; so that people can still link to OpenSSL, then
   modify and distribute it.  At least this way, you won't have silly
   distributions breaking your license.

2) Work on migrating from OpenSSL to GNU TLS.  This is the best long
   term solution, and you can then remove the exception from your 
   license.

Simon

