
Re: [PATCH] License exception for OpenSSL (was Re: Linking Nessus with OpenSSL)

On Fri, May 24, 2002 at 09:03:50AM -0400, Simon Law wrote:

> if a company made extensions to Nessus
> and bundled them into the OpenSSL library; then they wouldn't actually
> be derivative works of OpenSSL, but rather derivative works of Nessus.

The problem is that this is a _subjective_ issue. With bad faith, one
can easily say that OpenSSL is about security, Nessus is about security,
and the changes one made to OpenSSL are about security, so it's not a
derivative work of Nessus. Duh. And those who do not agree can go ask
the court.

> 	If that doesn't work, could we say that the OpenSSL library can
> only be used for SSL support only?

That would sound better. It can even be extended to "cryptography".

> > So, for now, I prefer to block the distribution of binaries rather than 
> > BSD-ing my source code.
> 	Well, you're not blocking the distribution of binaries.  You are
> only blocking the distribution of binaries that employ cryptography;
> which seriously reduces the usefulness of Nessus. 

Yes. But I'd rather not see Nessus distributed at all rather than
being distributed badly working. I know I can't control that, but that'd
just be my wish as the author.

> 	As a compromise, I'd suggest that you do two things:
> 1) Add the exception now; so that people can still link to OpenSSL, then
>    modify and distribute it.  At least this way, you won't have silly
>    distributions breaking your license.

That's difficult, as if I remove it, the change won't be retroactive.
The second at least _one_ person has a copy of Nessus with this
exception, she can make a semi-proprietary version out of it. This is
why the patch was removed directly from CVS, before anyone downloaded
it (retrieving the revision of the file where the patch was applied will
just produce a blank patch).

I might re-add the exception with the "SSL only" notice. However, I'll
consult my lawyer before I do that (and double check the code too, to
make sure OpenSSL is used _only_ for that).

> 2) Work on migrating from OpenSSL to GNU TLS.  This is the best long
>    term solution, and you can then remove the exception from your 
>    license.

I hope I'll manage to avoid doing that. This is purer, but sounds like
overkill (plus openssl is widely used and rock solid, I don't know
the level of quality of gnutls).

				  -- Renaud
