Re: [PATCH] License exception for OpenSSL (was Re: Linking Nessus with OpenSSL)

On Fri, 2002-05-24 at 08:03, Simon Law wrote:
> 	I'm cc-ing to debian-legal about this, because I'm not sure if
> this argument would hold water: if a company made extensions to Nessus
> and bundled them into the OpenSSL library; then they wouldn't actually
> be derivative works of OpenSSL, but rather derivative works of Nessus.
> Could we change the exception to say "or with derivative version of
> OpenSSL"?

The problem is that you'd have to restrict what you could and couldn't
add to OpenSSL for this to address Renaud's problem.  This is only a
little better than forcing use of a particular version of OpenSSL; if
the OpenSSL people decide to add some functionality to it, you're back
in the same boat.

> 	If that doesn't work, could we say that the OpenSSL library can
> only be used for SSL support only?

For a given definition of "SSL support"? :-)

It seems to me that the best way forward is to restrict the exact
behavior we want to restrict.  So, for example, the OpenSSL exception
could be written to say something like "you may distribute code in
binary form linked against any OpenSSL library binary for which you
provide complete source" or whatever; sort of a "mini-GPL" for
third-party libraries.  You'd probably want to spell out exactly what
constitutes "providing source" for OpenSSL.

This still allows evil people to write code with arbitrary restrictions
and link it into OpenSSL, but since they have to distribute the source
to their modified OpenSSL library when linking it to Nessus,
reverse-engineering the changes to OpenSSL for inclusion into Nessus
proper should be a piece of cake.  The only case where this might be a
problem is if the OpenSSL people themselves go evil on us, in which case
we probably want to rethink the exception anyway and/or not link against
newer "evil" versions of OpenSSL.

Also, be sure to allow third-parties to drop this exception if they
want, to preserve compatibility with straight-GPL code.

> 2) Work on migrating from OpenSSL to GNU TLS.  This is the best long
>    term solution, and you can then remove the exception from your 
>    license.

This option, I would imagine, is really the best way to eliminate this
whole mess.