
Re: [PATCH] License exception for OpenSSL (was Re: Linking Nessus with OpenSSL)



On Fri, 24 May 2002, Renaud Deraison wrote:
> On Fri, May 24, 2002 at 09:03:50AM -0400, Simon Law wrote:
> > if a company made extensions to Nessus
> > and bundled them into the OpenSSL library; then they wouldn't actually
> > be derivative works of OpenSSL, but rather derivative works of Nessus.
> The problem is that this is a _subjective_ issue. With bad faith, one
> can easily say that OpenSSL is about security, Nessus is about security,
> and the changes one made to OpenSSL about security, so it's not a
> derivative work of Nessus. Duh. And those who do not agree can go ask
> the court. 

	Alas, yes.  This could lead to a stupid court battle.

> [...]
> > 	If that doesn't work, could we say that the OpenSSL library can
> > only be used for SSL support only?
> That would sound better. It can even be extended to "cryptography".

	Let us examine this solution.  Could you consult your lawyer and
the FSF with regards to wording?

> > > So, for now, I prefer to block the distribution of binaries rather than 
> > > BSD-ing my source code.
> > 	Well, you're not blocking the distribution of binaries.  You are
> > only blocking the distribution of binaries that employ cryptography;
> > which seriously reduces the usefulness of Nessus. 
> Yes. But I'd rather not see Nessus distributed at all rather than 
> being distributed badly working. I know I can't control that, but that'd
> just be my wish as the author.

	You could ask the community to stop distributing Nessus 1.2.x
until we fix the problem.  I'm almost certain that the Debian maintainer
will respect your decision; and I know I will.

> > 	As a compromise, I'd suggest that you do two things:
> > 
> > 1) Add the exception now; so that people can still link to OpenSSL, then
> >    modify and distribute it.  At least this way, you won't have silly
> >    distributions breaking your license.
> 
> That's difficult, as if I remove it, the change won't be retro-active.
> The second at least _one_ person has a copy of Nessus with this
> exemption, she can make a semi-proprietary version out of it. This is
> why the patch was removed directly from CVS, before anyone downloaded
> it (retrieving the revision of the file where the patch was applied will
> just produce a blank patch).

	Yes, I saw that.  You are correct that that semi-proprietary
version could be made out of that one version.  However, that version
wouldn't be able to track the "real" Nessus because you'd have the
exemption removed from the later version.  So, they'd have to maintain
their own branch.  I admit that this could still be very ugly.

> I might re-add the exception with the "SSL only" notice. However, I'll
> consult my lawyer before I do that (and double check the code too, to
> make sure OpenSSL is used _only_ for that).

	Please do!

> > 2) Work on migrating from OpenSSL to GNU TLS.  This is the best long
> >    term solution, and you can then remove the exception from your 
> >    license.
> 
> I hope I'll manage to avoid to do that. This is purer, but sounds like
> an overkill (plus openssl is widely used and rock solid, I don't know
> the level of quality of gnutls).

	It is definitely purer, and you are guaranteed that the software
will always remain Free.  On the plus side, if more people use GNU TLS
because an important Free Software package like Nessus uses it; then more
people will develop it.  OpenSSL has an unfortunate stranglehold (dare I
say monopoly?) on Free SSL/TLS implementations.

Simon

