
Re: [PATCH] License exception for OpenSSL

Simon Law <sfllaw@engmail.uwaterloo.ca> wrote:
> On Fri, 24 May 2002, Renaud Deraison wrote:
> > On Fri, May 24, 2002 at 12:32:39PM +0200, Renaud Deraison wrote:
> > 
> > Actually, I cancelled this patch, it turns my code into a non-GPL one.
> > 
> > Here's my concern:
> > 
> > Your patch says:
> > 
> >  * In addition, as a special exception, Renaud Deraison
> >  * gives permission to link the code of this program with
> >  * the OpenSSL library (or with modified versions of OpenSSL that use the
> >                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > 
> > 			   Here's the trick.
> > 
> > Suppose an evil company wants to make a commercial version of Nessus,
> > with add-ons they don't want to publish. They just have to take OpenSSL,
> > add the function they want, and modify Nessus code to just call these
> > new functions.  In the end, they're not bound to publish the source code
> > of their "modified version" of OpenSSL, and they'd have my agreement to
> > do so.
> 	Sadly, this is true.  This is the problem with linking with
> non-copylefted libraries, which is why the FSF discourages doing so.
> However, if you don't allow linking with modified versions of OpenSSL,
> then you get left behind whenever the OpenSSL team releases bug-fixes.


Simon Law <sfllaw@engmail.uwaterloo.ca> wrote:
> 	If that doesn't work, could we say that the OpenSSL library can
> only be used for SSL support?

I agree with this analysis.  However, I don't think that it is wise to
put in restrictions on how OpenSSL can change.  In particular, it may
impact the freeness of Nessus.  It seems that you are no longer free
to make derivative works of OpenSSL.  You can only make certain
modifications to OpenSSL.  Since Nessus depends on OpenSSL, that puts
Nessus in non-free.

To put it more simply, if Debian gives out a body of code, the DFSG
guarantees that you can make whatever modifications to the code and
distribute the result under the same conditions.  If the exception
specifies that OpenSSL can only be used for SSL support, then you are
no longer free to modify that body of code.

I only see four possibilities to resolve this:

  1) Put in the generic exception.  This may worry you because then
     arbitrary changes can be made to OpenSSL.  Previous projects that
     had the exception don't seem to have had this problem (e.g. Lyx),
     but I certainly sympathise with your concerns.  After all,
     enforcing sharing is probably one of the reasons you chose GPL in
     the first place.

  2) Put an exception in that allows combining Nessus with code that
     is released under the OpenSSL license.  Thus, if an evil company
     tried to make modifications and keep them secret, they couldn't
     combine it with Nessus.  This may still have some holes, though.
     I haven't thought it through.

  3) Move to GnuTLS.  Lots of work to move to a library with less
     functionality.  On the other hand, it will promote the use of
     GnuTLS and make it a good replacement for everyone.  Then, no one
     else will have to go through this agony.

  4) Do nothing.  Debian will then move your software out of main, but
     could put it in non-free as a source package.  It will be a
     little more difficult for people to get, but not impossible.  The
     people who wrote mplayer distributed it this way for a long time
     (I think they've gotten all of the non-free code out now).  They
     had other reasons to do this (they wanted everyone to get CPU
     specific optimizations), but it didn't destroy the project.

Walter Landry
