[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPLed software and OpenSSL

On Wed, May 29, 2002 at 01:17:42PM -0400, Simon Law wrote:
> On 29 May 2002, Jeff Licquia wrote:

> > On Wed, 2002-05-29 at 08:11, Simon Law wrote:
> > > I decided to take a look at what Reverse Depends on OpenSSL:

> > > sfllaw@SAL9000:~/src/snort-1.8.6$ apt-cache showpkg libssl0.9.6 | grep
> > > '^  ' | wc -l
> > >     165

> > > 	These 165 packages include such GPLed software as: nessus,
> > > snort, wget-ssl, proftpd, kdelibs3-crypto, postgresql, gnustep-ssl,
> > > etc...  I'm very disturbed by this discovery, as we would be doing
> > > something illegal by distributing these packages in the upcoming
> > > release.  What should we do?

> > Out of curiosity, do you have non-us in your sources.list?  It would be
> > interesting to find out how much of that software is really in main.

> 	Yes, I do have non-us in my list.  Removing it narrow our group
> down to 16, none of which seem to be in violation.

> > One "solution" to the problem, assuming that most of the violations are
> > in non-us, would be to not generate ISOs with non-us on them.  This is
> > practical now that crypto-in-main is done.  At least in theory, then,
> > OpenSSL (which is in main) would be "normally distributed" with Debian,
> > and these components would not "accompan[y] the executable".  I don't
> > like it much, but it would at least have a veneer of respectability.

> 	Well, if the stuff is available off Debian servers, then we are
> basically distributing them.  As well, libssl0.9.6 isn't automatically
> installed with the system.  It sort of seems like you're using a
> quirk in the wording as opposed to real technical differences.

In the legal world, wording makes all the difference.  The GPL
specifically talks about code that's distributed *with* the GPLed
binary, not about code distributed *by the same people as* the GPLed
binary, and we have no reason to believe that this distinction was
unintentional.  Many vendors of proprietary Unices (e.g., Sun) seem to
already be counting on the fact that it is not.

Steve Langasek
postmodern programmer

Attachment: pgpruI81o3FbU.pgp
Description: PGP signature

Reply to: