
Netatalk and OpenSSL licencing


I'm asking for advice.

The best explanation can be found at this feature request on SourceForge:

  This is licence related. I'm using Debian, and prefer to grab
  netatalk using the appropriate package [1]. However, this
  package is not allowed to link to OpenSSL (and thus DHX
  passwords are disabled) [2]. The reason comes from debian-
  legal (don't ask *me*, I'm an ignorant user): "GPL software
  linked against OpenSSL is not allowed in the main archive
  without either a license exemption from the upstream author
  of the GPL package, a change in the license of OpenSSL
  itself, or a clear legal precedent sustaining the OpenSSL
  FAQ's opinion on this point." [3]

  In short, the OpenSSL and GPL are incompatible (as was
  noted on this list in 2001), so you may link it yourself, but
  may not distribute it because the GPL forbids it, despite that
  both licences are considered "free". (Well, at least that's
  what people on debian-legal claim).

  Thankfully, both the OpenSSL FAQ [4] and the GPL FAQ [5]
  give a solution: Add an exception to the licence, stating that
  it really is OK with you to compile the whole bunch, link with
  OpenSSL and put it in a package.

  So, my question. Could you pretty please add the following
  statement in one of your legal-blahblah files for both the 1.6
  and 2.0 version? I just copied it from gnu.org [5]:

  "In addition, as a special exception, the netatalk developers
  give permission to link the code of this program with the
  OpenSSL library (or with modified versions of OpenSSL that
  use the same license as OpenSSL), and distribute linked
  combinations including the two. You must obey the GNU
  General Public License in all respects for all of the code used
  other than OpenSSL. If you modify this file, you may extend
  this exception to your version of the file, but you are not
  obligated to do so. If you do not wish to do so, delete this
  exception statement from your version."

  [1] http://packages.debian.org/netatalk
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=191790
  [3] http://lists.debian.org/debian-legal/2002/debian-legal
  [4] http://www.openssl.org/support/faq.html#LEGAL2 (last
  paragraph of answer)
  [5] http://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs

  Thanks a LOT!
  And sorry to have distracted you from serious coding with
  this silly feature!

I have since bothered the maintainer of the netatalk Debian package and the
upstream maintainers. The latter are perfectly happy to make the exception
to the licence, but cannot:

  We have discussed this internally, and I fear it is not
  possible to make that change.

  Netatalk (at least 2.0) includes some GPL'ed code from other
  projects, mostly libiconv and Samba. Distributing Netatalk
  under a different license than the original GPL is AFAIKT
  (IANAL) therefore impossible without getting the permissions
  from the original authors and possibly all other contributors.

So: my questions:

1. Has anything changed in the statement made to debian-legal in 2002?
2. Is the netatalk upstream author correct that he cannot reasonably make
   the exception (without asking all possible contributors)?
3. Is there any way of getting netatalk with encrypted passwords in sarge?
   I can think of source-only distributions, or asking to move it out of
   main. However, I do not fully understand the implications of this. So:
   what would be a possible next move? Maybe just put it in Sarge, and ask
   FSF to sue you to create legal precedent? :-)

Kind regards,
Freek Dijkstra

[rant mode on]
PS: to play the devil's advocate on this list: is this !@#&$(%$ really
necessary for me as an end-user to get open-source software to work? I'd
rather have spent all this time doing something *useful*. All lawyers on this
list: please find another job. ;-)
[rant mode off]
