
GPL-licensed packages with depend-chain to OpenSSL



Hey

Please forgive a new subscriber if this subject already has been debated to death. In that case, just let me know and I'll quietly crawl away again.

Ok, here's my explanation of the "problem":

There is this package in recent Debian named 'curl' (using an MIT-like license). It is built with OpenSSL (you all know the OpenSSL license).

With curl there come two Debian packages (that we care about here) nowadays named libcurl2 and libcurl3 (libcurl3 being the new ABI and libcurl2 the older one). Both are linked against the OpenSSL libraries.

Many applications use libcurl. Including several applications/packages in Debian unstable that are GPL-licensed.

See where I'm drifting? Several packages in Debian unstable are licensed GPL (without explicit allowance for linking with OpenSSL) but link with libraries/components that link with OpenSSL... This creates binaries that are not allowed to be distributed due to GPL license violations. AFAICT.

I'm not a Debian guru, but I scanned through the list of apps depending on curl to see what licenses they use, and I stopped when I had collected five examples:

 grip, logjam, ardour, fbi, xine-ui

They are all GPLv2 licensed.

I can think of multiple approaches to fix this situation:

1. Make the authors add exceptions to the licences

or

2. Provide a curl package that is built without OpenSSL that those that don't do #1 can use.

Of course, getting curl to link with an SSL library that isn't GPL-incompatible would also be a fix for this particular case, but I consider that a pretty big job that won't happen this year (by me).

If this was just an issue with packages that depend on (lib)curl, it would've been a minor issue. But...

I counted 206 packages in current Debian unstable that depend on libssl (grepping in the "Build-Depends" fields). I figure all those packages already have either a license that is OK, or an exception in their GPL license.

But there are 610 packages that depend on one or more of those 206 packages. Since I'm checking build-dependencies I'm hoping I check the right stuff. I would be surprised if the five packages I found are the only ones affected by this. There are also a lot of packages that depend on these 610 packages...

(I'm sure someone with more Debian skill can do this checking better and more accurate - these numbers were obtained by some rather crude and error-prone scripts.)

Is this a huuuuge can of worms or am I just plain wrong?

--
         -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
  ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol



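The counting the post describes (grep Build-Depends for libssl, then find the packages that build-depend on those, and so on outward) can be done with a small script over a Debian Sources index. What follows is an added example, not the author's scripts and not anything from the curl or Debian projects. It parses a constructed, made-up Sources fragment that reuses the package names from the post, reduces each Build-Depends entry to a bare package name (dropping version and architecture restrictions and keeping every branch of an "a | b" alternative, since any branch may be the one actually used at build time), maps each binary package back to the source package that builds it, and walks the reverse build-dependency graph outward from openssl one hop at a time. Hop 1 corresponds to the "206" figure and hop 2 to the "610" figure; each source is counted only at the first hop where it appears, so diamonds and cycles do not inflate the numbers. The function names and the sample stanzas are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a Debian "Sources" index. The package
# names mirror the ones discussed in the post; the stanzas themselves are
# made up for this example and are not real Debian metadata.
SAMPLE_SOURCES = """\
Package: openssl
Binary: openssl, libssl0.9.6, libssl-dev
Build-Depends: debhelper (>= 3)

Package: curl
Binary: curl, libcurl2, libcurl3, libcurl2-dev, libcurl3-dev
Build-Depends: debhelper (>= 4), libssl-dev, zlib1g-dev

Package: grip
Binary: grip
Build-Depends: debhelper, libcurl2-dev | libcurl3-dev, libgnome-dev

Package: xine-ui
Binary: xine-ui
Build-Depends: debhelper (>= 4.0.0), libxine-dev, libcurl3-dev [!hurd-i386]

Package: zlib
Binary: zlib1g, zlib1g-dev
Build-Depends: debhelper

Package: gnupg
Binary: gnupg
Build-Depends: debhelper, zlib1g-dev
"""


def parse_sources(text):
    """Parse RFC 822-style stanzas into {source: {"binaries": set, "build_depends": set}}.

    Build-Depends entries are reduced to bare package names: version
    restrictions "(>= 4)", architecture restrictions "[!hurd-i386]" and
    build-profile restrictions "<!nocheck>" are dropped, and every branch
    of an "a | b" alternative is kept (conservative: any branch may be the
    one satisfied on the build machine).
    """
    sources = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        last_key = None
        for line in stanza.splitlines():
            if line[:1].isspace() and last_key:      # continuation line
                fields[last_key] += " " + line.strip()
                continue
            key, _, value = line.partition(":")
            last_key = key.strip()
            fields[last_key] = value.strip()
        name = fields["Package"]
        binaries = {b.strip() for b in fields.get("Binary", "").split(",") if b.strip()}
        deps = set()
        for entry in fields.get("Build-Depends", "").split(","):
            for alternative in entry.split("|"):
                pkg = re.sub(r"\s*[(\[<].*$", "", alternative.strip())
                if pkg:
                    deps.add(pkg)
        sources[name] = {"binaries": binaries, "build_depends": deps}
    return sources


def reverse_build_deps(sources):
    """Map each source package to the set of source packages that
    build-depend on at least one binary package it produces."""
    binary_to_source = {}
    for src, info in sources.items():
        for binary in info["binaries"]:
            binary_to_source[binary] = src
    rdeps = defaultdict(set)
    for src, info in sources.items():
        for dep in info["build_depends"]:
            producer = binary_to_source.get(dep)
            if producer is not None and producer != src:
                rdeps[producer].add(src)
    return rdeps


def dependents_by_hop(sources, root):
    """Breadth-first walk of the reverse build-dependency graph from `root`.

    Returns a list of sets: element 0 holds the sources that build-depend
    directly on a binary of `root`, element 1 the sources that build-depend
    on those, and so on. A source is recorded only at the first hop where it
    is reached, so cycles and diamonds do not inflate the per-hop counts.
    """
    rdeps = reverse_build_deps(sources)
    seen = {root}
    frontier = {root}
    hops = []
    while True:
        nxt = set()
        for src in frontier:
            nxt |= rdeps.get(src, set())
        nxt -= seen
        if not nxt:
            return hops
        hops.append(nxt)
        seen |= nxt
        frontier = nxt


def transitive_dependents(sources, root):
    """Every source package that reaches `root` through build dependencies."""
    result = set()
    for hop in dependents_by_hop(sources, root):
        result |= hop
    return result


if __name__ == "__main__":
    srcs = parse_sources(SAMPLE_SOURCES)
    for depth, hop in enumerate(dependents_by_hop(srcs, "openssl"), start=1):
        print(f"hop {depth}: {len(hop)} source package(s): {sorted(hop)}")
```

On the sample data the walk reports curl at hop 1 and grip and xine-ui at hop 2, while zlib and gnupg, which never reach an OpenSSL binary, are left out. Running parse_sources over a real Sources index (the file apt fetches for a deb-src line) applies the same walk to the whole archive; as the post's own caveat notes, Build-Depends records what a package is built against, so a package whose alternative was actually satisfied by a non-OpenSSL library would still be counted here and needs a closer look by hand.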