[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPL-licensed packages with depend-chain to OpenSSL

On Sep 9, 2004, at 23:36, Glenn Maynard wrote:

First off, I made up this example quickly to try and illustrate that looking at the end result is not enough; that we need to examine the steps that got us there.

Hopefully, -legal will consider and respond to the other point made in my previous post as well.

As an example, I think distributing a package which downloaded FOO
source code and compiles it --- on the user's machine --- with OpenSSL
might be fine, as we'd be distributing under GPL 2 (or even GPL 1), and
GPL 2 doesn't require source to all modules contained in the program
(only to the program and works based on it, which OpenSSL clearly

The GPL requires that all derived works be entirely available under the
terms of the GPL.

Yes, but OpenSSL wouldn't be a derived work of the GPL program (it can't be, because it was created before the GPL program).

 One piece of the resulting binary--OpenSSL--is not.
This seems to clearly violate the spirit of the GPL.

It might, but the GPL does have the normal components of an OS exception, for example. And only GPL (3), not (1) or (2) mentions all components of the resulting binary.

I have no idea how this
would fare in court,

It seems quite allowed by the plain language of the GPL.

Also, if we were to put a binary in a special section on separate servers, that'd be allowed under the normal components exception to (3).

 but I hope we agree that this would not be an
acceptable thing for Debian to do.  (I don't know if by "fine" you mean
"legally fine" or "actually fine".)

I agree it is not something Debian should be doing. For one thing, we should (when at all reasonable) respect upstream's wishes; for another, not being able to distribute binaries violates the DFSG. It's also probably more risky because even if the GPL allows it, a lot of people probably don't realize it.

Reply to: