
Re: openssl vs. GPL question

[Cc:ing the original poster, who posted to -mentors -- there's no reason to
expect that he's subscribed to -legal]

On Sun, Jun 05, 2005 at 11:04:13AM +0200, Måns Rullgård wrote:
> > On 6/4/05, Dafydd Harries <daf@muse.19inch.net> wrote:
> >> I have a package Alexandria, written in Ruby, which will depend on a
> >> new library in the next version. This library, ruby-zoom, is an LGPL Ruby
> >> binding of libyaz. libyaz links to OpenSSL and is, as far as I can tell,
> >> under a 2-clause BSD licence. Everything fine so far.

> >> But it seems to me that it will be impossible for Alexandria, which is
> >> under the GPL, to use ruby-zoom legally as, by doing so, it will be
> >> linking against OpenSSL, which is under a GPL-incompatible licence. Am I
> >> right in thinking so?

> > It is Debian's historical practice, and the FSF's stance, not to
> > permit this kind of dependency (direct or indirect).  I believe
> > strongly, and have adduced plenty of case law to demonstrate, that the
> > FSF's GPL FAQ is in error on this point.  I would not say, however,
> > that my opinion represents a debian-legal consensus.  See recent
> > debian-legal threads about Quagga, which is in a similar position.

> Does Alexandria make direct use of any OpenSSL functionality, or do
> only parts of libyaz not used by Alexandria use OpenSSL?  In the
> latter case, claiming derivedness from OpenSSL is outright bizarre, if
> it ever made any sense.

I have no reason to believe that the GPL's claim depends on the status of
derivative works; it is a condition of distributing binaries under the GPL
that the source to the work "and any components it contains" must be made
available under the terms of the GPL.  The fact that Alexandria does not
make *direct* use of OpenSSL is no defense, IMHO.

> Seriously, how many people actually care whether some GPL code links
> with OpenSSL?  My guess is two: RMS and EM.

I care; I don't like either the OpenSSL license or the OpenSSL code, and I
think it's in Debian's interest to distance itself from both to the greatest
extent possible.

> >> I notice that the Tellico package, which is GPL, already links against
> >> libyaz. Is this a licence violation?

> > No; but there again, it would probably be best to check with upstream
> > about whether they would mind adding an explicit "OpenSSL exemption". 
> > Wishlist bug?

> If the program makes explicit use of OpenSSL, I'd consider it fairly
> safe to assume an implicit permission to do so, even in the absence of a
> written clause to that effect.

Also not a defense; it's entirely valid for someone to release code under
the GPL that they know cannot be bundled in binary form by OS distributors.
Your argument would also imply that Microsoft is allowed to bundle any GPLed
software they want to with Windows without opening their libs, merely
because it's been written to use Windows-specific APIs.  This is not a sane
assumption in the case of Microsoft, and it's not a sane assumption in our
case either.  If this *is* the author's intent, it should be trivial to
secure a license clarification.

Steve Langasek
postmodern programmer
