Re: openssl vs. GPL question

To: Debian Mentors <debian-mentors@lists.debian.org>, Debian-legal <debian-legal@lists.debian.org>
Subject: Re: openssl vs. GPL question
From: "Michael K. Edwards" <m.k.edwards@gmail.com>
Date: Sat, 4 Jun 2005 23:27:48 -0700
Message-id: <[🔎] 625a0e65050604232742104cc2@mail.gmail.com>
Reply-to: M.K.Edwards@gmail.com
In-reply-to: <20050604184850.GT10552@muse.19inch.net>
References: <20050604184850.GT10552@muse.19inch.net>

(copied to debian-legal, where the discussion belongs; next person
please cut debian-mentors)

On 6/4/05, Dafydd Harries <daf@muse.19inch.net> wrote:
> I have a package Alexandria, written in Ruby, which will depend on a
> new library in the next version. This library, ruby-zoom, is an LGPL Ruby
> binding of libyaz. libyaz links to OpenSSL and is, as far as I can tell,
> under a 2-clause BSD licence. Everything fine so far.
> 
> But it seems to me that it will be impossible for Alexandria, which is
> under the GPL, to use ruby-zoom legally as, by doing so, it will be
> linking against OpenSSL, which is under a GPL-incompatible licence. Am I
> right in thinking so?

It is Debian's historical practice, and the FSF's stance, not to
permit this kind of dependency (direct or indirect).  I believe
strongly, and have adduced plenty of case law to demonstrate, that the
FSF's GPL FAQ is in error on this point.  I would not say, however,
that my opinion represents a debian-legal consensus.  See recent
debian-legal threads about Quagga, which is in a similar position.

> My understanding of this issue is based on reading this thread:
> 
>         http://lists.debian.org/debian-legal/2002/10/msg00113.html
> 
> If there is indeed a licence problem here, I can see two main solutions:
> 
>  - Try to get libyaz in Debian to link against GnuTLS instead of
>    OpenSSL.
> 
>  - Get the maintainer of Alexandria to make an exception for linking
>    against OpenSSL.

The latter is probably a better choice (at least in the short term),
since the OpenSSL shim for GNU TLS was added to the GPL (not LGPL)
libgnutls-extra.  (It's possible that it has since been moved into the
LGPL portion, but I don't think so.)  While I don't believe in the
FSF's theories about linking causing "GPL violation" (especially in
the indirect scenario), it's the Debian way to request a clarification
from upstream.

> I notice that the Tellico package, which is GPL, already links against
> libyaz. Is this a licence violation?

No; but there again, it would probably be best to check with upstream
about whether they would mind adding an explicit "OpenSSL exemption". 
Wishlist bug?

Cheers,
- Michael
(IANAL, IANADD)

Reply to:

Follow-Ups:
- Re: openssl vs. GPL question
  - From: Arnoud Engelfriet <galactus@stack.nl>
- Re: openssl vs. GPL question
  - From: Måns Rullgård <mru@inprovide.com>
- Re: Re: openssl vs. GPL question
  - From: Regis Boudin <regis@boudin.name>

Prev by Date: medicine
Next by Date: Re: openssl vs. GPL question
Previous by thread: medicine
Next by thread: Re: openssl vs. GPL question
Index(es):
- Date
- Thread