[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bacula and OpenSSL

On Thu, Jul 19, 2007 at 04:22:06PM +0200, Shane M. Coughlan wrote:
> ===
> We do not believe that OpenSSL qualifies as a System Library in Debian.
> The System Library definition is meant to be read narrowly, including
> only code that accompanies genuinely fundamental components of the
> system.

OpenSSL certainly "accompanies" genuinely fundamental components of
the system; it's status in Debian is that it's as "fundamental" as apt,
and significantly more fundamental than any windowing system, which is
explicitly listed as an example of a "fundamental component" in the GPLv3.

> I don't see anything to suggest that that's the case for
> OpenSSL in Debian: the package only has important priority (as opposed
> to glibc's required),

The definition of the "required" priority is the minimal set of packages
that are required for a system to be administered using dpkg. That
excludes, for instance, gcc, not to mention window managers and even
all our kernel packages.

> there are only about 350 packages depending on it
> (as opposed to glibc's 8500), 

There are apparently 360 packages just on my system which will be removed
if I remove openssl, and I only have 1883 installed. On the same system
(which is my day to day desktop), removing libx11-6 takes down 610
packages. On a headless server, removing libx11-6 takes down 7 packages,
while libssl0.9.8 takes 82 packages with it.

> and it isn't installed on a base system.

The base system is precisely those packages at priority required or
important, and includes openssl.

> To put it plainly, if OpenSSL actually were a System Library, I would
> expect it to look more like one.

From what I can see of the GPLv3 text, OpenSSL plainly is a System Library
for Debian -- SSL support is a "major essential component of the specific
operating system", and one that we include on all systems as soon as
they're installed before giving users the option of what to install,
whether they're building a server, desktop system, embedded target or
anything else. It's integrated into the operating system to the level at
which basic tools such as curl and wget are configured to rely on it and
through those dependencies such as debootstrap (used to install the Debian
base system), openoffice.org, gimp, and bzflag; likewise python directly
depends on ssl, and hence so do all the python scripts in the archive.

It's not "essential" by the very limited meaning we use for the
"Essential: yes" field in the Packages files, which is to say, "if you
remove this package, you will not be able to manage your system using
dpkg" (and indeed that field is used for only a subset of the Priority:
required packages, and happens to not be used for glibc), but it's
certainly essential by most common usages of the term, and some more
general usage of the term is certainly implied by the GPLv3's reference to
"window managers" as essential components.


Attachment: signature.asc
Description: Digital signature

Reply to: