"Ivan Ristic" <ivanr@webkreator.com> wrote in message [🔎] 47949F4B.3020807@webkreator.com">news:[🔎] 47949F4B.3020807@webkreator.com...
Hi, I am the original author of ModSecurity (http://www.modsecurity.org), an open source web application firewall, which is licensed under GPLv2. ModSecurity was acquired by Breach Security in late 2006. I joined the company at the same time, continuing to manage the project, which remained open source. ModSecurity used to be distributed in Debian but this is no longer the case, due to the incompatibility between the GPLv2 and the Apache Software License. I would like to explore a licensing exception as the fastest way of resolving this problem. The problem is that an Apache installation typically consists of manymodules, each with a potentially different licence. I am only aware of the incompatibility between the GPLv2 and the ASL, although otherissues may exist. Although GPLv2 is our licence of choice, we do not have an intention to force this licence upon other users and developers. I think that it's possible to design a licensing exception that would essentially say the following: - For non-ModSecurity-related modules, allow any open source licence. We would either call for any OSI-certified licence, or explicitly list every licence allowed. - Changes to ModSecurity, or modules that work with ModSecurity to change or extend its functionality, would remain covered under GPLv2.
Indeed that should be possible. Of course, all contributions to the code would require relicencing by the contributer unless a copyright assignment system was in place. But if you can get all of the work relienced, such an exception could correct any issues.
However, how important is it that all used modules be open source? I'm sure it is important that anything directly extending the ModSecurity module ti be GPL'ed, but that is the easier part of the exception to draft. The other section is admittedly much more difficult to do well. If it is not really that important that the other modules be open source then omitting that exception entirely would simplify things entirely. If dropping the first requirement, my rough draft would be somthing like the following:
-----BEGIN DRAFT-----In addition, as a special exception, the copyright holders give permission to link the code of this program with the Apache Web server (or with modified versions that use the same license as Apache Web Server), and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than Apache. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.
In addition, as a special exception, the copyright holders give permission to link the code of this program with other Apache modules that are not designed to change or exend the funcionality of ModSecurity, regardless of the license terms of those modules, and distribute the resulting combination. You must obey the GNU General Public License in all respects for all of the Program code and other code used in conjunction with the Program except the Non-GPL Code covered by this or the previous exception. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.
---------Those exceptions are based on the standard exception template provided by the GNU foundation, along with a few terms from the classpath exception and Red Hat GPL exception. There may be a few small tweaks that should be made, but this should be a solid foundation.
Assuming the only problem with distributing your module was the GPLv2-ASL licence incompatibility, that exception should allow Debian to distribute your module.
PLEASE NOTE: Am am not a laywer, so this was not legal advice. The draft exception was constructed as an informational tool, and should be reviewed by an actual lawyer and changed as needed.
I am not a Debian Developer, and this message is in no way an official statment of the Debian Project.