[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

GPL applications using Python (OpenSSL issue?)

Can GPLv3+ applications written in Python exist in Debian main? The
applications in question do not use an openssl exception.

Python uses OpenSSL so the moment the application starts, it is linking
against it too:

$ objdump -p /usr/bin/python2.6 | grep NEEDED
  NEEDED               libpthread.so.0
  NEEDED               libdl.so.2
  NEEDED               libutil.so.1
  NEEDED               libssl.so.0.9.8
  NEEDED               libcrypto.so.0.9.8
  NEEDED               libz.so.1
  NEEDED               libm.so.6
  NEEDED               libc.so.6

In my case I am talking about a GPLv3+ package that exists in Debian --

Where do I draw the line for using/linking against ssl?

a) Using Python2.6
b) Unintentionally introducing _ssl or ssl into the imported modules
   (import any of urllib, httplib, socket etc!)
c) Unintentionally using ssl  (use urllib.urlopen on URL provided by
   user -- if it's https we are using openssl)
d) Intentionally using ssl (import ssl and use httplib.HTTPSConnection
   and verify certificates)

Kupfer is today at (c) in the debian archive. It exists in development
version at (d).

Clearly (d) has provoked thought but upon investigation I see that
"import ssl" only triggers "import _ssl" which in turn is an almost
no-op because _ssl is a built-in module in Python 2.6.

Is this easier to answer than I think it is?


Reply to: