
Re: Inquiry about GPL v3 code linked against OpenSSL



On Mon, 14 Sep 2015 20:20:21 +0200 Carles Fernandez wrote:

> Dear all,

Hello Carles,

> 
> recently, I uploaded a package for gnss-sdr (http://mentors.debian.net/package/gnss-sdr).

Thanks for contributing to Debian!

> The package was rejected due to a conflict between GPL v3 and the OpenSSL license. From what I've got to know, the upstream license must include an exception to the GPL allowing linkage against OpenSSL.
> 
> I’m also an upstream developer of such software, so I want to implement the required changes for package acceptance. These are the devised steps:
[...]
> We would like to ask if we are on the right path, and if there are any other requirements regarding this issue that we need to address from the upstream side.

The steps seem fine to me, but I am afraid they are not enough.
Any other library linked with gnss-sdr has to be compatible with
OpenSSL.
Hence, if gnss-sdr links with other GPL-licensed libraries lacking the
OpenSSL exception, you will have to persuade their copyright holders to
also add the OpenSSL exception.

If I understand correctly, there are at least libuhd and libgnuradio,
which are linked with gnss-sdr and are GPL-licensed without any OpenSSL
exception. I guess the FSF is unlikely to be persuaded to add an OpenSSL
linking exception...


An alternative approach may be: drop OpenSSL entirely, and link with
some GPL-compatible TLS/SSL implementation instead (such as libgnutls or
libnss or anything else fit for the purpose).


A third alternative strategy is: be patient, and wait for OpenSSL to
switch to a saner license. It seems that some progress on this front has
been (unexpectedly) made on August the 1st, 2015:
https://www.openssl.org/blog/blog/2015/08/01/cla/
The announced plan is to switch to the Apache License version 2.0,
which is GPLv3-compatible (although still GPLv2-incompatible...).
I am not aware of any more recent news on this, though.
BTW, I am not happy about the CLA part and I would be much happier if
they decided to switch to a simpler and more all-compatible license
(such as the 3-clause BSD license, or the Expat license, or the zlib
license), but that's another story...


I hope this helps a little bit.
Please take into account that what I wrote is my own personal take on
the matter: I do *not* speak on behalf of the Debian Project.
And it's *not* legal advice (I am *not* a lawyer).

Bye.

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
