[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Linking libgit2 to OpenSSL

On Thu, Jul 28, 2016 at 05:12:55PM -0400, Peter Colberg wrote:
> Dear Debian legal team,
> The next release of julia will use libgit2 (Cc'ed recent maintainers)
> to retrieve package repositories via https://. This requires libgit2
> to be linked directly to OpenSSL [1].
> libgit2 is licensed [2] under GPLv2 with this exception:
> ----------------------------------------------------------------------
>  In addition to the permissions in the GNU General Public License,
>  the authors give you unlimited permission to link the compiled
>  version of this library into combinations with other programs,
>  and to distribute those combinations without any restriction
>  coming from the use of this file.  (The General Public License
>  restrictions do apply in other respects; for example, they cover
>  modification of the file, and distribution when not linked into
>  a combined executable.)
> ----------------------------------------------------------------------
> Given the above, is libgit2 linked to OpenSSL distributable in Debian?

I don't speak for libgit2 upstream, but yes, that license exception
allows linking libgit2 with arbitrary non-GPL-compatible software,
including OpenSSL.

That said, libgit2-dev defaults to using libcurl for https URLs rather
than using OpenSSL directly; see THREADING.md, section "General Case".
In such a configuration, libgit2 doesn't link to any SSL library itself,
and just uses whatever libcurl and libssh2 use.  In Debian, the libgit2
package uses the variant of libcurl that uses GnuTLS (I made that change
in my NMU), and the libssh2 library uses libgcrypt, so libgit2 has no
direct *or* indirect dependencies on OpenSSL.  So, packages licensed
under GPLv2 with no license exceptions can link to libgit2 in Debian.

- Josh Triplett

Reply to: