Re: Linking libgit2 to OpenSSL

On Thu, Jul 28, 2016 at 02:38:46PM -0700, Josh Triplett wrote:
> On Thu, Jul 28, 2016 at 05:12:55PM -0400, Peter Colberg wrote:
> > Dear Debian legal team,
> > 
> > The next release of julia will use libgit2 (Cc'ed recent maintainers)
> > to retrieve package repositories via https://. This requires libgit2
> > to be linked directly to OpenSSL [1].
> > 
> > libgit2 is licensed [2] under GPLv2 with this exception:
> > 
> > ----------------------------------------------------------------------
> > 
> > 
> >  In addition to the permissions in the GNU General Public License,
> >  the authors give you unlimited permission to link the compiled
> >  version of this library into combinations with other programs,
> >  and to distribute those combinations without any restriction
> >  coming from the use of this file.  (The General Public License
> >  restrictions do apply in other respects; for example, they cover
> >  modification of the file, and distribution when not linked into
> >  a combined executable.)
> > 
> > ----------------------------------------------------------------------
> > 
> > Given the above, is libgit2 linked to OpenSSL distributable in Debian?
>
> I don't speak for libgit2 upstream, but yes, that license exception
> allows linking libgit2 with arbitrary non-GPL-compatible software,
> including OpenSSL.
>
> That said, libgit2-dev defaults to using libcurl for https URLs rather
> than using OpenSSL directly; see THREADING.md, section "General Case".
> In such a configuration, libgit2 doesn't link to any SSL library itself,
> and just uses whatever libcurl and libssh2 use.  In Debian, the libgit2
> package uses the variant of libcurl that uses GnuTLS (I made that change
> in my NMU), and the libssh2 library uses libgcrypt, so libgit2 has no
> direct *or* indirect dependencies on OpenSSL.  So, packages licensed
> under GPLv2 with no license exceptions can link to libgit2 in Debian.

Correction: apparently this no longer holds true for current upstream
versions of libgit2, even though the documentation still says it works
that way.  libgit2 doesn't seem to support doing TLS through libcurl;
upstream mentioned that they want to support custom user certificate
verification hooks, which libcurl doesn't support.

Unfortunately, libgit2 also doesn't seem to support any TLS library
other than OpenSSL.  That's a serious problem for GPLed software, and
Debian already has some GPLed software linking to libgit2 (which led to
the switch to link against the gnutls version of libcurl).

- Josh Triplett
