Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)

To: debian-legal@lists.debian.org
Subject: Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)
From: Ben Finney <bignose@debian.org>
Date: Fri, 07 Dec 2018 17:04:22 +1100
Message-id: <[🔎] 86a7lh27q1.fsf@benfinney.id.au>
References: <[🔎] 86in090xr5.fsf@benfinney.id.au> <[🔎] 20181206182130.ulcs7tbxjokknnm4@breakpoint.cc>

Sebastian Andrzej Siewior <sebastian@breakpoint.cc> writes:

> Yes and my understanding is that every GPLv2 software, that links
> against openssl, needs such an addon.

The alternative being that the resulting work is not legally
redistributable (because the terms of both GPLv2 and the OpenSSL license
cannot be simultaneously satisfied).

So yes, the only way such a work can be distributed conforming to both
those sets of conditions if the grant of license gives *more*
permissions (such as one you state), at which it's not merely GPL any
more.

> The wording (of the addon) was drafted on debian-legal a few years
> back.

Can you give citations to what you're referring to? there have been many
such discussions so it would help if we're both talking about the same
thing.

> So this is true for series 1.1.1 and earlier. The master branch will be
> released as 3.0 and some point. So we have some time to clarify this
> :)

Ah, so this is not a change that has happened yet. Good, thank you for
bringing it to our attention so we can discuss it :-)

> Please see 
>   https://www.openssl.org/blog/blog/2018/11/28/version/

The part of that article salient for this discussion seems to be:

    OpenSSL version 3.0.0 will be the first version that we release
    under the Apache License 2.0. We will not be applying the Apache
    License to earlier releases of OpenSSL.

That doesn't specify the grant of license so it's unclear what the total
set of conditions will be.

>   https://github.com/openssl/openssl/blob/master/LICENSE

That is a nearly-verbatim copy of the Apache License 2.0 with no legally
substantive changes (only the URL in the header changed to an HTTPS).

Merely dropping a copy of the license document doesn't tell use exactly
what is the grant of license, as many works (including OpenSSL itself,
and as you point out a lot of works that link to OpenSSL) have a complex
grant of license that incorporates some combination of conditions. It is
not enough to assume that a license document implies the entire grant of
license.

So we will need to see what exact text is the grant of license (the text
saying something like "This is OpenSSL, Copyright © 2018 Foo Bar. You
are hereby granted freedom to do X, Y, Z under these explicit specific
conditions").

Is the grant of license somewhere in the Git repository to be examined?

-- 
 \               “… correct code is great, code that crashes could use |
  `\           improvement, but incorrect code that doesn’t crash is a |
_o__)                    horrible nightmare.” —Chris Smith, 2008-08-22 |
Ben Finney

Reply to:

Follow-Ups:
- Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
- Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)
  - From: Francesco Poli <invernomuto@paranoici.org>

References:
- Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)
  - From: Ben Finney <bignose@debian.org>
- Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Prev by Date: build.gradle// Initialize Firebase var config = { apiKey: "AIzaSyDPYwvXQQTsEaDahUezyw_FtYUX55XgmJs", authDomain: "shawn-9470d.firebaseapp.com", databaseURL: "https://shawn-9470d.firebaseio.com", projectId: "shawn-9470d", storageBucket: "shawn-9470d.appspot.com", messagingSenderId: "1062706269963" }; firebase.initializeApp(config);
Next by Date: Re: Hacking License
Previous by thread: Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)
Next by thread: Re: Compatibility of GPLv2 and Apache v2 (OpenSSL again)
Index(es):
- Date
- Thread