
Re: Bug#952399: OpenSSL linking without license exception



On 25.02.20 at 23:38, Marco d'Itri wrote:
> Control: found 26+20191223-1
>
> On Feb 23, Bastian Germann <bastiangermann@fishpost.de> wrote:
>
>> All of the GPL-2+ licensed executables contained in the kmod
>> binary package link to libcrypto even though they do not have any
>> OpenSSL license exception. ftp-master considers this a serious
>> issue. So please remove this optional dependency or ask upstream
>> for a license exception.
> The large number of contributors to kmod obviously makes impossible
> getting a license exception, also considering that only Debian
> cares about linking GPL'ed software with OpenSSL.
>
> Since only libkmod (which is LGPL'ed), and not the actual commands,
> is linked with OpenSSL, and the libkmod symbols do not change
> depending if OpenSSL support is enabled or not, and the patches
> which introduced OpenSSL support did not touch the commands, then I
> think that the commands are obviously not a derivative work of
> OpenSSL. You can also easily verify that the commands are not
> linked with OpenSSL by looking at the build logs of the package.

$ ldd /bin/*mod /sbin/*mod*

/bin/kmod:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/bin/lsmod:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/depmod:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/insmod:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/lsmod:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/modinfo:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/modprobe:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/rmmod:
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1

buster's amd64 binaries are actually directly linked with libcrypto;
readelf says "(NEEDED)  Shared library: [libcrypto.so.1.1]"

Even if they were linked with libcrypto via libkmod it would not make
any difference.

> Also, the next major release of OpenSSL will be relicensed with the
> ASLv2 anyway, which is compatible with the GPLv3.

That will help for bullseye+ but not for buster.

> For these reasons I have no interest and no plans to do anything
> about this, and I am quite annoyed that I had to spend my time
> researching these details and then explaining them to you.

You don't care and I am fine with that since I am not the maintainer
of the package. But I wanted to report the issue anyway since the
legal team's comments on that matter are unanimous.

