hey debian perl folks--

I just filed an ITP to attempt to bring in the OpenSSL perl module, due to its support for a variety of ciphers and digests which are not otherwise easily available:

  http://bugs.debian.org/534338

In the course of doing the usual packaging/licensing review, i started thinking about (a) the relationships between the various packages that offer bindings on OpenSSL into perl, and (b) their special licensing issues.

Package Relationships:
----------------------

Currently, we've got at least:

  libnet-ssleay-perl
  libcrypt-openssl-rsa-perl
  libcrypt-openssl-dsa-perl
  libcrypt-openssl-bignum-perl
  libcrypt-openssl-random-perl
  libcrypt-openssl-x509-perl

(did i miss any?)

They don't all share syntax or bindings in identical ways. For example, retrieving a prime that is part of a DSA key from Crypt::OpenSSL::DSA yields a binary string, while retrieving a prime component from Crypt::OpenSSL::RSA yields a Crypt::OpenSSL::Bignum object.

We also have multiple ways of (for example) generating and representing an OpenSSL RSA key (Net::SSLeay::RSA_generate_key() and Crypt::OpenSSL::RSA->generate_key()). And if my attempt to package libopenssl-perl is successful, we'll have two independent bindings of OpenSSL's BigNum support (the admittedly poorly-documented OpenSSL::BN and Crypt::OpenSSL::Bignum).

I know There's More Than One Way To Do It™, but it seems like this could cause some incompatibilities (e.g. is it OK to use an RSA key that i've generated and manipulated from Crypt::OpenSSL::RSA with a Net::SSLeay connection?) and potential frustrations for users and developers attempting to work with OpenSSL at various levels of detail within Perl.

Has anyone attempted to push these interfaces toward a consolidated structure? Do we know anything about the willingness of their upstreams to interoperate? If this is a topic that has been addressed before, i'd be happy to read up on it if folks will send me pointers.
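As an added illustration of the two representation styles and of the PEM hand-off between Crypt::OpenSSL::RSA and Net::SSLeay (example code written for this note, not from the mail or from any of the modules; it assumes the module APIs as documented on CPAN, and writes the key to a temporary file because Net::SSLeay loads private keys from a path):

```perl
#!/usr/bin/perl
# Added example, not part of the original mail. Normalises a DSA prime
# (raw byte string) and an RSA prime (Crypt::OpenSSL::Bignum object) to the
# same type, then hands a Crypt::OpenSSL::RSA key to Net::SSLeay as PEM.
use strict;
use warnings;
use Crypt::OpenSSL::DSA;
use Crypt::OpenSSL::RSA;
use Crypt::OpenSSL::Bignum;
use Net::SSLeay;
use File::Temp qw(tempfile);

# --- DSA: get_p returns a big-endian byte string ---------------------------
my $dsa   = Crypt::OpenSSL::DSA->generate_parameters(1024);
my $p_bin = $dsa->get_p;                                  # plain bytes
my $p_bn  = Crypt::OpenSSL::Bignum->new_from_bin($p_bin); # wrap it
printf "DSA p: %d raw bytes, %d bits as a Bignum\n",
    length($p_bin), $p_bn->num_bits;

# --- RSA: get_key_parameters already returns Bignum objects ---------------
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
my ($n, $e, $d, $rp, $rq) = $rsa->get_key_parameters;
printf "RSA p: %d bits, e = %s\n", $rp->num_bits, $e->to_decimal;

# Both primes are now Crypt::OpenSSL::Bignum, so arithmetic is uniform.
my $bn_ctx = Crypt::OpenSSL::Bignum::CTX->new;
die "p*q != n" unless $rp->mul($rq, $bn_ctx)->equals($n);

# --- Net::SSLeay: PEM is the common currency between the bindings ---------
Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

my ($fh, $pem_path) = tempfile(UNLINK => 1);   # constructed scratch file
print $fh $rsa->get_private_key_string;        # PKCS#1 PEM from Crypt::OpenSSL::RSA
close $fh;

my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed";
Net::SSLeay::CTX_use_PrivateKey_file($ctx, $pem_path, &Net::SSLeay::FILETYPE_PEM)
    or die "Net::SSLeay refused the key: "
         . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
print "Net::SSLeay accepted the key generated by Crypt::OpenSSL::RSA\n";
Net::SSLeay::CTX_free($ctx);
```

The PEM round trip is the only interoperability path the two bindings share; in-memory objects from one module cannot be passed to the other directly.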
Licensing
---------

Debian sees OpenSSL licensing as explicitly incompatible with the GPL. /usr/share/doc/libnet-ssleay-perl/copyright invokes the OpenSSL licensing terms, but other OpenSSL bindings do not (they seem to usually invoke the GPL | Artistic perl-standard dual-licensing agreement). Since they all link to OpenSSL, presumably we consider them to be bound by the OpenSSL terms as well.

Does this mean that the GPL | Artistic license for the modules actually collapses to the Artistic license from debian's point of view? If so, should this be clarified in the copyright files?

Finally, i note that the OpenSSL license contains the following stanza:

 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.

It's not clear to me whether any of the Crypt::OpenSSL::* modules have actually received such permission from the OpenSSL project. I've written the upstream author of the OpenSSL:: module today to ask about that, but haven't heard back yet. I was curious what the maintainers of the other *::OpenSSL::* modules know about that situation for their respective modules.

Thanks for any insight you might have,

--dkg