Re: GPL applications using Python (OpenSSL issue?)

To: debian-legal@lists.debian.org
Cc: debian-python@lists.debian.org
Subject: Re: GPL applications using Python (OpenSSL issue?)
From: Ulrik Sverdrup <ulrik.sverdrup@gmail.com>
Date: Tue, 15 Mar 2011 17:28:09 +0100
Message-id: <AANLkTik=_+Q=ECDy93WUZPMSGUDBdXo63dZQ0XYuw206@mail.gmail.com>
In-reply-to: <AANLkTik0qLvLs_1UgCwBZEU3SKMBfxZmeUf6Na8P14V+@mail.gmail.com>
References: <AANLkTik0qLvLs_1UgCwBZEU3SKMBfxZmeUf6Na8P14V+@mail.gmail.com>

2011/3/7 Ulrik Sverdrup <ulrik.sverdrup@gmail.com>:
> Can GPLv3+ applications written in Python exist in Debian main? The
> applications in question do not use an openssl exception.
>
> Python uses OpenSSL so the moment the application starts, it is linking
> against it too:
>
> $ objdump -p /usr/bin/python2.6 | grep NEEDED
>  NEEDED               libpthread.so.0
>  NEEDED               libdl.so.2
>  NEEDED               libutil.so.1
>  NEEDED               libssl.so.0.9.8
>  NEEDED               libcrypto.so.0.9.8
>  NEEDED               libz.so.1
>  NEEDED               libm.so.6
>  NEEDED               libc.so.6
>
> In my case I am talking about a GPLv3+ package that exists in Debian --
> kupfer
>
> Where do I draw the line for using/linking against ssl?
>
> a) Using Python2.6
> b) Unintentionally introducing _ssl or ssl into the imported modules
>   (import any of urllib, httplib, socket etc!)
> c) Unintentionally using ssl  (use urllib.urlopen on URL provided by
>   user -- if it's https we are using openssl)
> d) Intentionally using ssl (import ssl and use httplib.HTTPSConnection
>   and verify certificates)
>
> Kupfer is today at (c) in the debian archive. It exists in development
> version at (d).
>
> Clearly (d) has provoked thought but upon investigation I see that
> "import ssl" only triggers "import _ssl" which in turn is an almost
> no-op because _ssl is a built-in module in Python 2.6.
>
> Is this easier to answer than I think it is?

I don't think this is easy to resolve. It's not the developer's (mine)
issue, it's not the users issue but it's the distributors issue.


FYI, it was briefly discussed on Python-dev:

http://mail.python.org/pipermail/python-dev/2011-March/109032.html

Of course kupfer (example app) can work without ssl. But the thread
finds another problem, the inavailablity of hashlib (thus md5 and
sha1):

http://mail.python.org/pipermail/python-dev/2011-March/109051.html

> But you're also left with not being able to 'import hashlib'. While python has fallback
> code, those modules (_md5, _sha, _sha256, _sha512) aren't built if openssl was found
> at build time. So you can't just select at runtime that you didn't want to use openssl.
> Not being able to import hashlib unfortunately makes urllib2 (and a lot of 3rd party
> packages) fail to import.


md5 and sha1 are used in many desktop programs, for example to locate
file thumbnails.

Ulrik

Reply to:

References:
- GPL applications using Python (OpenSSL issue?)
  - From: Ulrik Sverdrup <ulrik.sverdrup@gmail.com>

Prev by Date: RFS: pybtex
Next by Date: Re: Switching to git
Previous by thread: Re: GPL applications using Python (OpenSSL issue?)
Next by thread: Packaging Django applications and projects
Index(es):
- Date
- Thread