On 2025-04-14 11:10, Russ Allbery wrote:
> I do find it fairly hard to understand the logic behind a position that somehow our git-remote-https binary as distributed is a derived work of OpenSSL and thus violates the GPLv2 license based on the nature of this specific dependency chain, but then I was always dubious of the legal merits of FSF's extremely aggressive and maximalist position on the definition of derived works in the context of the GPLv2 license.
Me too.
> I am not a lawyer, this is not legal advice, and it's worth what you paid for it.
Likewise.

Separate from the above, I've been skeptical about using the system library exception for OpenSSL on Debian. However, I think that's moot now anyway.
Now that OpenSSL is licensed under Apache-2.0, everyone agrees that GPL-3.0 and Apache-2.0 are compatible. As a result, anything that is GPL-3.0-only or GPL-3.0-and-later or GPL-2.0-or-later (or GPL-1.0-or-later) is fine. That probably covers most things.
The remaining problem space is thus GPL-2.0-only, which is at issue here. The question is, are GPL-2.0-only and Apache-2.0 compatible? The FSF says no. As far as I can tell, the Apache Software Foundation doesn't necessarily agree with the FSF about this incompatibility, but respects their position on the issue. [1]
Here is a real legal analysis of the issue: https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1701&context=chtlj

My understanding of (most of) the positions in that paper is: the No Further Restrictions clause is almost certainly a contractual covenant, not a copyright license condition. To prevail on a breach of contract claim, you would have to show harm and damages. On the patent termination clause, there is no way to create harm to the GPL-2.0-only licensor. The indemnification clause only does something if you choose to offer a warranty (which Debian is not choosing to do), and even if you did, you still can't create harm to the GPL-2.0-only licensor. Even if you had technical harm, the GPL-2.0-only licensor would have to show damages that are "more than nominal..., speculative harm, or the threat of future harm not yet realized".
As I have said before: I think that computer programmers have a tendency to treat licenses as if they are self-executing (and precise like software). From what I can tell, the legal system does not operate that way, and actual lawyers make distinctions based on harm/damages or lack thereof.
I think Debian should take the position that Apache-2.0 and GPL-2.0-only are compatible in practice.
[1] https://www.apache.org/licenses/GPL-compatibility.html

-- 
Richard