"Ivan Ristic" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hi,
I am the original author of ModSecurity (http://www.modsecurity.org),
an open source web application firewall, which is licensed under GPLv2.
ModSecurity was acquired by Breach Security in late 2006. I joined
the company at the same time, continuing to manage the project, which
remained open source.
ModSecurity used to be distributed in Debian but this is no longer
the case, due to the incompatibility between the GPLv2 and the Apache
Software License. I would like to explore a licensing exception as
the fastest way of resolving this problem.
The problem is that an Apache installation typically consists of many
modules, each with a potentially different licence. I am only aware of the
incompatibility between the GPLv2 and the ASL, although other
issues may exist. Although GPLv2 is our licence of choice, we do not
have an intention to force this licence upon other users and developers.
I think that it's possible to design a licensing exception that would
essentially say the following:
- For non-ModSecurity-related modules, allow any open source licence.
We would either call for any OSI-certified licence, or explicitly
list every licence allowed.
- Changes to ModSecurity, or modules that work with ModSecurity to
change or extend its functionality, would remain covered under GPLv2.
Indeed that should be possible. Of course, all contributions to the code
would require relicencing by the contributer unless a copyright assignment
system was in place. But if you can get all of the work relienced, such an
exception could correct any issues.
However, how important is it that all used modules be open source? I'm sure
it is important that anything directly extending the ModSecurity module ti
be GPL'ed, but that is the easier part of the exception to draft. The other
section is admittedly much more difficult to do well. If it is not really
that important that the other modules be open source then omitting that
exception entirely would simplify things entirely. If dropping the first
requirement, my rough draft would be somthing like the following:
-----BEGIN DRAFT-----
In addition, as a special exception, the copyright holders give permission
to link the code of this program with the Apache Web server (or with
modified versions that use the same license as Apache Web Server), and
distribute linked combinations including the two. You must obey the GNU
General Public License in all respects for all of the code used other than
Apache. If you modify this file, you may extend this exception to your
version of the file, but you are not obligated to do so. If you do not wish
to do so, delete this exception statement from your version.
In addition, as a special exception, the copyright holders give permission
to link the code of this program with other Apache modules that are not
designed to change or exend the funcionality of ModSecurity, regardless of
the license terms of those modules, and distribute the resulting
combination. You must obey the GNU General Public License in all respects
for all of the Program code and other code used in conjunction with the
Program except the Non-GPL Code covered by this or the previous exception.
If you modify this file, you may extend this exception to your version of
the file, but you are not obligated to do so. If you do not wish to do so,
delete this exception statement from your version.
---------
Those exceptions are based on the standard exception template provided by
the GNU foundation, along with a few terms from the classpath exception and
Red Hat GPL exception. There may be a few small tweaks that should be made,
but this should be a solid foundation.
Assuming the only problem with distributing your module was the GPLv2-ASL
licence incompatibility, that exception should allow Debian to distribute
your module.
PLEASE NOTE: Am am not a laywer, so this was not legal advice. The draft
exception was constructed as an informational tool, and should be reviewed
by an actual lawyer and changed as needed.
I am not a Debian Developer, and this message is in no way an official
statment of the Debian Project.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
