2011/3/7 Ulrik Sverdrup <ulrik.sverd...@gmail.com>: > Can GPLv3+ applications written in Python exist in Debian main? The > applications in question do not use an openssl exception. > > Python uses OpenSSL so the moment the application starts, it is linking > against it too: > > $ objdump -p /usr/bin/python2.6 | grep NEEDED > NEEDED libpthread.so.0 > NEEDED libdl.so.2 > NEEDED libutil.so.1 > NEEDED libssl.so.0.9.8 > NEEDED libcrypto.so.0.9.8 > NEEDED libz.so.1 > NEEDED libm.so.6 > NEEDED libc.so.6 > > In my case I am talking about a GPLv3+ package that exists in Debian -- > kupfer > > Where do I draw the line for using/linking against ssl? > > a) Using Python2.6 > b) Unintentionally introducing _ssl or ssl into the imported modules > (import any of urllib, httplib, socket etc!) > c) Unintentionally using ssl (use urllib.urlopen on URL provided by > user -- if it's https we are using openssl) > d) Intentionally using ssl (import ssl and use httplib.HTTPSConnection > and verify certificates) > > Kupfer is today at (c) in the debian archive. It exists in development > version at (d). > > Clearly (d) has provoked thought but upon investigation I see that > "import ssl" only triggers "import _ssl" which in turn is an almost > no-op because _ssl is a built-in module in Python 2.6. > > Is this easier to answer than I think it is?
I don't think this is easy to resolve. It's not the developer's (mine) issue, it's not the users issue but it's the distributors issue. FYI, it was briefly discussed on Python-dev: http://mail.python.org/pipermail/python-dev/2011-March/109032.html Of course kupfer (example app) can work without ssl. But the thread finds another problem, the inavailablity of hashlib (thus md5 and sha1): http://mail.python.org/pipermail/python-dev/2011-March/109051.html > But you're also left with not being able to 'import hashlib'. While python > has fallback > code, those modules (_md5, _sha, _sha256, _sha512) aren't built if openssl > was found > at build time. So you can't just select at runtime that you didn't want to > use openssl. > Not being able to import hashlib unfortunately makes urllib2 (and a lot of > 3rd party > packages) fail to import. md5 and sha1 are used in many desktop programs, for example to locate file thumbnails. Ulrik -- To UNSUBSCRIBE, email to debian-legal-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/AANLkTik=_+Q�dy93wuzpmsgudbdxo63dzq0xyuw...@mail.gmail.com
