On Wed, Aug 03, 2011 at 11:37:54AM -0300, Daniel Cid wrote: > So what exactly needs to be added to the license? I will send that to > the Trend team for addition...
I believe the following text should do it: "In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here." This should be added in the header of source files that link to OpenSSL. See attached example file (gpl-openssl-header.txt) for a header. In addition, to clarify the situation, the attached file LICENSE.OpenSSL could be added to the source code's alongside the LICENSE file For more information see: - http://people.gnome.org/~markmc/openssl-and-the-gpl.html - http://lists.debian.org/debian-legal/2004/05/msg00595.html > Also, OpenSSL doesn't need to be added (and everything should work > fine). In fact, that's how we support > systems without openssl-dev installed... We just link to it for small > performance gains (when generating the > sha1 hashes). In OSSEC you are actually embedding OpenSSL code directly, so the exception is required, regardless of whether (in the build) the code links to the OpenSSL's system libraries or to the OpenSSL code built from the OpenSSL code you include. More specifically, the files src/os_crypto/sha1/md32_common.h, src/os_crypto/sha1/sha.h, and src/os_crypto/sha1/sha_locl.h seem to come straight form the OpenSSL library. This being the case, the license exception needs to be added. If you want to prevent this exception then you could replace the OpenSSL implementation and use the GNU TLS library, which provides the same functions you use. This library is GPL-compatible. Historically, some projects have decided in the past to move from the OpenSSL library to the GNU TLS because of these license incompatibilities. Regards Javier
signature.asc
Description: Digital signature
