Re: Bacula and OpenSSL

2007-07-20 Thread Simon Josefsson
Thomas Dickey <[EMAIL PROTECTED]> writes:

> Simon Josefsson <[EMAIL PROTECTED]> wrote:
>> Kern Sibbald <[EMAIL PROTECTED]> writes:
>
>>>> GPL + OpenSSL exception would be enough to be sure. You may have more
>>>> luck convincing copyright owners to grant an OpenSSL exception than to
>>>> accept an entirely new license.
>>>
>>> I am told that FSF never grants exceptions so this is a hopeless path that I
>>> have already explored.
>
>> That is incorrect.  The FSF has granted OpenSSL license exceptions to
>> some software that links to OpenSSL.  For example, GNU wget.
>
> That's not an example (unless you're intending to show a case where
> FSF allows itself to do things that it forbids others ;-)

I don't follow, what do you mean?  GNU wget is distributed under the GPL
with a license exception to permit linking with OpenSSL.

As far as I know, the FSF doesn't forbid anyone to use GPL with an
OpenSSL exception.

/Simon


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Bacula and OpenSSL

2007-07-20 Thread Steve Langasek
Hi Shane,

On Thu, Jul 19, 2007 at 04:22:06PM +0200, Shane M. Coughlan wrote:

> Steve Langasek wrote:
> > I agree that the GPLv3 is not "compatible" with the OpenSSL license, in the
> > sense that code licensed under the OpenSSL license cannot be included in a
> > GPLv3 work.  However, the GPLv3 does include a broader (if no more easily
> > understood) system exception clause, which seems to allow distributing GPLv3
> > binaries that are /dynamically linked/ against OpenSSL.  Is this not the
> > position of FSF/FSF Europe?

> I discussed this issue with Brett Smith of FSF, and as a result of this
> he wrote the following brief summary:

> ===

> We do not believe that OpenSSL qualifies as a System Library in Debian.
> The System Library definition is meant to be read narrowly, including
> only code that accompanies genuinely fundamental components of the
> system.  I don't see anything to suggest that that's the case for
> OpenSSL in Debian: the package only has important priority (as opposed
> to glibc's required), there are only about 350 packages depending on it
> (as opposed to glibc's 8500), and it isn't installed on a base system.
> To put it plainly, if OpenSSL actually were a System Library, I would
> expect it to look more like one.

> - -- Brett Smith Licensing Compliance Engineer, Free Software Foundation

> ===

IMHO that would be a rather unfortunate position for the FSF to take, as it
would mean the changes to the system exception clause are *only* of benefit
to distributors of proprietary operating systems, while GNU/Linux
distributors are left with the same license compatibility problems as ever.

But as AJ noted, the above analysis seems to get some facts wrong.  In
addition to the fact that OpenSSL is part of the base system, the count of
reverse-dependencies seems to be off somewhat.  There are 461 packages in
etch that depend on libssl0.9.8, plus another 11 depending on the
libssl0.9.7 that we aren't quite rid of.  Of course that's nothing close to
glibc's 8500, but if we were to look at some of the individual libraries
within the libc6 package, like librt, libnsl, libm, or libdl, I would expect
that openssl's usage within Debian is at least within an order of magnitude
of some of these.  Surely if libraries such as these qualify as System
Libraries (and I should hope they do!), shouldn't libssl qualify too?

Cheers,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/





Re: Bacula and OpenSSL

2007-07-20 Thread Kern Sibbald
Hello Shane,

On Thursday 19 July 2007 16:22, Shane M. Coughlan wrote:
> Dear Steve
> 
> Steve Langasek wrote:
> > I agree that the GPLv3 is not "compatible" with the OpenSSL license, in the
> > sense that code licensed under the OpenSSL license cannot be included in a
> > GPLv3 work.  However, the GPLv3 does include a broader (if no more easily
> > understood) system exception clause, which seems to allow distributing GPLv3
> > binaries that are /dynamically linked/ against OpenSSL.  Is this not the
> > position of FSF/FSF Europe?
> 
> I discussed this issue with Brett Smith of FSF, and as a result of this
> he wrote the following brief summary:
> 
> ===
> 
> We do not believe that OpenSSL qualifies as a System Library in Debian.
> The System Library definition is meant to be read narrowly, including
> only code that accompanies genuinely fundamental components of the
> system.  I don't see anything to suggest that that's the case for
> OpenSSL in Debian: the package only has important priority (as opposed
> to glibc's required), there are only about 350 packages depending on it
> (as opposed to glibc's 8500), and it isn't installed on a base system.
> To put it plainly, if OpenSSL actually were a System Library, I would
> expect it to look more like one.

Thanks for following up on this.  However, I am not sure that Brett answered 
the "technical" point concerning the GPLv3 that was brought up by Steve.  
Though I'm not sure that question really needs answering since it is likely 
to lead to lots of different interpretations of subtle points as we are 
currently seeing with the System Library definition.

What struck me as getting closer to the fundamental problem that I am having 
is the remarks in a later email by Anthony Towns where there are apparently 
360 packages on his system that would be removed if he were to remove 
OpenSSL.

I see the positions of the different people who have responded to this 
question about linking Bacula with OpenSSL, and though I obviously cannot 
agree with everyone, since there are opposing interpretations, I can say that 
each has valid points.

To me the issue is much more fundamental.  Apparently the problem with OpenSSL 
is one of an "onerous advertising clause", which I don't find so onerous -- 
so the authors want their names acknowledged for the work they did.  In 
reading the clause that apparently poses the problem:

 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgment:
 *    "This product includes cryptographic software written by
 *     Eric Young ([EMAIL PROTECTED])"

I have to say, that I am not completely sure what they want.  I've tried to 
ask the authors, but their email addresses seem to be invalid.  I've tried to 
ask the current OpenSSL maintainers, but they have not yet responded to my 
email.  

In any case, I have added explicit acknowledgements in the LICENSE file and in 
the manual.  As far as I know these are the only "advertising" materials that 
are used by Bacula or any of the distros, so I *think* I am in compliance 
with *their* license.

Now, coming back to the GPL issue.  I can understand why RMS doesn't like the 
OpenSSL license because of this advertising clause, but what I find *very* 
hard to understand is why that concerns anyone but me and the people 
distributing the binaries.  We are the only ones who "suffer" from that 
clause.  The bottom line is that I see no harm to either the Free Software 
movement nor the authors of GPLed software that I use in Bacula, if I comply 
the best I can with the terms of the OpenSSL license.

Right now, license issues seem to be black and white, that is they either work 
or do not work with GPL period.  It seems to me that in the case of OpenSSL, 
their license is not totally incompatible with GPL, it is just a bit annoying 
to some people. 

I don't want to imply that I encourage such licenses, but given the 
widespread usage of OpenSSL and the rather trivial nature of this "problem" 
(IMO), it seems to me that the decision on whether or not software can be 
linked to the OpenSSL code should be up to the persons distributing the 
binaries.

Because of the large number of packages where some, if not many, probably have 
the same problem as Bacula, I would appreciate hearing FSF's and RMS' 
position on this.

Best regards,

Kern

> 
> -- Brett Smith Licensing Compliance Engineer, Free Software Foundation
> 
> ===
> 
> Regards
> 
> Shane
> 
> --
> Shane Coughlan
> FTF Coordinator
> Free Software Foundation Europe
> Office: +41435000366 ext 408 / Mobile: +41792633406
> [EMAIL PROTECTED]
> Support Free Software > http://fsfe.org
> 





Re: Bacula and OpenSSL

2007-07-20 Thread Thomas Dickey
Simon Josefsson <[EMAIL PROTECTED]> wrote:
>>> That is incorrect.  The FSF has granted OpenSSL license exceptions to
>>> some software that links to OpenSSL.  For example, GNU wget.
>>
>> That's not an example (unless you're intending to show a case where
>> FSF allows itself to do things that it forbids others ;-)

> I don't follow, what do you mean?  GNU wget is distributed under the GPL
> with a license exception to permit linking with OpenSSL.

It's a GNU project, as noted.

> As far as I know, the FSF doesn't forbid anyone to use GPL with an
> OpenSSL exception.

That's entirely possible, but you haven't provided an example which
isn't contaminated by self-interest on the part of FSF.  If you can
provide such an example, there's something to discuss.

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net





Re: Bacula and OpenSSL

2007-07-20 Thread Simon Josefsson
Thomas Dickey <[EMAIL PROTECTED]> writes:

>> As far as I know, the FSF doesn't forbid anyone to use GPL with an
>> OpenSSL exception.
>
> That's entirely possible, but you haven't provided an example which
> isn't contaminated by self-interest on the part of FSF.  If you can
> provide such an example, there's something to discuss.

The FSF cannot change the license on code they don't own.  As far as I
understand, what you are looking for does not appear to be possible from a
legal point of view.  I'm assuming that you would regard any FSF owned
code to be "contaminated" by the FSF's self-interest.

What kind of example are you looking for?

/Simon





Re: Bacula and OpenSSL

2007-07-20 Thread Thomas Dickey
Simon Josefsson <[EMAIL PROTECTED]> wrote:

> What kind of example are you looking for?

The example that you failed to provide in the posting to which I responded.
(let's not get sidetracked)

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net





Re: Why is firebird in Debian?

2007-07-20 Thread Francesco Poli
On Thu, 19 Jul 2007 17:40:46 -0700 Anthony Towns wrote:

> On Wed, Jul 18, 2007 at 11:58:09PM +0200, Francesco Poli wrote:
> > It is my opinion that the MPL license fails to meet the DFSG.
> > This opinion seems to be shared by other debian-legal regulars:
> 
> The MPL is an accepted license for main. I'm sorry your opinion
> differs, and that the views of other non-DDs and non-maintainers on
> the matter have gone uncorrected and left the misleading impression
> that there's any question as to whether the MPL is suitable for main.

ATATIAAWBI, bla, bla, ...

-- 
 http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
 Need to read a Debian testing installation walk-through?
. Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4




Re: Why is firebird in Debian?

2007-07-20 Thread Jordi Gutiérrez Hermoso

On 20/07/07, Francesco Poli <[EMAIL PROTECTED]> wrote:
> ATATIAAWBI, bla, bla, ...

WTFOMGBTWBBQ?

- Jordi G. H.





Re: Why is firebird in Debian?

2007-07-20 Thread Francesco Poli
On Fri, 20 Jul 2007 00:59:16 +0100 (BST) MJ Ray wrote:

> Francesco Poli <[EMAIL PROTECTED]> wrote:
> > Could someone explain to me why firebird is in main?
> 
> Because some ftpmaster hit approve, no-one found a bad enough
> bug to change it and this plan didn't happen yet:
> http://lists.debian.org/debian-legal/2006/03/msg00562.html

In your opinion, what's the best course of action, at this point?

File a serious bug against each firebird source package (firebird1.5 and
firebird2.0), so that we can find out *why* the above-mentioned plan has
not yet happened?  Does anyone volunteer to do a more thorough analysis of
the issues (I'm still quite in a rush, sorry)?


-- 
 http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
 Need to read a Debian testing installation walk-through?
. Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4




Re: Why is firebird in Debian?

2007-07-20 Thread Francesco Poli
On Fri, 20 Jul 2007 13:01:48 -0500 Jordi Gutiérrez Hermoso wrote:

> On 20/07/07, Francesco Poli <[EMAIL PROTECTED]> wrote:
>  > ATATIAAWBI, bla, bla, ...
> 
> WTFOMGBTWBBQ?

If this means that you failed to "decode" my shorthand, it means:
According To Anthony Towns, I Am Always Wrong Because IANADD/IANAL
(try searching for it on a search engine, you'll find the message[1]
where I coined the acronym).

[1] http://lists.debian.org/debian-legal/2007/06/msg00280.html

-- 
 http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
 Need to read a Debian testing installation walk-through?
. Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4




Re: Why is firebird in Debian?

2007-07-20 Thread Josselin Mouette
On Thursday 19 July 2007 at 17:40 -0700, Anthony Towns wrote:
> On Wed, Jul 18, 2007 at 11:58:09PM +0200, Francesco Poli wrote:
> > It is my opinion that the MPL license fails to meet the DFSG.
> > This opinion seems to be shared by other debian-legal regulars:
> 
> The MPL is an accepted license for main.

Under what rationale did the ftpmasters decide it is OK for Debian not
to respect the licenses of software we distribute?

-- 
 .''`.
: :' :  We are debian.org. Lower your prices, surrender your code.
`. `'   We will add your hardware and software distinctiveness to
  `-    our own. Resistance is futile.




Re: Why is firebird in Debian?

2007-07-20 Thread Dan Serban

Anthony Towns wrote:
> On Wed, Jul 18, 2007 at 11:58:09PM +0200, Francesco Poli wrote:
>> It is my opinion that the MPL license fails to meet the DFSG.
>> This opinion seems to be shared by other debian-legal regulars:
> 
> The MPL is an accepted license for main. I'm sorry your opinion differs,
> and that the views of other non-DDs and non-maintainers on the matter
> have gone uncorrected and left the misleading impression that there's
> any question as to whether the MPL is suitable for main.
> 
> Cheers,
> aj
> 

Could you please point me to debian policy as to where and when the MPL
was decided to be acceptable use for the project?  I've refused to work
on past projects due to them being licensed under the MPL based on some
discussion had on this list a few months/years? ago.  I sure hope I
wasn't wrong in doing so.

Here's what I've found on the topic, linked from:

http://wiki.debian.org/DFSGLicenses

http://lists.debian.org/debian-legal/2004/06/msg00221.html
http://lists.debian.org/debian-legal/2006/03/msg00551.html

I've looked for it, but can't find out where the debian project states
that the MPL is DFSG free.

Thanks.





Re: Why is firebird in Debian?

2007-07-20 Thread Anthony Towns
On Fri, Jul 20, 2007 at 08:03:37PM +0200, Francesco Poli wrote:
> On Fri, 20 Jul 2007 00:59:16 +0100 (BST) MJ Ray wrote:
> > Francesco Poli <[EMAIL PROTECTED]> wrote:
> > > Could someone explain to me why firebird is in main?
> > Because some ftpmaster hit approve, no-one found a bad enough
> > bug to change it and this plan didn't happen yet:
> > http://lists.debian.org/debian-legal/2006/03/msg00562.html
> In your opinion, what's the best course of action, at this point?
> File a serious bug against each firebird source package (firebird1.5 and
> firebird2.0), so that we can find out *why* [...]

Serious bugs are not a tool so you can learn more about Debian. Don't abuse
the bug tracking system.

Yeesh.

Cheers,
aj





Re: Why is firebird in Debian?

2007-07-20 Thread Anthony Towns
On Thu, Jul 19, 2007 at 11:43:17PM -0700, Walter Landry wrote:
> So where is the source for old versions stored?  The alioth CVS is not
> publicly available.

On Fri, Jul 20, 2007 at 08:16:45PM +0200, Francesco Poli wrote:
> According To Anthony Towns, I Am Always Wrong Because IANADD/IANAL

On Fri, Jul 20, 2007 at 10:48:17PM +0200, Josselin Mouette wrote:
> Under what rationale did the ftpmasters decide it is OK for Debian not
> to respect the licenses of software we distribute?

On Fri, Jul 20, 2007 at 02:22:33PM -0700, Dan Serban wrote:
> I've refused to work
> on past projects due to them being licensed under the MPL based on some
> discussion had on this list a few months/years? ago.  I sure hope I
> wasn't wrong in doing so.

Uh, guys, stop being insane.

1) The MPL requires you to make the source code to your modifications
available for six-to-twelve months electronically _or_ to make it
available on the same media as the executable version. We do the latter.

In addition, old sources are available unofficially via snapshot.debian.net,
http://snapshot.debian.net/archive/pool/f/firebird2.0/source/Sources.gz

2) That you're not a lawyer or a DD means that you're not trained in
interpreting licenses, and that Debian's policies aren't based on your
opinion -- in both cases. That means that you're not in a position to
speak authoritatively about most of the issues that come up on this list,
so when what you write is written in a way that people will misinterpret
as an authoritative answer, that's a problem, which is only compounded
if what you say is also incorrect.

Licensing analysis requires an ability to understand subtleties of
language, and I wouldn't expect anyone who's competent at that to need
the above repeatedly explained.

3) Not understanding the license or how we're complying with it doesn't mean
we aren't.

4) That a license is DFSG-free doesn't mean it's "good" any more than
a license not being DFSG-free means it's "bad" -- there are lots of
reasons to not use DFSG-free licenses or software under the licenses,
and there are lots of reasons to use and work on software that's under
DFSG-non-free licenses. The DFSG is *Debian's* free software guidelines,
that're meant to be useful for *Debian* to make decisions. 

Personally, if I've got a choice, I don't use licenses that are GPL
incompatible, eg, which the MPL certainly is. Another complaint with
the MPL is that it's designed for Mozilla, rather than general use
by random organisations, which has led to a fair bit of unnecessary
license proliferation as people make minor changes to the MPL to apply
it to their software. But those considerations aren't ones that make a
difference for DFSG-freeness.

Cheers,
aj





Re: Why is firebird in Debian?

2007-07-20 Thread Mike Bird
Anthony Towns,

MPL section 3.6 says in relevant part:
> You may distribute Covered Code in Executable form only if the
> requirements of Sections 3.1, 3.2, 3.3, 3.4 and 3.5 have been met
> for that Covered Code, and if You include a notice stating that the
> Source Code version of the Covered Code is available under the terms
> of this License, including a description of how and where You have
> fulfilled the obligations of Section 3.2.

IPL section 3.6 is equivalent in relevant part:
> You may distribute Covered Code in Executable form only if the
> requirements of Section 3.1-3.5 have been met
> for that Covered Code, and if You include a notice stating that the
> Source Code version of the Covered Code is available under the terms
> of this License, including a description of how and where You have
> fulfilled the obligations of Section 3.2.

I have downloaded and installed firebird2-common 1.5.3.4870-12 which
contains a copy of the IPL in /usr/share/doc/firebird2-common/copyright.

I am unable to find "a description of how and where You have fulfilled
the obligations of Section 3.2", an obligation which you seem to
imagine is fulfilled by snapshot.debian.net(fn1).

# zgrep -i snapshot.debian.net $(dpkg -L firebird2-common)
gzip: /usr/lib/firebird2/firebird.log.gz: No such file or directory
gzip: /usr/lib/firebird2/help.gz: No such file or directory
#

It appears that You are distributing firebird2-common in violation
of IPL section 3.6, and therefore in violation of copyright law in
many jurisdictions.

Did I miss something?

--Mike Bird

(fn1) For a more rigorous approach, consider a version for which the
  source is either not available or available only from snapshot.

