Hi, I would like openssl to be considered a system library in Ubuntu. As a developer, it seems very clear to me that it is essentially treated as such, with its penetration in packages probably as common as other shared libraries.
I would suggest that an openssl derived libssl.so being included in the default Launchpad buildd chroots substantiates this, along with other core libraries. In addition, I do not believe any Ubuntu media avoids installing openssl by default.

One of the common bug and feature requests we get is for squid to support SSL[0][1]. We know that a significant volume of openssl users take the source package and make minimal modifications to rebuild it locally, with openssl support. Judging from the bug reports, this also seems to affect ubuntu.com’s services that use SSL (i.e., the Ubuntu packages are not even fit for Ubuntu infrastructure).

I believe this to be both a usability and, potentially more importantly, a security issue, as a large volume of users are being compelled to use custom packages that do not benefit from the Main archive security support they normally would.

An upstream exception has been sought, but due to lack of centralised copyright handling - it has not been viable to get all the copyright holders in agreement. Additionally, work to support gnutls could also be invested - This is making some progress, but has been slow. As Ubuntu’s primary intention is to be a distribution, we have not been able to justify resources to work on this.

We are now seeing a similar issue with mongodb, and would ask for clarification that openssl is considered a “system library”, and therefore allow openssl support by default in packages that can make use of it. This would seem to be in the best interest of users.

This being said, as good Free Software advocates - I would like to stipulate that every effort should be made to draw upstream copyright holders to granting an OpenSSL exception, and this is a pragmatic direction, whilst being faithful to Ubuntu’s free software commitments.

I would like to draw contrast with other Linux distributions that consider such matters.
One distribution is Fedora, where they seem to specifically outline that they consider openssl to be a system library[2].

[0] https://bugs.launchpad.net/ubuntu/+source/squid/+bug/16669
[1] https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1088971
[2] https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F

Thanks.

--
Kind Regards,
Dave Walker <dave.wal...@canonical.com>
Engineering Manager, Ubuntu Server

--
technical-board mailing list
technical-board@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/technical-board