Hello. I blogged this one so you can pick up the gist of it below. Otherwise skip the link, read the e-mail.
http://blackfiber.wordpress.com/2007/11/02/cant-redistribute-mod_security-binaries/

The long and short of this is that mod_security has a license conflict with Apache in that the source is all GPL, but when compiled against Apache license (APL) headers it becomes a derivative work of Apache licensed sources (APL headers + GPL source files => compiler => output). Problem is you can't distribute the output of the GPL source under APL; you can't distribute the output of the APL source under GPL.

A more far-reaching problem is that some other modules (I've seen mod_ssl pointed out) link with GPL code or contain GPL code and reach the same conflict (but nobody cares), at least according to comments on Launchpad bug #19832.

What we have for options as a whole comes down to two things:

- Convince the Apache developers to relicense the Apache headers related to module API to MIT*, so that anyone can distribute any Apache module under any license in source or binary form.
- Use the known Apache module API to re-write the Apache headers from scratch under MIT license.

In either case, closed source modules also become possible. Anyone closing a GPL'd or APL'd module (mainly my concern is Breach closing mod_security) might cause an XFree86/Xorg style fiasco, where someone just picks off the latest dev sources and picks the project up full open source; then again maybe nobody cares except a few people that can't do so (remember, Xorg is half of XFree86's team, the talent and time were there already).

In the case of mod_security, Breach intentionally created the conflict itself for undisclosed business reasons; cleaning this up will irritate Breach Security. In the case of Apache Software Foundation, relicensing the headers may not align to their philosophical view of how Apache modules should be licensed; releasing an Apache header rewrite to circumvent their strategic licensing will irritate them as well.

mod_security is extremely useful.
Ideally one of a number of things happens:

* The license issue gets solved and Breach takes it as it comes, continuing their support business model. If the end user can't compile from source he can't configure mod_security; I want it PACKAGED so I don't have to manually track SECURITY FIXES. I have no qualms with Breach themselves and actually this is probably the best scenario.
* Licensing issue does get solved, but Breach freaks out and retaliates via closing the mod_security source. Someone snatches up the latest development branch, and the Apache Software Foundation continues developing their fork as an official Apache subproject. Breach sees the error in judgment and winds up supporting the official Apache distributable as it branches farther away from theirs, and eventually supplies developers and code to re-merge with the new project.
* License issue does not get solved, and the Apache foundation creates a competing module to distribute with Apache HTTP Server's core distribution. (I'm tempted, worst case scenario)

Of course we don't live in an ideal world so a lot of stuff that would be great probably won't happen. Still, I'm putting the idea out there for comment.

* BSD sits on unstable legal grounds as per random analysis brought up by people who seem to have just figured this out for themselves from time to time. MIT does the same thing people like to think BSD does; I like to avoid the whole dispute by just saying MIT.

--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss