Hello list, I have been working in merging open-iscsi package:
https://salsa.debian.org/rafaeldtinoco-guest/open-iscsi/-/commits/experimental with open-iscsi project upstream: https://github.com/open-iscsi/open-iscsi/ and also cleaning up the open-iscsi package a bit (thus will have to give special attention to hooks and debian-installer to check if there are no regressions). But this is no the important part, apart from the FYIO so far, the important part is that Debian maintainer, when running lintian, has found the OpenSSL being linked to GPL code: https://github.com/open-iscsi/open-iscsi/issues/208 Turns out upstream developers are using OpenSSL for the new CHAP authentication mechanisms. There is no support for gnu-tls nor libnss so far. With all that said, I would like to know IF adding the OpenSSL disclaimer + GPL w/ OpenSSL disclaimer in the upstream license would be "good enough" for Ubuntu to allow the features, like stated here: https://github.com/open-iscsi/open-iscsi/issues/208#issuecomment-628076437 """ Hi @rickysarraf -- I disagree that this dependency was created with recent changes -- open-iscsi depended on openssl before that, if I understand correctly. The change you reference just required a newer version of SSL. @cleech , please correct me if I'm wrong. I know virtually nothing about this code, since Chris made these changes. After looking at this reference I found, I believe adding a disclaimer to our license might be a good enough work around. I also have no objections to changing to a different encryption package, though openssl does seem to be the best. I'm personally not worried about this. I think people have better things to do than to rip off open-iscsi/openssl code. But I'm also not a lawyer. """ and defended here: https://github.com/open-iscsi/open-iscsi/issues/208#issuecomment-628775520 """ I know Fedora has taken the position that OpenSSL is a system library as defined by the GPL, which is probably why I didn't run into issues with license check tools when I added the OpenSSL code. I'd consider a patch to disable OpenSSL use, but our build isn't in the best shape for those types of options right now. I'd be happier to add an OpenSSL exemption if there was a standard form that would keep other distros happy. """ INDEPENDENTLY of this discussion, I have already prepared a patch removing the openssl need and restoring MD5 only behavior, but keeping the new authentication logic, here: https://github.com/rafaeldtinoco/open-iscsi/commit/cc231b68e3d1356fd60d512661d32172d1e42f19 It is very likely that I'll have to use this for Debian package, but I was wondering if we should consider restoring OpenSSL linking and features for Ubuntu. I'm really not a licensing person, so for me this is a ok-ok situation, no matter the decision. Could someone help me taking that decision ? Thanks for reading so far. Best, -rafaeldtinoco -- ubuntu-server mailing list ubuntu-server@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-server More info: https://wiki.ubuntu.com/ServerTeam
