Bacula and OpenSSL

Shane M. Coughlan · External Since: Jul 12, 2007 Posts: 9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Steve

Steve Langasek wrote:
> I agree that the GPLv3 is not "compatible" with the OpenSSL license, in the
> sense that code licensed under the OpenSSL license cannot be included in a
> GPLv3 work. However, the GPLv3 does include a broader (if no more easily
> understood) system exception clause, which seems to allow distributing GPLv3
> binaries that are /dynamically linked/ against OpenSSL. Is this not the
> position of FSF/FSF Europe?

I discussed this issue with Brett Smith of FSF, and as a result of this
he wrote the following brief summary:

===

We do not believe that OpenSSL qualifies as a System Library in Debian.
The System Library definition is meant to be read narrowly, including
only code that accompanies genuinely fundamental components of the
system. I don't see anything to suggest that that's the case for
OpenSSL in Debian: the package only has important priority (as opposed
to glibc's required), there are only about 350 packages depending on it
(as opposed to glibc's 8500), and it isn't installed on a base system.
To put it plainly, if OpenSSL actually were a System Library, I would
expect it to look more like one.

- -- Brett Smith Licensing Compliance Engineer, Free Software Foundation

===

Regards

Shane

- --
Shane Coughlan
FTF Coordinator
Free Software Foundation Europe
Office: +41435000366 ext 408 / Mobile: +41792633406
coughlan.RemoveThis@fsfeurope.org
Support Free Software > http://fsfe.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQCVAwUBRp9ziNGa7CzA5hXyAQIeqgQA5Mh8Z4gGTebZlnjrarafevRfHDscrl2n
8eAv6tNOXAX1xPCdEOrtKwIsXGb7NaPKQN6++0HjLRpYbogTsCJY1MBRL7UrE1DT
cPwoKByg6rEV+0AcGEprhlSftIEzpHoCavRBc6DIs9Z56tTqsV11sIZIqQOpaAuB
QigobVJggsU=
=/u7s
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.RemoveThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.RemoveThis@lists.debian.org

Shane M. Coughlan · External Since: Jul 12, 2007 Posts: 9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kern Sibbald wrote:
> Well, it is pretty general purpose. None of the FSF code is network or TLS
> related. The FSF files involved are:
> src/lib/fnmatch.h FSF
> src/lib/fnmatch.c FSF
> src/lib/enh_fnmatch.h FSF
> src/lib/enh_fnmatch.c FSF (fnmatch enhanced by us)
> src/lib/idcache.c FSF (from tar I think)
> src/findlib/save-cwd.c FSF (from tar I think)
> src/findlib/makepath.c FSF (from tar I think)

Just an update for everyone. The FSF (as the copyright holder) is
currently in discussions with Kern to see if they can help resolve this
issue for the Bacula project. Smile

Regards

Shane

- --
Shane Coughlan
FTF Coordinator
Free Software Foundation Europe
Office: +41435000366 ext 408 / Mobile: +41792633406
coughlan DeleteThis @fsfeurope.org
Support Free Software > http://fsfe.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQCVAwUBRp96a9Ga7CzA5hXyAQIw0QP/bNNtBxlQneasdV7+4QF+Q16BNYebPUag
qkWVPqL5H5I62FNmaQL1IvkMZ0welCCKGdeOb9AUxIVHWuL562mtdYiOz8dbcOKg
ruHiUYGYpVWj5QOXreAwsnjnZMHfxl6YJMeGK+4mv3gFIwN6CxvLjDO2b7+M5Sq5
FaU1hGid8l4=
=8OM8
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-legal-REQUEST DeleteThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster DeleteThis @lists.debian.org

Joe Smith · External Since: Jun 12, 2005 Posts: 78

I agree with AJ's statements and add only this:

Apt is priority important. That is the same priority as openssl.
Apt has relativly few revese dependencies (it appears to have less than
openssl does). But libapt is without any doubt
a system library under the GPLv3. It accompanies apt which is without doubt
a "genuinely fundamental component of the
system". So I'm thinking the Brett's criteria are not quite ideal.

--
To UNSUBSCRIBE, email to debian-legal-REQUEST RemoveThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster RemoveThis @lists.debian.org

Simon Josefsson · External Since: Oct 24, 2006 Posts: 82

Thomas Dickey <dickey.TakeThisOut@saltmine.radix.net> writes:

> Simon Josefsson <simon.TakeThisOut@josefsson.org> wrote:
>> Kern Sibbald <kern.TakeThisOut@sibbald.com> writes:
>
>>>> GPL + OpenSSL exception would be enough to be sure. You may have more
>>>> luck convincing copyright owners to grant an OpenSSL exception than to
>>>> accept an entirely new license.
>>>
>>> I am told that FSF never grants exceptions so this is a hopeless path that I
>>> have already explored.
>
>> That is incorrect. The FSF has granted OpenSSL license exceptions to
>> some software that links to OpenSSL. For example, GNU wget.
>
> That's not an example (unless you're intending to show a case where
> FSF allows itself to do things that it forbids others Wink

I don't follow, what do you mean? GNU wget is distributed under the GPL
with a license exception to permit linking with OpenSSL.

As far as I know, the FSF doesn't forbid anyone to use GPL with an
OpenSSL exception.

/Simon

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Kern Sibbald · External Since: Jun 29, 2006 Posts: 43

Hello Shane,

On Thursday 19 July 2007 16:22, Shane M. Coughlan wrote:
> Dear Steve
>
> Steve Langasek wrote:
> > I agree that the GPLv3 is not "compatible" with the OpenSSL license, in
the
> > sense that code licensed under the OpenSSL license cannot be included in a
> > GPLv3 work. However, the GPLv3 does include a broader (if no more easily
> > understood) system exception clause, which seems to allow distributing
GPLv3
> > binaries that are /dynamically linked/ against OpenSSL. Is this not the
> > position of FSF/FSF Europe?
>
> I discussed this issue with Brett Smith of FSF, and as a result of this
> he wrote the following brief summary:
>
> ===
>
> We do not believe that OpenSSL qualifies as a System Library in Debian.
> The System Library definition is meant to be read narrowly, including
> only code that accompanies genuinely fundamental components of the
> system. I don't see anything to suggest that that's the case for
> OpenSSL in Debian: the package only has important priority (as opposed
> to glibc's required), there are only about 350 packages depending on it
> (as opposed to glibc's 8500), and it isn't installed on a base system.
> To put it plainly, if OpenSSL actually were a System Library, I would
> expect it to look more like one.

Thanks for following up on this. However, I am not sure that Brett answered
the "technical" point concerning the GPLv3 that was brought up by Steve.
Though I'm not sure that question really needs answering since it is likely
to lead to lots of different interpretations of subtle points as we are
currently seeing with the System Library definition.

What struck me as getting closer to the fundamental problem that I am having
is the remarks in a later email by Anthony Towns where there are apparently
360 packages on his system that would be removed if he were to remove
OpenSSL.

I see the positions of the different people who have responded to this
question about linking Bacula with OpenSSL, and though I obviously cannot
agree with everyone, since there are opposing interpretations, I can say that
each has valid points.

To me the issue is much more fundamental. Apparently the problem with OpenSSL
is one of an "onerous advertising clause", which I don't find so onerous --
so the authors want their names acknowledged for the work they did. In
reading the clause that apparently poses the problem:

* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgment:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"

I have to say, that I am not completely sure what they want. I've tried to
ask the authors, but their email addresses seem to be invalid. I've tried to
ask the current OpenSSL maintainers, but they have not yet responded to my
email.

In any case, I have added explicit acknowlegements in the LICENSE file and in
the manual. As far as I know these are the only "advertising" materials that
are used by Bacula or any of the distros, so I *think* I am in compliance
with *their* license.

Now, coming back the GPL issue. I can understand why RMS doesn't like the
OpenSSL license because of this advertising clause, but what I find *very*
hard to understand is why that concerns anyone but me and the people
distributing the binaries. We are the only ones who "suffer" from that
clause. The bottom line is that I see no harm to either the Free Software
movement nor the authors of GPLed software that I use in Bacula, if I comply
the best I can with the terms of the OpenSSL license.

Right now, license issues seem to be black and white, that is they either work
or do not work with GPL period. It seems to me that in the case of OpenSSL,
their license is not totally incompatible with GPL, it is just a bit annoying
to some people.

I don't want to imply that I encourage such licenses, but given the wide
spread usage of OpenSSL and the rather trivial nature of this "problem"
(IMO), it seems to me that the decision on whether or not software can be
linked to the OpenSSL code should be up to the persons distributing the
binaries.

Because of the large number of packages where some, if not many, probably have
the same problem as Bacula, I would appreciate hearing FSF's and RMS'
position on this.

Best regards,

Kern

>
> -- Brett Smith Licensing Compliance Engineer, Free Software Foundation
>
> ===
>
> Regards
>
> Shane
>
> --
> Shane Coughlan
> FTF Coordinator
> Free Software Foundation Europe
> Office: +41435000366 ext 408 / Mobile: +41792633406
> coughlan DeleteThis @fsfeurope.org
> Support Free Software > http://fsfe.org
>

--
To UNSUBSCRIBE, email to debian-legal-REQUEST DeleteThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster DeleteThis @lists.debian.org

Steve Langasek · External Since: Dec 13, 2004 Posts: 2140

Hi Shane,

On Thu, Jul 19, 2007 at 04:22:06PM +0200, Shane M. Coughlan wrote:

> Steve Langasek wrote:
> > I agree that the GPLv3 is not "compatible" with the OpenSSL license, in the
> > sense that code licensed under the OpenSSL license cannot be included in a
> > GPLv3 work. However, the GPLv3 does include a broader (if no more easily
> > understood) system exception clause, which seems to allow distributing GPLv3
> > binaries that are /dynamically linked/ against OpenSSL. Is this not the
> > position of FSF/FSF Europe?

> I discussed this issue with Brett Smith of FSF, and as a result of this
> he wrote the following brief summary:

> ===

> We do not believe that OpenSSL qualifies as a System Library in Debian.
> The System Library definition is meant to be read narrowly, including
> only code that accompanies genuinely fundamental components of the
> system. I don't see anything to suggest that that's the case for
> OpenSSL in Debian: the package only has important priority (as opposed
> to glibc's required), there are only about 350 packages depending on it
> (as opposed to glibc's 8500), and it isn't installed on a base system.
> To put it plainly, if OpenSSL actually were a System Library, I would
> expect it to look more like one.

> - -- Brett Smith Licensing Compliance Engineer, Free Software Foundation

> ===

IMHO that would be a rather unfortunate position for the FSF to take, as it
would mean the changes to the system exception clause are *only* of benefit
to distributors of proprietary operating systems, while GNU/Linux
distributors are left with the same license compatibility problems as ever.

But as AJ noted, the above analysis seems to get some facts wrong. In
addition to the fact that OpenSSL is part of the base system, the count of
reverse-dependencies seems to be off somewhat. There are 461 packages in
etch that depend on libssl0.9.8, plus another 11 depending on the
libssl0.9.7 that we aren't quite rid of. Of course that's nothing close to
glibc's 8500, but if we were to look at some of the individual libraries
within the libc6 package, like librt, libnsl, libm, or libdl, I would expect
that openssl's usage within Debian is at least within an order of magnitude
of some of these. Surely if libraries such as these qualify as System
Libraries (and I should hope they do!), shouldn't libssl qualify too?

Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon.TakeThisOut@debian.org http://www.debian.org/

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Thomas Dickey · External Since: Aug 09, 2006 Posts: 96

Simon Josefsson <simon.DeleteThis@josefsson.org> wrote:
>>> That is incorrect. The FSF has granted OpenSSL license exceptions to
>>> some software that links to OpenSSL. For example, GNU wget.
>>
>> That's not an example (unless you're intending to show a case where
>> FSF allows itself to do things that it forbids others Wink

> I don't follow, what do you mean? GNU wget is distributed under the GPL
> with a license exception to permit linking with OpenSSL.

It's a GNU project, as noted.

> As far as I know, the FSF doesn't forbid anyone to use GPL with an
> OpenSSL exception.

That's entirely possible, but you haven't provided an example which
isn't contaminated by self-interest on the part of FSF. If you can
provide such an example, there's something to discuss.

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.DeleteThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.DeleteThis@lists.debian.org

Simon Josefsson · External Since: Oct 24, 2006 Posts: 82

Thomas Dickey <dickey RemoveThis @saltmine.radix.net> writes:

>> As far as I know, the FSF doesn't forbid anyone to use GPL with an
>> OpenSSL exception.
>
> That's entirely possible, but you haven't provided an example which
> isn't contaminated by self-interest on the part of FSF. If you can
> provide such an example, there's something to discuss.

The FSF cannot change the license on code they don't own. As far as I
understand, what you are looking for do not appear to be possible from a
legal point of view. I'm assuming that you would regard any FSF owned
code to be "contaminated" by the FSFs' self-interest.

What kind of example are you looking for?

/Simon

--
To UNSUBSCRIBE, email to debian-legal-REQUEST RemoveThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster RemoveThis @lists.debian.org

Thomas Dickey · External Since: Aug 09, 2006 Posts: 96

Simon Josefsson <simon.TakeThisOut@josefsson.org> wrote:

> What kind of example are you looking for?

The example that you failed to provide in the posting to which I responded.
(let's not get sidetracked)

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Shane M. Coughlan · External Since: Jul 12, 2007 Posts: 9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RE: The FSF position regarding OpenSSL as a system library in Debian.

> ===
>
> We do not believe that OpenSSL qualifies as a System Library in Debian.
> The System Library definition is meant to be read narrowly, including
> only code that accompanies genuinely fundamental components of the
> system. I don't see anything to suggest that that's the case for
> OpenSSL in Debian: the package only has important priority (as opposed
> to glibc's required), there are only about 350 packages depending on it
> (as opposed to glibc's 8500), and it isn't installed on a base system.
> To put it plainly, if OpenSSL actually were a System Library, I would
> expect it to look more like one.
>
> -- Brett Smith Licensing Compliance Engineer, Free Software Foundation
>
> ===

Steve, Kern and Anthony all made comments regarding the statement above.
I just wanted to let you know that I've forwarded these comments to
Brett Smith. Smile

Best regards

Shane

- --
Shane Coughlan
FTF Coordinator
Free Software Foundation Europe
Office: +41435000366 ext 408 / Mobile: +41792633406
coughlan DeleteThis @fsfeurope.org
Support Free Software > http://fsfe.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQCVAwUBRqWzwdGa7CzA5hXyAQJqEwQApMLgHexbnbETjga1Vj3MJN8qMHnWX3uw
mpo/8O73LHoBSgUTll+G9pidyy+xe8o39F7l3m4QbmN5u5IN6XcHI1nwynMyVcT1
FKL9cMf7woDYxBhKQv9kUK29Hq73SiFF5DMd2yPm0pO1tNHrS/XBvzeYetgB6YSm
VuPARJ+FuC4=
=Xk30
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-legal-REQUEST DeleteThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster DeleteThis @lists.debian.org

Shane M. Coughlan · External Since: Jul 12, 2007 Posts: 9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all

Following comments on FSF's position regarding OpenSSL as a System
Library in Debian, Brett Smith at FSF sent the following message:

===

I apologize for my misunderstandings about OpenSSL's status in Debian,
and appreciate the corrections. However, even given all this
information, I still don't see how OpenSSL meets part (a) of the System
Library definition. What is the Major Component that OpenSSL
accompanies? Kernels always come with C libraries, and GCC always comes
with libgcc. What package comes with OpenSSL? I understand that there
are some pretty important applications that require OpenSSL, such as
apt, but that's not the same thing as accompanying apt. Moreover,
"pretty important" isn't the same thing as "essential" in the very
narrow sense the license aims to define it in.

===

I hope this helps clarify things. Smile

Regards

Shane

- --
Shane Coughlan
FTF Coordinator
Free Software Foundation Europe
Office: +41435000366 ext 408 / Mobile: +41792633406
coughlan DeleteThis @fsfeurope.org
Support Free Software > http://fsfe.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQCVAwUBRqYWZdGa7CzA5hXyAQJm9wP/eHCZAkZFQNR1+aliIzJqQ8o4CA2CMU87
MQ98NQubX/fd0Cai34Ue9hu4m8nqS2Eo0zbw9+1TYpHZ29N6HvQW5IwAv32FkBPI
ah/aLgmjnlFlcBJAjTfQo2jswHyxUwmRI0CFnAK8J6E1AB2sriBceHgGZdrVs770
ux0SMFlnsqk=
=kl+r
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-legal-REQUEST DeleteThis @lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster DeleteThis @lists.debian.org

Michael Poole · External Since: Apr 12, 2004 Posts: 135

Shane M. Coughlan writes:

> Dear all
>
> Following comments on FSF's position regarding OpenSSL as a System
> Library in Debian, Brett Smith at FSF sent the following message:
>
> ===
>
> I apologize for my misunderstandings about OpenSSL's status in Debian,
> and appreciate the corrections. However, even given all this
> information, I still don't see how OpenSSL meets part (a) of the System
> Library definition. What is the Major Component that OpenSSL
> accompanies? Kernels always come with C libraries, and GCC always comes
> with libgcc. What package comes with OpenSSL? I understand that there
> are some pretty important applications that require OpenSSL, such as
> apt, but that's not the same thing as accompanying apt. Moreover,
> "pretty important" isn't the same thing as "essential" in the very
> narrow sense the license aims to define it in.
>
> ===
>
> I hope this helps clarify things. Smile

I (as neither Debian Developer nor lawyer) think it makes things more
arbitrary, in particular the distinction between "come with" and
"require".

Which kernels come with C libraries in a different sense than they
come with a large set of other binaries? When I download the Linux
kernel, it does not include any C library; when I download or update
the various free BSDs, they include the kernel, a C library, all of
gcc, and a variety of other GPLed works that are not System Libraries.

On the other hand, libgcc is distributed (by the FSF) with the rest of
GCC -- but is that not because it is part of GCC? To pick an example,
libgcc includes crtstuff.c from the main gcc directory. The copyright
comment at the start of that file says "This file is part of GCC."
The libgcc directory includes a variety of linker scripts and build
directives, but no separate source code. Distributors usually sever
libgcc from the gcc binary, so that libgcc is distributed separately
from the packages containing the gcc compilers.

(Also: If, for a modern packaging system, a compiler is "essential"
but the packaging system is not, the FSF needs to have its head
re-examined.)

Michael Poole

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.RemoveThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.RemoveThis@lists.debian.org

Kern Sibbald · External Since: Jun 29, 2006 Posts: 43

On Tuesday 24 July 2007 10:09, Shane M. Coughlan wrote:
> RE: The FSF position regarding OpenSSL as a system library in Debian.
>
> > ===
> >
> > We do not believe that OpenSSL qualifies as a System Library in Debian.
> > The System Library definition is meant to be read narrowly, including
> > only code that accompanies genuinely fundamental components of the
> > system. I don't see anything to suggest that that's the case for
> > OpenSSL in Debian: the package only has important priority (as opposed
> > to glibc's required), there are only about 350 packages depending on it
> > (as opposed to glibc's 8500), and it isn't installed on a base system.
> > To put it plainly, if OpenSSL actually were a System Library, I would
> > expect it to look more like one.
> >
> > -- Brett Smith Licensing Compliance Engineer, Free Software Foundation
> >
> > ===
>
> Steve, Kern and Anthony all made comments regarding the statement above.
> I just wanted to let you know that I've forwarded these comments to
> Brett Smith. Smile

OK, thanks.

Concerning Brett's most recent answer: I have to agree that OpenSSL is not a
System Library in the very strict sense of the word.

Regards,

Kern

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.RemoveThis@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.RemoveThis@lists.debian.org

Shane M. Coughlan · External Since: Jul 12, 2007 Posts: 9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Michael, Anthony

I just wanted to let you know that I have forwarded your comments and
feedback regarding GPLv3, OpenSSL and System Libraries to Brett Smith,
licence engineer at FSF. Smile

Regards

Shane

- --
Shane Coughlan
FTF Coordinator
Free Software Foundation Europe
Office: +41435000366 ext 408 / Mobile: +41792633406
coughlan.TakeThisOut@fsfeurope.org
Support Free Software > http://fsfe.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQCVAwUBRq26DNGa7CzA5hXyAQKc7gP8C9eBbRSOW4jdne9Qpzx3cfFi9WKEDqf8
IgUXvktnSEdSbKV2pfEVD5Y3YaVUkZfnXqTbqrpdB4qykoh2uODgS8eBiRgX2Lf3
8dxLVbjim/SdBeeLdGexd8R/4SwZGFPiNUE8CEkqGHFsCSCuxoxPjl+U9Ki7S1ia
lJVzpjUOkqQ=
=cUyh
-----END PGP SIGNATURE-----

--
To UNSUBSCRIBE, email to debian-legal-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org