Am 25.02.20 um 23:38 schrieb Marco d'Itri:
> Control: found 26+20191223-1
>
> On Feb 23, Bastian Germann <bastiangerm...@fishpost.de> wrote:
>
>> All of the GPL-2+ licensed executables contained in the kmod
>> binary package link to libcrypto even though they do not have any
>> OpenSSL license exception. ftp-master considers this a serious
>> issue. So please remove this optional dependency or ask upstream
>> for a license exception.
> The large number of contributors to kmod obviously makes impossible
> getting a license exception, also considering that only Debian
> cares about linking GPL'ed software with OpenSSL.
>
> Since only libkmod (which is LGPL'ed), and not the actual commands,
> is linked with OpenSSL, and the libkmod symbols do not change
> depending if OpenSSL support is enabled or not, and the patches
> which introduced OpenSSL support did not touch the commands, then I
> think that the commands are obviously not a derivative work of
> OpenSSL. You can also easily verify that the commands are not
> linked with OpenSSL by looking at the build logs of the package.
$ ldd /bin/*mod /sbin/*mod*
/bin/kmod:
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/bin/lsmod:
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/depmod
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/insmod:
libcrypto.so.1.1 =>
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1/sbin/lsmod:
libcrypto.so.1.1 =>
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1/sbin/modinfo:
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/modprobe:
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
/sbin/rmmod:
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
buster's amd64 binaries are actually directly linked with libcrypto;
readelf says "(NEEDED) Shared library: [libcrypto.so.1.1]"
Even if they were linked with libcrypto via libkmod it would not make
any difference.
> Also, the next major release of OpenSSL will be relicensed with the
> ASLv2 anyway, which is compatible with the GPLv3.
That will help for bullseye+ but not for buster.
> For these reasons I have no interest and no plans to do anything
> about this, and I am quite annoyed that I had to spend my time
> researching these details and then explaining them to you.
You don't care and I am fine with that since I am not the maintainer
of the package. But I wanted to report the issue anyway since the
legal team's comments on that matter are unanimous.
