Hi,

Sorry to jump in to this topic a bit late (I'm a loyal list-lurker).

About a year ago, I got annoyed by the fact that netatalk (a tool to provide AFP support) was not compiled with OpenSSL in the Debian distribution, meaning that passwords were not encrypted.

I engaged in a lengthy discussion on the debian-legal mailing list, and also asked the authors of the package about their opinion. Some things I recall about that discussion:

- You, as a person, may link a GNU licensed application against
  OpenSSL (or vice versa, compile a non-GNU compatible app against
  a GNU library).
- However, you may not distribute the resulting binary, since that
  would be covered by a single licence according to the FSF, and doing
  so would violate either the GPL or the OpenSSL licence.
- This also applies to dynamic linking, even though the resulting
  binary does not contain any bit of OpenSSL produced code (!).
- This previous statement is controversial, and not everyone agrees
  with it. However, so far no-one is willing to go into legal battle
  over this with the FSF since if they lose, that would mean
  commercial applications can easily incorporate GPL libraries,
  something the FSF sees as damaging to the open source community.
- OpenSSL is not considered 'part of the system libraries', and
  thus does not fall under that exemption in the GPL.
- The exception mentioned (like the one valknut-ssl has) is a
  good solution.
- However, such an exception to the GPL is very, very hard to later
  add. For example, the netatalk authors were most willing to add
  it, but felt they could not: they used sources from other GPL-based
  packages, and did not know anymore who contributed to that.
  Officially, they would have to ask each and every contributor to
  agree with the change in licencing (adding the exemption). This is
  not practical.
- The FSF GPL seems to argue (in their GPL FAQ) that if a (GPL
  licenced) application has specific code to interface with a
  non-GPL package, then you may assume that such an exception is
  implied by the authors of the code. I would then logically
  conclude, that would imply those authors were at fault by just
  distributing that specific code interfacing with OpenSSL. However,
  I am not a lawyer, but had the impression that the legal people
  did not agree with my logic here. So I gave up.
- You can try to compile a package against GnuTLS instead of OpenSSL
  if you distribute it as a binary. (Note: GnuTLS is a package to
  mimic OpenSSL, but only under a different, GPL, licence.
  <sarcasm>So much for the argument that Open Source prevents people
  from writing the same code twice</sarcasm>).
- There is no problem if you distribute OpenSSL and a GNU-licenced
  application as source, and let the user compile it.

Kind regards,
Freek Dijkstra

