On Saturday, June 20, 2015, Daniel Johnson <daniel.johnso...@gmail.com>
wrote:

>
> > On Jun 20, 2015, at 7:03 PM, Daniel Johnson <daniel.johnso...@gmail.com
> <javascript:;>> wrote:
> >
> >
> >> On Jun 20, 2015, at 6:49 PM, Alexander Hansen <
> alexanderk.han...@gmail.com <javascript:;>> wrote:
> >>
> >>
> >>> On Jun 20, 2015, at 15:03, Daniel Johnson <daniel.johnso...@gmail.com
> <javascript:;>> wrote:
> >>>
> >>>
> >>>> On Jun 20, 2015, at 4:58 PM, Alexander Hansen <
> alexanderk.han...@gmail.com <javascript:;>> wrote:
> >>>>
> >>>> Since the system’s OpenSSL is going away for 10.11 we’ve got a bit of
> a pickle.
> >>>>
> >>>> My understanding is that our packages that use openssl100-dev and
> have binaries are now technically in violation of the openssl license,
> which only allows redistribution against an OpenSSL which is shipped with
> the OS.
> >>>>
> >>>> 1)  Is this still true?  If so, then we need to start tagging them as
> Restrictive.
> >>>> 2)  Does LibreSSL have the same restriction?  If not, can we convert
> over to use that?
> >>>>
> >>>> --
> >>>> Alexander Hansen, Ph.D.
> >>>> Fink User Liaison
> >>>>
> >>>
> >>> 1) IANAL, so I can’t answer this, but the issue isn’t that OpenSSL’s
> license forbids distribution. The problem is that because of OpenSSL’s
> “original” BSD license with the advertising clause, it is incompatible with
> the GPL. The GPL *does* allow linking to libraries that come with an OS, so
> that’s where the workaround used to be.
> >>>
> >>> 2) LibreSSL (and BoringSSL but we don’t have that package) is a fork
> of OpenSSL and therefore must use the same license. I believe they have
> been trying to get things relicensed but that’s an almost impossible job
> since there’s some really old code in there.
> >>>
> >>> Daniel
> >>>
> >>
> >> 1+2)  Ah.  gotcha.  As a simple base example then, is our cvs package,
> which uses openssl100, in violation?  And if so, do we have to mark it as
> Restrictive?  Or worse yet, pull it and stop supporting selfupdate-cvs on
> distributions where Xcode doesn’t have cvs ?
> >>
> >> --
> >> Alexander Hansen, Ph.D.
> >> Fink User Liaison
> >>
> >
> > This is a good run-down:
> https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> >
> > Some packages have an explicit “OpenSSL is Ok” clause added to the GPL.
> cvs does not, but looking at the code, it looks like libcrypto is only used
> as a requirement for Kerberos and Apple’s Kerberos doesn’t need that. I’ll
> have to look at it closer. It may be possible to drop the dep.
> >
> > Daniel
> >
>
> Ok, cvs doesn’t link to or even check for openssl. The dep is probably a
> relic of an old Kerberos.framework that published -lcrypto in its config
> program. I’ve removed the dep and reved up.


Fedora doesn't have a build dependency on OpenSSL for their cvs package but
does build it against a MIT licensed krb5 which in turn is built against
OpenSSL.


> Daniel
>
>
>
------------------------------------------------------------------------------
_______________________________________________
Fink-devel mailing list
Fink-devel@lists.sourceforge.net
List archive:
http://news.gmane.org/gmane.os.apple.fink.devel
Subscription management:
https://lists.sourceforge.net/lists/listinfo/fink-devel

Reply via email to