On Saturday, June 20, 2015, Daniel Johnson <daniel.johnso...@gmail.com> wrote:
> > > On Jun 20, 2015, at 7:03 PM, Daniel Johnson <daniel.johnso...@gmail.com > <javascript:;>> wrote: > > > > > >> On Jun 20, 2015, at 6:49 PM, Alexander Hansen < > alexanderk.han...@gmail.com <javascript:;>> wrote: > >> > >> > >>> On Jun 20, 2015, at 15:03, Daniel Johnson <daniel.johnso...@gmail.com > <javascript:;>> wrote: > >>> > >>> > >>>> On Jun 20, 2015, at 4:58 PM, Alexander Hansen < > alexanderk.han...@gmail.com <javascript:;>> wrote: > >>>> > >>>> Since the system’s OpenSSL is going away for 10.11 we’ve got a bit of > a pickle. > >>>> > >>>> My understanding is that our packages that use openssl100-dev and > have binaries are now technically in violation of the openssl license, > which only allows redistribution against an OpenSSL which is shipped with > the OS. > >>>> > >>>> 1) Is this still true? If so, then we need to start tagging them as > Restrictive. > >>>> 2) Does LibreSSL have the same restriction? If not, can we convert > over to use that? > >>>> > >>>> -- > >>>> Alexander Hansen, Ph.D. > >>>> Fink User Liaison > >>>> > >>> > >>> 1) IANAL, so I can’t answer this, but the issue isn’t that OpenSSL’s > license forbids distribution. The problem is that because of OpenSSL’s > “original” BSD license with the advertising clause, it is incompatible with > the GPL. The GPL *does* allow linking to libraries that come with an OS, so > that’s where the workaround used to be. > >>> > >>> 2) LibreSSL (and BoringSSL but we don’t have that package) is a fork > of OpenSSL and therefore must use the same license. I believe they have > been trying to get things relicensed but that’s an almost impossible job > since there’s some really old code in there. > >>> > >>> Daniel > >>> > >> > >> 1+2) Ah. gotcha. As a simple base example then, is our cvs package, > which uses openssl100, in violation? And if so, do we have to mark it as > Restrictive? Or worse yet, pull it and stop supporting selfupdate-cvs on > distributions where Xcode doesn’t have cvs ? > >> > >> -- > >> Alexander Hansen, Ph.D. > >> Fink User Liaison > >> > > > > This is a good run-down: > https://people.gnome.org/~markmc/openssl-and-the-gpl.html > > > > Some packages have an explicit “OpenSSL is Ok” clause added to the GPL. > cvs does not, but looking at the code, it looks like libcrypto is only used > as a requirement for Kerberos and Apple’s Kerberos doesn’t need that. I’ll > have to look at it closer. It may be possible to drop the dep. > > > > Daniel > > > > Ok, cvs doesn’t link to or even check for openssl. The dep is probably a > relic of an old Kerberos.framework that published -lcrypto in its config > program. I’ve removed the dep and reved up. Fedora doesn't have a build dependency on OpenSSL for their cvs package but does build it against a MIT licensed krb5 which in turn is built against OpenSSL. > Daniel > > >
------------------------------------------------------------------------------
_______________________________________________ Fink-devel mailing list Fink-devel@lists.sourceforge.net List archive: http://news.gmane.org/gmane.os.apple.fink.devel Subscription management: https://lists.sourceforge.net/lists/listinfo/fink-devel