[openssl-dev] License change agreement

Florian Weimer fw at deneb.enyo.de
Fri Mar 24 19:47:23 UTC 2017

* Kurt Roeckx:

> On Fri, Mar 24, 2017 at 08:02:25PM +0100, Florian Weimer wrote:
>> * Quanah Gibson-Mount:
>> > Zero people that I know of are saying to switch to the GPL.  What is
>> > being pointed out is that the incompatibility with the current
>> > OpenSSL license with the GPLv2 has been a major problem.
>> The alleged incompatibility of OpenSSL with the GPLv2 has been used to
>> promote GNUTLS in the past (and to a much lesser extent, a certain
>> crypto consolidation effort intending to switch everything to NSS).
>> But GNUTLS has since left the GNU project, and I'm not aware of anyone
>> on the distribution side still saying that the old OpenSSL license
>> (particularly when used as a dynamically-linked system library) and the
>> GPLv2 are incompatible.  It's just not considered a problem anymore.
> As far as I know, for Debian it's still a problem that a GPL
> application links to openssl.
> A few examples:
> - We have multiple curl versions, linked to openssl, gnutls, nss.
>   And you then have to build against the correct one for license
>   reasons.
> - QT (which is LGPL?) does not itself link to libssl but can
>   dynamically load it so that GPL applications can use QT assuming
>   they don't use SSL.
> - We have asked upstream projects to add an openssl exception to
>   their GPL license.

A few examples from Debian for the reverse:

- cgit links against libssl1.1 and is GPLv2
- tcpflow has GPLv2 pieces and links against libssl1.1
- many GPLv1 and GPLv2 programs which link against libgcc
  (which is GPLv3 with an exception, but one that arguably
  does not make it GPLv2-compatible)

I also found a few packages with an OpenSSL exception which have
merged GPL code from other sources who may or may not have agreed to
the exception.

It's probably marginally more productive to continue this discussion
on a Debian list (not that I think anymore that this discussion

