[cvsnt-dev] Re: Legal concerns about OpenSSL

Tony Hoyle tony.hoyle at march-hare.com
Thu Oct 20 14:46:01 BST 2005

Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.

Andreas Tscharner wrote:
> Hello Tony, hello World,
> 
> The CVSNT package has been uploaded by my sponsor, but it was on hold 
> more than a week, so I investigated a bit why...
> 
> The OpenSSL FAQ about use with GPL software: 
> http://www.openssl.org/support/faq.html#LEGAL2
> 
> On the Debian Reject-FAQ (http://ftp-master.debian.org/REJECT-FAQ.html), 
> I've found a note that it's OK to link with OpenSSL if the author gives 
> a license exception to explicitely permit that.
> 
> Is there any notice or something in the source, binary program or on the 
> webpage, so I can reference to it?
> 
As the openssl site states, the situation is far from clear (people have 
said the same about the MS Runtimes in the past... it's even an issue 
whether a GPL Java or .NET program is legally possible..).

I can exempt sserver easily enough but not the main cvsnt code - which 
is still probably over 80% owned by numerous other people, so in the 
strictest interpretation (which debian usually use.. in fact their 
interpreation has been known to be stricter than the FSF eg. deciding 
the GFDL is non-free) I can't exempt sserver properly since it links 
dynamically with the wider cvsnt binary.

It's my intention to go to LGPL for all the libraries/protocols 
eventually, but have held off on the protocols as there's been a bit of 
input from other people and I want to be sure I'm not changing someone 
elses licensed code (even if a couple of lines)... this is mostly done 
but I need to review it again.   Of course the main CVSNT binary will 
probably always be GPL due to its history.

The only option I can see, short of dropping sserver from the debian 
package, is making sserver LGPL, then putting it as a separate package 
(possibly in non-free).   Whether debian legal see this as enough though 
is a matter for them... there's that whole dynamic linking ickyness.

You could try porting sserver to gnutls, but I've not got the time to do 
that just for one distribution.

Tony

More information about the cvsnt-dev mailing list