From: Daniel J. <dan...@gm...> - 2015-06-20 23:18:43
> On Jun 20, 2015, at 7:03 PM, Daniel Johnson <dan...@gm...> wrote:
>
>> On Jun 20, 2015, at 6:49 PM, Alexander Hansen <ale...@gm...> wrote:
>>
>>> On Jun 20, 2015, at 15:03, Daniel Johnson <dan...@gm...> wrote:
>>>
>>>> On Jun 20, 2015, at 4:58 PM, Alexander Hansen <ale...@gm...> wrote:
>>>>
>>>> Since the system’s OpenSSL is going away for 10.11 we’ve got a bit of a pickle.
>>>>
>>>> My understanding is that our packages that use openssl100-dev and have binaries are now technically in violation of the openssl license, which only allows redistribution against an OpenSSL which is shipped with the OS.
>>>>
>>>> 1) Is this still true? If so, then we need to start tagging them as Restrictive.
>>>> 2) Does LibreSSL have the same restriction? If not, can we convert over to use that?
>>>>
>>>> --
>>>> Alexander Hansen, Ph.D.
>>>> Fink User Liaison
>>>>
>>>
>>> 1) IANAL, so I can’t answer this, but the issue isn’t that OpenSSL’s license forbids distribution. The problem is that because of OpenSSL’s “original” BSD license with the advertising clause, it is incompatible with the GPL. The GPL *does* allow linking to libraries that come with an OS, so that’s where the workaround used to be.
>>>
>>> 2) LibreSSL (and BoringSSL but we don’t have that package) is a fork of OpenSSL and therefore must use the same license. I believe they have been trying to get things relicensed but that’s an almost impossible job since there’s some really old code in there.
>>>
>>> Daniel
>>>
>>
>> 1+2) Ah. gotcha. As a simple base example then, is our cvs package, which uses openssl100, in violation? And if so, do we have to mark it as Restrictive? Or worse yet, pull it and stop supporting selfupdate-cvs on distributions where Xcode doesn’t have cvs?
>>
>> --
>> Alexander Hansen, Ph.D.
>> Fink User Liaison
>>
>
> This is a good run-down: https://people.gnome.org/~markmc/openssl-and-the-gpl.html
>
> Some packages have an explicit “OpenSSL is Ok” clause added to the GPL. cvs does not, but looking at the code, it looks like libcrypto is only used as a requirement for Kerberos and Apple’s Kerberos doesn’t need that. I’ll have to look at it closer. It may be possible to drop the dep.
>
> Daniel
>

Ok, cvs doesn’t link to or even check for openssl. The dep is probably a relic of an old Kerberos.framework that published -lcrypto in its config program. I’ve removed the dep and revved up.

Daniel