docsis build depends on lin
Status: Beta
Brought to you by:
rlaager
Docsis currently depends on libsnmp, which in turn links against openssl. As docsis is GPL, it has incompatibilities with openssl unless an exception is made in the licensing. Thus, to solve this issue, we should consider relicensing docsis to gpl+openssl exception.
By the way, this change is needed to keep docsis in Debian :-/
Hi!
Some time ago, I asked the original author, Cornel Ciocirlan, to change the license to the GPL with the OpenSSL exception, and he answered OK to the change, but he forgot to change the license... and after that it was impossible for me to contact him to confirm the license change...
So I only have a "verbal" approval :(
By the way, docsis doesn't use SSL encryption, but uses libsnmp, which is linked with openssl to implement the SNMP v3 protocol... which docsis doesn't use...
Why does libsnmp link to OpenSSL? Are there applications in Debian which depend on that behavior? If not, obviously eliminating that linkage entirely is the simplest answer. Assuming there are users of it, would it be possible to have the libsnmp source package be compiled a second time without that linkage to create a libsnmp-nossl binary package which docsis could use?
If so, isn't this academic? If docsis could be compiled against a libsnmp that doesn't use OpenSSL and work perfectly fine, then how do we have a problem?
Alternatively, could libsnmp link against GnuTLS? I think it has some level of OpenSSL source-compatibility (e.g. a porting layer).
The last version of libsnmp has added a direct link to -lcrypto, triggering the error in lintian (the app that does static analysis of Debian packages).
But libsnmp had already depended on libssl :-/
Yes, there are applications that depend on this behaviour. No, I really doubt we will see a libsnmp without OpenSSL or linked against GNUTLS :-(
Is docsis one of those applications? I can't think of how it would be, but I'm not an expert, I'm really just slightly maintaining a more-or-less abandoned package. If not, what about providing a second binary of libsnmp that does not have the SSL functionality?
Yes, it links to libsnmp, which in turn links to libopenssl.
It will not happen :(
Yes, but what CRYPTOGRAPHY does docsis use via libsnmp?
IANAL, but as far as I understand, it doesn't need to use it, just link. The problem here is that there is a library in the middle which is using libopenssl. According to some people this situation will require an OpenSSL exception, according to some others, not.
I have just sent a mail to debian-legal (will post link as soon as I have it) to ask them for their advice on the situation.
I'm sure this is not the only software which got involved in this change, so we will need to see what happens.
Link to my post to debian-legal: http://lists.debian.org/debian-legal/2013/06/msg00001.html
If someone has evidence of copyright holder(s) giving OpenSSL exceptions, I'd be willing to look at the change history and see how close we'd be to being able to relicense.
Otherwise, I don't really see an issue here. docsis doesn't use OpenSSL directly or indirectly.