|
From: Alberto G. I. <ag...@ag...> - 2003-04-28 14:40:49
|
Hi all,

Sorry for the huge forward, but everything needed to understand this problem should be there :)

GPL software does not mix well with OpenSSL, and that's giving me some headaches lately. As you may see in my mail to Markus (liblzo author) and James (we all know who he is :) linking liblzo with OpenSSL may be a GPL violation [1].

So this is a call for comments on this issue.
Can anybody reach Markus and comment to him about this?
Should we switch to another compression library? In that case, which one would be suitable? zlib?
Should we ignore this and let RMS jump on us? [2]

Hoping to get lots of feedback,

Alberto

[1] http://www.openssl.org/support/faq.html#LEGAL2
[2] Yes, it's a joke

----- Forwarded message from James Yonan <ji...@yo...> -----

From: James Yonan <ji...@yo...>
To: Alberto Gonzalez Iniesta <ag...@ag...>
Subject: Re: comp-lzo and licensing issues
Date: Sat, 26 Apr 2003 16:57:26 -0000

Hi Alberto,

How are you doing? I haven't heard from you for a while!

Interesting problem. Well I hope that Markus will agree to the linkage.

It seems that this must be a common problem, if GPL cannot co-exist with licenses which are still open source but non-GPL. It also seems that the whole notion of "linkage" is a thorny issue and would need to be rigorously defined. For example, does

    gpl-program | non-gpl-program > conundrum.log

constitute linkage? What if the linkage is between components in user space and kernel space that have different licenses, but otherwise commingle in the same address space? Is linkage via shared libraries or static linkage different from interprocess communication linkages or network communication linkages?

As you mention, zlib is certainly another option, though I don't know how it scores in the realtime category. It would also need to be able to compress/decompress small blocks (i.e. MTU sized) without reference to other blocks or cross-block state-info.

I would agree that you should post something to openvpn-devel about this.

Best Regards,
James

Alberto Gonzalez Iniesta <ag...@ag...> said:

> Hi James,
>
> First of all, sorry for the delay in contacting you about this. :(
> I'm mailing you off the list because this can be a picky subject. You
> may take this subject to the list whenever you feel like.
>
> As you can see in http://bugs.debian.org/177497 , I had to disable
> liblzo support in Debian's packages due to a (possible) GPL violation.
>
> Remember the exception you did to OpenVPN's license so it could be built
> against OpenSSL? Well, the same thing should be done with liblzo. I
> mailed liblzo's author on Jan 26, but I got no answer from him. (See
> attachment)
>
> So, what happens now? From my point of view, we have two choices:
> a) Try (again) to convince LZO's author to make the exception in his
> source. Until that happens I won't be able to package OpenVPN with LZO
> support (and lots of people require it. See bugs.d.o/182549 and 187117)
>
> b) My No 1 wishlist request for OpenVPN: a new compression library.
> For example: zlib, which uses a BSD-like license and it's used in
> OpenSSH.
>
> Please, let me know what you think of all this. And, of course, feel
> free to take this discussion to the -devel list.
>
> Thanks,
>
> Alberto
>
> --
> Alberto Gonzalez Iniesta       | They that give up essential liberty
> agi@(agi.as|debian.org)        | to obtain a little temporary safety
> Encrypted mail preferred       | deserve neither liberty nor safety.
>
> Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
>
> Date: Sun, 26 Jan 2003 10:51:01 +0100
> From: Alberto Gonzalez Iniesta <ag...@ag...>
> To: Markus Franz Xaver Johannes Oberhumer <mar...@jk...>
> Subject: Compiling and/or linking liblzo with OpenSSL
>
> Hi Markus,
>
> I'm the Debian Maintainer of OpenVPN (http://openvpn.sourceforge.net).
> OpenVPN is, as you may guess, a VPN software with liblzo support for
> improved performance. It's GPL'ed just like liblzo, but uses OpenSSL.
>
> It seems that GPL and OpenSSL don't mix well:
> http://www.openssl.org/support/faq.html#LEGAL2
>
> Since we're *very* picky with licenses in Debian, I had to disable liblzo
> support in Debian's OpenVPN packages (http://bugs.debian.org/177497).
> That's far from being the best solution to the 'problem', which is
> adding a little exception to liblzo's license. OF COURSE IF, AND ONLY IF
> you completely agree with your source compiling, linking, and/or using
> OpenSSL in any case.
>
> The exception would be something like this (from OpenVPN's one):
>
>   In addition, as a special exception, **your name here ** gives
>   permission to link the code of this program with the OpenSSL
>   library (or with modified versions of OpenSSL that use the same
>   license as OpenSSL), and distribute linked combinations including
>   the two. You must obey the GNU General Public License in all
>   respects for all of the code used other than OpenSSL. If you modify
>   this file, you may extend this exception to your version of the
>   file, but you are not obligated to do so. If you do not wish to
>   do so, delete this exception statement from your version.
>
> Thanks for your time. I'm looking forward to hearing from you soon and
> hope to be able to use liblzo in OpenVPN from now on :)
>
> Alberto
> --

----- End forwarded message -----

--
Alberto Gonzalez Iniesta       | They that give up essential liberty
agi@(agi.as|debian.org)        | to obtain a little temporary safety
Encrypted mail preferred       | deserve neither liberty nor safety.

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
|
From: Aaron S. <and...@ra...> - 2003-04-28 15:06:46
|
On Mon, 28 Apr 2003, Alberto Gonzalez Iniesta wrote:

> Hi all,
>
> Sorry for the huge forward, but everything needed to understand this
> problem should be there :)
>
> GPL software does not mix well with OpenSSL, and that's giving me some
> headaches lately. As you may see in my mail to Markus (liblzo author) and
> James (we all know who he is :) linking liblzo with OpenSSL may be a GPL
> violation [1].
>
> So this is a call for comments on this issue.
> Can anybody reach Markus and comment to him about this?
> Should we switch to another compression library? In that case, which one
> would be suitable? zlib?
> Should we ignore this and let RMS jump on us? [2]

Well zlib could be suitable, considering that OpenVPN does implement some reliable UDP stuff for SSL/TLS type streams to work correctly. Of course it might be a performance hit. On the other hand, if you are linking it yourself and not redistributing the binaries you are probably okay. This means though that prebuilt binaries linked to liblzo could be a no-no.

Of course the slope gets slippery if OpenSSL is shipped with the OS by default and is considered a 'system library'. In such case it might not necessarily be a violation, otherwise linking GPL software on a system like Solaris and distributing the resulting binaries would be forbidden as well.

Of course another option here is to consider getting OpenVPN to play nice with gnutls, though I am not familiar with the maturity of that piece of software.

Regards,

Aaron
|
From: bishop <bi...@pl...> - 2003-04-28 18:09:49
|
>> Of course another option here is to consider getting OpenVPN to play nice
>> with gnutls, though I am not familiar with the maturity of that piece of
>> software.

Does anyone else here consider this to be entirely the wrong way to go?

First off, the problem appears to be one that's present in all cases where GPL-licensed software is linked with non-GPL-licensed software (I'm lazy, and assuming OpenSSL is `BSD). The OpenSSL people are only stating a commonly-overlooked problem that will eventually bite every single one of us.

So, what do we do? We write an exception in a GPL-licensed project's software license? That only seems shady on the surface, like one's trying to exempt oneself from someone else's licensing - I'd like to do that with MS. In fact, the only problem is that, soon, maintainers of GPL-licensed projects will need to maintain an entire list of exemptions, and it may eventually be larger than the GPL boilerplate - no mean feat, but as time_t->oo ...

I think that this is another example of how the GPL1 license is really not intended for a world that is not either entirely GPL or entirely non-GPL. It's perhaps meant to eventually edge-out the non-GPL licenses, something we'd normally consider a bit more difficult if it weren't the much-loved GNU doing it. The motives are similar to any other empire-builder (Oh yes, and please let us remora the name of your operating system).

I would suggest, for our sanity and not for the sake of any freedom we require to link with whatever projects we choose, that we do NOT consider adding any more GPL-covered projects to this one. In case we run into any more snags, the remaining GPL bits can be pulled more easily.

Is this an issue that should be Asked of Slashdot?

- bish

DISCLAIMERS: This message is only half-formed, having been the product of a mere hour of thought and discussion on the issue with co-workers, none of whom were lawyers. It is neither logically complete nor sound. I am biased. Normally I'm an annoying, opinionated, proselytizing grouchy recluse, emerging from my cave only to yell "Dooooom" in a James Earl Jones voice. I work for a company that works with linux and tries to make a profit; that's two distinct halves of a company that do not often mix due to legal reasons. Ironically, many free vendors trying to make money on 'free' software employ full-time legal teams whose sole job is to prevent the company running afoul of the GPL and other licenses; I'm not a member of that part of my company, thankfully (IANAL).

Aaron Sethman wrote:
> On Mon, 28 Apr 2003, Alberto Gonzalez Iniesta wrote:
>
>>Hi all,
>>
>>Sorry for the huge forward, but everything needed to understand this
>>problem should be there :)
>>
>>GPL software does not mix well with OpenSSL, and that's giving me some
>>headaches lately. As you may see in my mail to Markus (liblzo author) and
>>James (we all know who he is :) linking liblzo with OpenSSL may be a GPL
>>violation [1].
>>
>>So this is a call for comments on this issue.
>>Can anybody reach Markus and comment to him about this?
>>Should we switch to another compression library? In that case, which one
>>would be suitable? zlib?
>>Should we ignore this and let RMS jump on us? [2]
>
> Well zlib could be suitable, considering that OpenVPN does implement some
> reliable UDP stuff for SSL/TLS type streams to work correctly. Of course
> it might be a performance hit. On the other hand, if you are linking it
> yourself and not redistributing the binaries you are probably okay. This
> means though that prebuilt binaries linked to liblzo could be a no-no.
>
> Of course the slope gets slippery if OpenSSL is shipped with the OS by
> default and is considered a 'system library'. In such case it might not
> necessarily be a violation, otherwise linking GPL software on a system like
> Solaris and distributing the resulting binaries would be forbidden as
> well.
>
> Of course another option here is to consider getting OpenVPN to play nice
> with gnutls, though I am not familiar with the maturity of that piece of
> software.
>
> Regards,
>
> Aaron

--
"Every well-bred petty crook knows -- the small concealable weapons always go to the far left of the place setting."
-- Inara (Morena Baccarin), "Firefly" (unaired - into production AFTER fox crushed it)
|
From: Matthias A. <ma+...@dt...> - 2003-05-02 16:29:27
|
On Mon, 28 Apr 2003, Alberto Gonzalez Iniesta wrote:

> Sorry for the huge forward, but everything needed to understand this
> problem should be there :)

FYI:

My post of the FreeBSD-ports mailing list how I should handle this license issue LZO <-> OpenSSL hasn't turned up anything in some days; so no-one has an opinion there...

I'll forbid packaging binaries when I update the port for OpenVPN 1.4.0, just to be sure. OpenSSL is in the base system of FreeBSD, so I don't consider this urgent, but it should be fixed eventually.
|
From: Alberto G. I. <ag...@ag...> - 2003-05-03 09:32:36
|
On Fri, May 02, 2003 at 06:07:07PM +0200, Matthias Andree wrote:
> On Mon, 28 Apr 2003, Alberto Gonzalez Iniesta wrote:
>
> > Sorry for the huge forward, but everything needed to understand this
> > problem should be there :)
>
> FYI:
>
> My post of the FreeBSD-ports mailing list how I should handle this
> license issue LZO <-> OpenSSL hasn't turned up anything in some days; so
> no-one has an opinion there...
>
> I'll forbid packaging binaries when I update the port for OpenVPN 1.4.0,
> just to be sure. OpenSSL is in the base system of FreeBSD, so I don't
> consider this urgent, but it should be fixed eventually.

If OpenSSL is in the base system of FreeBSD, then there shouldn't be any problem linking LZO with it.
You could also allow OpenVPN binaries without LZO support (as I currently do in Debian).

Anyway, Markus got in contact with me (I'll forward his message next to this one) and we have permission to use LZO with OpenSSL in OpenVPN :)

So,... End Of Thread (for the time being?)

--
Alberto Gonzalez Iniesta       | They that give up essential liberty
agi@(agi.as|debian.org)        | to obtain a little temporary safety
Encrypted mail preferred       | deserve neither liberty nor safety.
                               | -- Benjamin Franklin

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
|
From: Matthias A. <ma+...@dt...> - 2003-05-03 23:50:51
|
> If OpenSSL is in the base system of FreeBSD, then there shouldn't be any
> problem linking LZO with it.
> You could also allow OpenVPN binaries without LZO support (as I
> currently do in Debian).

This will break compatibility and is no longer needed in the light of the special permission Markus has given us.

Thanks for your requesting a permission from Markus!
|
From: bishop <bi...@pl...> - 2003-05-04 00:05:52
|
Matthias Andree wrote:
>>If OpenSSL is in the base system of FreeBSD, then there shouldn't be any
>>problem linking LZO with it.
>>You could also allow OpenVPN binaries without LZO support (as I
>>currently do in Debian).
>
> This will break compatibility and is no longer needed in the light of
> the special permission Markus has given us.

This is actually a recurring problem with another, similar product. The official word when it comes up over there is: Use it if you want, because we can't stop you, but it's not recommended, definitely not supported, and problems aren't generally acceptable when logged against a derivative build with pieces missing.

Hmm. I sense another Special Permission Request, though.

- bish