Copyleft/guide Changeset - 6230249f2f8a

Changeset - 6230249f2f8a

Parent rev.

Child rev.

[Not reviewed]

2020-pull-requests/11

0 1 0

bill-auger - 7 years ago 2016-11-05 21:59:24
mr.j.spam.me@gmail.com

make language more consistent and RFC's more concise

* added historical fact regarding BSD license change
* added RFC regarding FSF reserving authority to define "System Library"
* added RFC regarding a "System Library" whitelist
* made previous RFC-2, RFC-3, RFC-4 more concise (now RFC-4, RFC-5, RFC-6)
* split concerns from previous RFC-5 into RFC-7 and RFC-8
* corrected some typos

1 file changed with 31 insertions and 9 deletions:

bsd4clause-openssl.tex

0 comments (0 inline, 0 general)

bsd4clause-openssl.tex

➞

Show inline comments

@@ ... / @@ -6,7 +6,7 @@ @@
 \subsection{Motivation}
-The GPLv2 and GPLv3 both include a requirement that of the form: "You may not impose any further restrictions ..." (GPLv2 Section 6 - GPLv3 Section 10, which the FSF (author and publisher of the GPL family of licenses) contends is in conflict, generally, with all licenses of the original "4-clause BSD" form (such as the OpenSSL license) due to it's "obnoxious" advertising clause. \footnotemark[1] \footnotemark[2] \footnotemark[3] \footnotemark[4]  Not surprisingly, it seems to be the general consensus among free software developers that any program or library that itself links to the OpenSSL library is incompatible with the GPLs; but there is some controversy as to whether or not the OpenSSL library is protected by the GPL "System Library Exception" (GPLv2 Section 3 - GPLv3 Section 1) and whether or not the LGPL can be used as a remedy. \footnotemark[5]  Other notions have also been expressed from general apathy as "... In reality, GPL/OpenSSL linking is tolerated because few upstream GPL project developers care about the issue ...". \footnotemark[6] to frustration "... this [is] totally non-productive nonsense. Seriously, how many people actually care whether some GPL code links with OpenSSL?  My guess is two: RMS and EM. ...". \footnotemark[7]  Well, if you are reading this (and of course, you are), that makes at least three people.
+The GPLv2 and GPLv3 both include a requirement of the form: "You may not impose any further restrictions ..." (GPLv2 Section 6 - GPLv3 Section 10), which the FSF (author and publisher of the GPL family of licenses) contends is in conflict, generally, with all licenses of the original "4-clause BSD" form (such as that of the widely-used OpenSSL license) due to it's "obnoxious" advertising clause. \footnotemark[1] \footnotemark[2] \footnotemark[3] \footnotemark[4]  Not surprisingly, it seems to be the general consensus among free software developers that any program or library which itself links to the OpenSSL library is incompatible with the GPLs; but there is some controversy as to whether or not the OpenSSL library is exempted by the GPL "System Library Exception" (GPLv2 Section 3 - GPLv3 Section 1) and whether or not the LGPL can be used as a remedy. \footnotemark[5]  Notions have been expressed from general apathy as "... In reality, GPL/OpenSSL linking is tolerated because few upstream GPL project developers care about the issue ...". \footnotemark[6] to frustration "... this [is] totally non-productive nonsense. Seriously, how many people actually care whether some GPL code links with OpenSSL?  My guess is two: RMS and EM. ...". \footnotemark[7]  Well, if you are reading this (and of course, you are), that makes at least three people.
 These differences in opinion are manifest most plainly in the package repositories of various GNU/Linux distributions; with distros representing both sides of the debate.  As such, there are possibly hundreds of packages in the repos of major distros currently installing programs with GPL-family licenses that link to OpenSSL (or other libraries with similar licensing terms).  Some distros have chosen to offer custom versions of these libraries that either replace OpenSSL with a compatible library (such as GnuTLS or Mozilla NSS) or strip out the functionality that requires such libraries.  Some have chosen not to carry these libraries at all.
@@ ... @@
 \begin{itemize}
   \item This issue has haunted the free software community for a very long time.
   \item BSD removed this clause from it's license in 1999; but licenses retaining an analagous clause are still prevalent today, notably OpenSSL License of the OpenSSL library.
   \item The GNU license compatibility list categorizes both the Original BSD (4-clause) License and the OpenSSL License as "GPL-Incompatible Free Software Licenses". \footnotemark[9] \footnotemark[10]
   \item The LGPLv3 does not itself contain the same wording such as that in the which constitutes the conflict; but it does clearly state that it's terms are supplemental extensions to the GPLv3. \footnotemark[11]
   \item FedoraProject considers OpenSSL to be a "System Library" and so exempt from conflict per the "System Library Exception". \footnotemark[12]  Fedora distributes the libircclient binary package with OpenSSL linkage enabled as do third-party RPM repos. \footnotemark[13] \footnotemark[14]
-  \item Debian has taken the opposite stance that OpenSSL is non-essential and therefore not protected by the GPL "System Library Exception"; and has generally recommended that upstreams of GPL'ed programs add an exception for OpenSSL to their licenses. \footnotemark[15]  As an example of an LGPL'ed library, Debian distributes the libircclient binary package with OpenSSL linkage disabled. \footnotemark[16]  Debian even goes so far as to track and post on its website all such potential license collisions detected by it's automated Lintian package sanity checker and the final acceptance decisions. \footnotemark[17]
+  \item Debian has taken the opposite stance that OpenSSL is non-essential and therefore not exempted by the GPL "System Library Exception"; and has generally recommended that upstreams of GPL'ed programs add an exception for OpenSSL to their licenses. \footnotemark[15]  As an example of an LGPL'ed library, Debian distributes the libircclient binary package with OpenSSL linkage disabled. \footnotemark[16]  Debian even goes so far as to track and post on its website all such potential license collisions detected by it's automated Lintian package sanity checker and the final acceptance decisions. \footnotemark[17]
   \item Several other distros distribute libircclient binaries but no clear statements on this matter have yet to be found from these. The libircclient packages in ArchLinux (also AUR), Gentoo, and OpenSuse have OpenSSL linkage enabled; so presumably they are either unaware of the issue or are in the Fedora camp. \footnotemark[18] \footnotemark[19] \footnotemark[20] \footnotemark[21]  The libircclient package in Ubuntu does not have OpenSSL linkage enabled so they are presumably following Debian's lead. \footnotemark[22]
@@ ... @@
 \subsection{Interpretation and Caveats}
 The following are among the most pragmatic points to be underlined as it concerns project maintainers and packagers:
+The following are among the most opaque but pragmatic points to be underlined as it concerns project maintainers and packagers:
 \begin{itemize}
   \item{\bf{[RFC-1]\newline
-Does the FSF concur with the FedoraProject that OpenSSL is a "System Library" exempted per the GPL "System Library Exception"; or does the FSF concur with Debian that OpenSSL is non-essential and not protected by the GPL "System Library Exception"?  They are, above all, the authority on the matter, aren't they?}
+Does the FSF concur with the FedoraProject that OpenSSL is a "System Library" exempted per the GPL "System Library Exception"; or does the FSF concur with Debian that OpenSSL is non-essential and not exempted by the GPL "System Library Exception"?  They are, above all, the authority on the matter, aren't they?}
     \begin{quote}
 If Shane Coughlan's account or Brett Smith's statement is accurate, then the FSF does not consider OpenSSL to be an essential "System Library" and so does not qualify for the GPL "System Library Exception" (at least not on a Debian system).  No such statements have been found regarding other distros however.
     \end{quote}}
   \item{\bf{[RFC-2]\newline
-Does this conflict also apply to an LGPLv3 licensed library that itself links to OpenSSL (or any other GPL-incompatible library)?  In other words, can an LGPLv3 licensed library (with or without an explicit exception) link itself to any other library regardless of the license of that helper library?  All of the language in the LGPLv3 speaks in terms of a proprietary main program's ability to link themselves to LGPL'ed libraries but says nothing of linkage in the other direction (e.g. writing an LGPL'ed library that itself requires a proprietary or otherwise incompatibly licensed helper binary).  This is a point of confusion for many people.}
+Would the FSF prefer to be the authority on what qualifies as a "System Library" exempted per the GPL "System Library Exception"; or would the FSF prefer to delegate this to each distro, providing that they do so formally as a matter of published policy?}
     \begin{quote}
+?
     \end{quote}}
   \item{\bf{[RFC-3]\newline
-If it is indeed un-acceptable for an LGPL'ed library to itself require proprietary or otherwise incompatibly licensed helper binaries, then can it be made compliant by disabling that feature as the default behavior and requiring the user to enable it with a compile-time switch?  In other words, does the licensing conflict exist simply because the code is capable of producing a binary that may (at the user's option) link to an incompatible library; or does the conflict not arise until compile-time or runtime, such that anyone can distribute the source code and the end user is free to compile as long as they do not distribute the resulting binary?  Only one instance of someone raising this specific concern of a compile-time switch has been found; but the concern was not addressed.} \footnotemark[30]
+How feasilbe would it be for the FSF to maintain a white-list of "Essential Core System Libraries" in order to remove any doubt.  After all, leaving any such caveat as subject to interpretation is practically the same as omission - is it not?}
     \begin{quote}
+?
     \end{quote}}
   \item{\bf{[RFC-4]\newline
 Conversely, if it is acceptable for an LGPL library to itself require proprietary or otherwise incompatibly licensed helper binaries, then does the GPL-incompatible sub-dependency taint the license of any main GPL'ed client program, such that the client must itself re-license as LGPL or more permissively in order to use the library?  This case is presumably fallacious but some people do believe this is a valid option, so it is probably worth contrasting this to the preceding concern} % (RFC_3).}}
 Can a GPLv2 or GPLv3 main program (with or without an explicit linking exception) link itself to a library licensed under the corresponding LGPL version that, in turn, links itself to OpenSSL, or any other library, regardless of the license of latter sub-dependency?  If not, may the LGPLv2 or LGPLv3 library provide a "Linking Exception" to explicitly permit this.  All of the language in the LGPLv3 speaks in terms of a GPL-incompatible main program's ability to link itself to LGPL'ed libraries; but says nothing of linkage in the other direction (e.g. an LGPL'ed library that itself requires a proprietary or otherwise incompatibly licensed helper).  This is a point of confusion for many people.}
+}
     \begin{quote}
+?
     \end{quote}}
   \item{\bf{[RFC-5]\newline
-What does this imply for any GPLv3 program that links itself to such a questionable library?  Could one add an exception to the license of the main program allowing it's dependency to link to OpenSSL as a sub-dependency (even if the dependency does not provide such an exception)?  What if the dependency already provides such an exception?  Instead of an exception, could one state a disclaimer such as: "If you run this program on a distro that links this program's dependencies to OpenSSL, you must compile those dependencies yourself with OpenSSL disabled"?  Could one further add, "... unless your distro has issued a formal statement indicating that they consider OpenSSL to be a 'System Library' protected by the GPL 'System Library Exception'."?}
+If the answer to RFC-4 is negatory, that is, it is in no way possible for an LGPL'ed library to, itself, require a proprietary or otherwise incompatibly licensed helper legitimately, then can it be made compliant by disabling that feature as the default behavior and requiring the user to enable it with a compile-time switch?  In other words, does the licensing conflict exist simply because the code is capable of producing a binary that may, at the user's option, link to an incompatibly licensed library; or does the conflict not arise until compile-time or runtime, such that anyone can distribute the source code and the end user is free to compile with the switch enabled as long as they do not distribute the resulting binary?  Only one instance of someone raising this specific concern of a compile-time switch has been found; but the concern was not addressed.} \footnotemark[30]
     \begin{quote}
+?
     \end{quote}}
   \item{\bf{[RFC-6]\newline
 Conversely, if the answer to RFC-4 is affirmative, that is, it is indeed possible for an LGPL'ed library to itself require a proprietary or otherwise incompatibly licensed helper library as a sub-dependency, then does this taint the license of any main GPL'ed client program, such that it must, itself, re-license to the same LGPL version as the intermediate library (or more permissively) in order to use it (and the incompatibly licensed sub-dependency by proxy)?  This case is presumably fallacious but some people do believe this is a valid option, so it is probably noteworthy of contrasting this to the preceding concern (RFC-5). \footnotemark[5]  Otherwise, if this is permissible, then one can easily imagine a plethora of LGPL'ed libraries which are nothing more than thin wrappers around GPL-incompatible libraries.  Indeed, one can imagine a project devoted to consolidating such wrappers and/or a website devoted to indexing them.  It would be quite ironic to see such a wrapper indexed on the FSF Free Software Directory.}
     \begin{quote}
+?
     \end{quote}}
   \item{\bf{[RFC-7]\newline
 If the answer to RFC-4 is affirmative, then what does this imply for any GPLv3 program that links itself to such a library?  Could one add a "Linking Exception" to the license of the main program allowing it's dependency to link to OpenSSL as a sub-dependency (even if the dependency does not provide such an exception)?  If the dependency already provides such an exception, then must the main program also provide the same exception?}
     \begin{quote}
+?
     \end{quote}}
   \item{\bf{[RFC-8]\newline
 Instead of a "Linking Exception", could one state a disclaimer such as: "You may not run this program on any distro that links this program's dependencies to OpenSSL unless you compile those dependencies yourself with OpenSSL disabled and link this program to those instead."?  Could one further add something like: "... unless your distro has a public policy declaring OpenSSL to be an essential "System Library" on their distro and so exempted by the GPL "System Library Exception"."?}
     \begin{quote}
+?
     \end{quote}}
   \item{\bf{[RFC-9]\newline
 An important caveat regarding the definition of “Corresponding Source” in GPLv3 Section 1 is that it requires that the source can be compiled as to "... run the object code ..." but makes no accommodations nor constraints on any particular operating environment in which it must be able to run.  Presumably, it is not the intention that all GPL-licensed software must be executable on all architectures and operating systems.  So, it would follow that project maintainers are free to support only certain operating environments; and it can be easily argued based on dependency trees alone that Fedora and Debian (for example) are different operating environments; and so project maintainers should be free to support only certain distros and not necessarily all distros.  Otherwise, if the distribution requirements in GPLv3 Section 6d and the “Corresponding Source” definition are interpreted too stringently, the overall requirement would be that all GPL-licensed software projects must themselves distribute cross-platform source code for all dependencies (and sub-dependencies) in the dependency chain all the way down to the vaguely defined "System Libraries" allowing "The Program" to compile on any all operating systems and distros past, present, and future.  That is presumably not the intention and would likely lead to everyone distributing nothing but docker images.  If project maintainers are indeed free to selectively support only certain environments, then the GPL "System Library Exception" along with GPLv3 Sections 6d and 6e would seem to allow some isolation from this sort of licensing conflict as long the following conditions are met:
     \begin{itemize}
       \item{The Program must be licensed with a version of the GPL that allows third parties to distribute sources for dependencies of The Program (this is currently only the GPLv3)}
@@ ... @@
       \item{The project maintainer insists that end users of distros hosting The Program's dependencies in a form that conflicts with the it's license and end users of distros that do not host The Program's dependencies are not to expect a usable result (any more of than a Windows user could expect while compiling systemd in VisualStudio.  If such users can not obtain the source code for the dependencies somehow and compile themselves in a way that does not conflict with the license of The Program; they are still free to install a supported distro or run one in a VM to use The Program legitimately.  How could it be argued that such users are being deprived of their freedom in this way?}
       \item{If the day ever arrives that no distro that is designated as supported by The Program any longer hosts compatible versions of the tainted dependencies then The Program's maintainer would be obliged only to cease to "... distribute the object code ..." per GPLv3 Section 6d}
-In this way the responsibility of resolving dependency and licensing compatibility conflicts is delegated to distro packagers and package management software which exist precisely for that purpose.  Note, that this is all assuming that the binary dependency with the previously mentioned conflict-enabling compile-time switch is not itself inherently illegitimate (per the previous RFC-3); but is GPLv3-compatible if the switch is not activated.  Also, this proposal depends on a loose but reasonable interpretation of “Corresponding Source” which is defined somewhat inconsistently to include "... the source code for shared libraries and dynamically linked subprograms ..." but to exclude "... generally available free programs which are used unmodified ...".  It can be easily argued that shared binary libraries are both "generally available" and "used unmodified".
+In this way the responsibility of resolving dependency and licensing compatibility conflicts is delegated to distro packagers and package management software which exist precisely for that purpose.  Note, that this is all assuming that the binary dependency with the previously mentioned conflict-enabling compile-time switch is not itself inherently illegitimate (per RFC-5); but is GPLv3-compatible if the switch is not activated.  Also, this proposal depends on a loose but reasonable interpretation of “Corresponding Source” which is defined somewhat inconsistently to include "... the source code for shared libraries and dynamically linked subprograms ..." but to exclude "... generally available free programs which are used unmodified ...".  It can be easily argued that shared binary libraries are both "generally available" and "used unmodified".
     \end{itemize}}
     \begin{quote}
+?

0 comments (0 inline, 0 general)