On Thu, Mar 18, 2010 at 11:01 AM, Lucas Nussbaum
<lucas / lucas-nussbaum.net> wrote:
> On 18/03/10 at 23:31 +0900, Austin Ziegler wrote:
>> On Thu, Mar 18, 2010 at 10:21 AM, Lucas Nussbaum
>> <lucas / lucas-nussbaum.net> wrote:
>> > OpenSSL doesn't have a lot of fans, because of its licence that prevents
>> > it from being linked to GPL software. Yes, it could be possible to ship
>> > openssl.so and readline.so in the same package, but then it would be
>> > harder to argue that Debian does enough to protect the linking of
>> > readline (GPLv2) with openssl. The situation would be much simpler if
>> > Ruby switched to GNU TLS, for example.
>>
>> Your first sentence is incorrect; OpenSSL is both better known and
>> more widely used in the real world than GNU TLS is likely to ever be.
>> GNU TLS is preferred by people who have subscribed to the GNU
>> philosophy, which doesn't include everyone in the Ruby world, and
>> those of us who prefer OpenSSL see GNU TLS as a zany outlier created
>> by people who have nothing better to do with their time than to worry
>> about the attribution clause (I believe that's the part that makes GNU
>> software incompatible with OpenSSL licensing, since GNU believes that
>> attribution isn't necessary).
>>
>> That said, if someone were to make an SSL/TLS layer for Ruby that
>> could reasonably replace the OpenSSL namespace and that both "require
>> 'openssl'" and "require 'gnutls'" would satisfy, then I think we'd see
>> traction. Since this is apparently a problem for people who prefer GNU
>> TLS, I suggest that it is in their interest to do so.
>
> Note that your lawyer might disagree with you, whether he is a GNU
> fanboy or not, because it is widely agreed that the OpenSSL license is
> incompatible with the GPL.
>
> I agree that this sucks, but hey, that's life.

I see it the other way around; because the GNU GPL does not permit
attribution requirements, it is the GNU GPL which is incompatible with
the (older) BSD-style license. I agree that it'd be nicer if OpenSSL
and SSLeay were under the 3-clause BSD, but I understand exactly why
they do it.

To me, the 4+-clause BSD is far more acceptable than any GNU GPL
license, even the GNU LGPL, even v2 (which I think is an infinitely
superior license to v3, but that's just my opinion).

Lawyers will agree that there's a distribution incompatibility since
the GNU GPL doesn't permit attribution requirements and OpenSSL
requires it under two different licences. That is the key point, but
the FSF has already pointed a way out of this: write to a common API
that can be used transparently and allow end users (who are not
subject to redistribution requirements in any case) to swap out their
preferred implementation.

This is exactly what the FSF says should be done to deal with their
(likely incorrect) understanding of shared object linking especially
with respect to libreadline.

Since Ruby programmers and the Ruby language have no problem as such
with OpenSSL, I would suggest that it is up to GNU TLS supporters to
write that transparent layer and convince Rubyists to use it. GNU TLS
has a fraction of the users over OpenSSL.

-austin
-- 
Austin Ziegler • halostatue / gmail.com • austin / halostatue.ca
http://www.halostatue.ca/ • http://twitter.com/halostatue