On Fri, Mar 19, 2010 at 5:16 AM, Brian Candler <b.candler / pobox.com> wrote:
> Austin Ziegler wrote:
>> Lawyers will agree that there's a distribution incompatibility since
>> the GNU GPL doesn't permit attribution requirements and OpenSSL
>> requires it under two different licences.
> If Debian are worried about infringement, then who do they think is
> going to sue them?

It's subtly more complex than that. While IANAL, I suspect that Debian
and the other distribution managers are fairly safe here since they
don't require that you have OpenSSL by default, and provide OpenSSL as a
dynamically loadable object when requested by the end user (implicitly
or explicitly).

As I said in an earlier message, the FSF takes a maximal view on the
applicability of the GNU GPL, extending to situations that are not
logically covered by the GNU GPL (e.g., run-time combination).

It is fairly clear that if I were to distribute an application that
requires both OpenSSL (with the attribution clauses) and libreadline
(under the GNU GPL), I would be violating the license of one of them or
another (probably the GNU GPL because it has the incompatibility with
attribution requirements).

If, on the other hand, OpenSSL and/or libreadline are optional
components that end users enable at run-time, the situation is likely
the opposite of what the FSF says (that is, no license violation; just
the violation of the spirit of the GNU GPL). By the way, this is one of
the things that annoys me about a lot of GPLed projects on Windows: they
present the GNU GPL as a EULA, when it's completely NOT a EULA.

I do not need to accept the GNU GPL to *use* a piece of software; just
to distribute it. It's arguable that the GNU GPL v3 and the Affero GPL
step into EULA territory by treating networked use as distribution, but
that is an untested area of the licences. More reason to avoid both
versions, IMO.

> (1) The OpenSSL copyright holders?
>
> http://www.openssl.org/support/faq.html#LEGAL2
>
> Clearly, they see it as an issue of the GPL holders needing to extend
> their licence, not OpenSSL intending to restrict what GPL authors do.

They're also right. OpenSSL's license is extremely permissive, even if
the attribution requirement is annoying.

> 'If you develop open source software that uses OpenSSL, you may find
> it useful to choose an other license than the GPL, or state explicitly
> that "This program is released under the GPL with the additional
> exemption that compiling, linking, and/or using OpenSSL is allowed."'
>
> Anyway, if the OpenSSL licence requires attribution, surely that
> applies only to OpenSSL itself? Do people think that it is viral in
> the way that the GPL is viral?

No; the problem is that the GNU GPL does not allow "subordinate"[1]
licences to have any restrictions above and beyond what the GNU GPL has,
"restricting" end-user rights further[2].

-austin
[1] The GNU GPL views all licences in a mixed license bundle as
    subordinate to itself, as it's an expansive, viral license[3]. That
    is to say that the language of the GNU GPL expects that it will be
    the final arbiter of what is permitted and what is not permitted for
    a composite work containing GNU GPL software.
[2] In many ways, I agree with this restriction, if not the
    implementation. It would be fairly trivial to put language in the
    GNU GPL enumerating additional optional exceptions for other 'open'
    licences (e.g., attribution clauses). I am not sure that the
    original 4-clause BSD license (with advertising attribution clauses)
    would pass the GNU GPL with that anyway, nor am I sure that it
    should pass.
[3] The GNU GPL is correctly viewed as a viral license in that it
    imposes requirements on software that includes software under the
    GNU GPL. This virality is a feature of the GNU GPL. It's a feature
    that I strongly dislike, but it is exactly the purpose for which the
    GNU GPL was written.
-- 
Austin Ziegler halostatue / gmail.com austin / halostatue.ca
http://www.halostatue.ca/ http://twitter.com/halostatue