[hipl-dev] Re: HIPL conforming to OpenSSL licensing terms?

  • From: Stefan Götz <stefan.goetz@xxxxxxxxxxxxxxxxx>
  • To: hipl-dev@xxxxxxxxxxxxx
  • Date: Sat, 06 Nov 2010 15:48:44 +0100

Hi!

I had another, admittedly still casual, look into the licensing situation
surrounding OpenSSL.

In brief (and in my layman's opinion), HIPL in its current form is in breach of
both OpenSSL's licensing terms and the terms of the GPL.

The easy part is to comply with OpenSSL's terms (I outlined the necessary steps
below). The tough part is the incompatibility between the GPL and the OpenSSL
license, as discussed by 
http://people.gnome.org/~markmc/openssl-and-the-gpl.html

While adding an exception clause to the GPL is a standard approach to circumvent
this incompatibility, this is not possible in the case of HIPL because the
GPL'ed code in question is not under HIPL copyright.

If this assessment is correct, I see only two options to solve this issue and
come to a legally distributable HIPL:

a) Get rid of OpenSSL and use some other alternative (I have not checked the
details) to come into compliance with the GPL (and not having to further bother
with such a PITA license as OpenSSL's)

or

b) Get rid of the GPL-covered code *and* come into compliance with the OpenSSL
license:

  OpenSSL License
  ---------------

/* ====================================================================
 * Copyright (c) 1998-2008 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.

No changes required.

 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.

Add these licensing terms to COPYING (with a note that they apply to the
linked/compiled in OpenSSL code) and doc/HOWTO.xml so they appear in the binary
packages. A separation of hipd, hipfw, and doc packages might be an issue in
this regard.

 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

The definition of 'advertising material' is difficult. Just to be on the safe
side, I would count the HIPL website as such.

However, I am not sure whether the website or any potential 'advertising
material' of HIPL actually mentions 'features or use of this software' if 'this
software' is interpreted as OpenSSL. They probably don't, so maybe no changes
are required on this front. Then again, INSTALL mentions OpenSSL but can hardly
be considered advertising material.

 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@xxxxxxxxxxxx

No changes required.

 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.

No changes required.

 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

After COPYING or doc/HOWTO.xml is updated as above, the source-form and the
packaged binary-form distributions automatically conform to this requirement.
I'm not sure whether this clause also needs to be present in the hipd and hipfw
binaries themselves (note that the license does not require them to be
user-visible, so as long as that string is compiled into the binary, it should
conform).

 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@xxxxxxxxxxxxx).  This product includes software written by Tim
 * Hudson (tjh@xxxxxxxxxxxxx).
 *
 */

 Original SSLeay License
 -----------------------

/* Copyright (C) 1995-1998 Eric Young (eay@xxxxxxxxxxxxx)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@xxxxxxxxxxxxx).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@xxxxxxxxxxxxx).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.

Update doc/HOWTO.xml to make this attribution (assuming that simply reproducing
this statement verbatim alone is not sufficient to attribute Mr. Young's
authorship).

 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.

No changes required.

 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.

See above.

 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@xxxxxxxxxxxxx)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).

See above.

 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@xxxxxxxxxxxxx)"

I assume that this does not apply in the case of HIPL but I have not checked.

 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

No changes required.



I also checked the licensing terms of the following software packages used by
HIPL, as taken from INSTALL:

GPL: automake autoconf libtool gcc iptables-dev libcap-dev libnet-ip-perl
libnet-dns-perl libsocket6-perl libio-socket-inet6-perl miredo bzr xmlto doxygen
check fakeroot dpkg-dev

4-clause BSD: pax

I don't see any issues with those.

Cheers,
        Stefan
