| Summary: | Indirect linkeage against openssl and license issue | ||
|---|---|---|---|
| Product: | [Unmaintained] kio | Reporter: | Maximiliano Curia <maxy> |
| Component: | sftp | Assignee: | Andreas Schneider <asn> |
| Status: | RESOLVED NOT A BUG | ||
| Severity: | normal | CC: | martin.sandsmark |
| Priority: | NOR | ||
| Version: | 4.13.2 | ||
| Target Milestone: | --- | ||
| Platform: | Debian unstable | ||
| OS: | Linux | ||
| URL: | http://bugs.debian.org/750867 | ||
| Latest Commit: | Version Fixed In: | ||
| Sentry Crash Report: | |||
|
Description
Maximiliano Curia
2014-07-12 14:34:26 UTC
libssh is LGPL! There is no license issue! Please stop spreading FUD! (In reply to Andreas Schneider from comment #1) > libssh is LGPL! LGPL has the same issues with the OpenSSL license as GPL has. I really don't want to have a licensing discussion, nor I'm a big fan of this kind of issues. I requested adding the exception because it's the simplest solution. I'm not sure how long would it take to have libssh compiled against gnutls in Debian, nor if gnutls is a suitable replacement, also I would rather spend my time having kde-sc, kf5 and plasma5 up to date in Debian, than having to fix this issue by other means, such as, using gnutls, or disabling the sftp support, or something. So, please, I ask you to reconsider, based on that adding the exception has a negligible cost only for you or Lucas Fisher and that it would have an impact in your users. The issue with the licenses is the same for both licenses, as they have the same text in the problematic part. From the LGPL-2/LGPL-2.1 license text: 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. Which is the 6. point in the GPL-2 license. The LGPL-3 is redacted as a supplement to the GPL-3, so the same restriction applies here: 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. The issue is against the points 3. and 6. of the OpenSSL license. This is better explained in the first link of the original report. I won't try to interpret the legalese myself, but according to your own legal team LGPL + openssl is okay: https://lists.debian.org/debian-legal/2008/06/msg00007.html libssh is LGPL, kio-sftp is LGPL: http://quickgit.kde.org/?p=kde-runtime.git&a=blob&f=kioslave%2Fsftp%2Fkio_sftp.cpp So I'll mark this as resolved. :-) |