Hi,

The sftp support in kde-runtime links against libssh which in turn is normally linked against OpenSSL. OpenSSL has a long-standing license incompatibility with the GPL and LGPL licenses. One practical solution to solve this issue is to add an OpenSSL exception to the copyright notices, such as:

***
In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two.

You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here.
***

See https://people.gnome.org/~markmc/openssl-and-the-gpl.html for more information about the incompatibility, and https://lists.debian.org/debian-legal/2004/05/msg00595.html for some context in the Debian sphere.

Thanks.

Reproducible: Always
libssh is LGPL! There is no license issue! Please stop spreading FUD!
(In reply to Andreas Schneider from comment #1)
> libssh is LGPL!

LGPL has the same issues with the OpenSSL license as GPL has.

I really don't want to have a licensing discussion, nor am I a big fan of this kind of issue. I requested adding the exception because it's the simplest solution. I'm not sure how long it would take to have libssh compiled against gnutls in Debian, nor if gnutls is a suitable replacement; also, I would rather spend my time having kde-sc, kf5 and plasma5 up to date in Debian than having to fix this issue by other means, such as using gnutls, or disabling the sftp support, or something.

So, please, I ask you to reconsider, based on that adding the exception has a negligible cost only for you or Lucas Fisher and that it would have an impact on your users.

The issue with the licenses is the same for both licenses, as they have the same text in the problematic part. From the LGPL-2/LGPL-2.1 license text:

10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

Which is the 6. point in the GPL-2 license.

The LGPL-3 is redacted as a supplement to the GPL-3, so the same restriction applies here:

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.

An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.

You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

The issue is against the points 3. and 6. of the OpenSSL license. This is better explained in the first link of the original report.
I won't try to interpret the legalese myself, but according to your own legal team LGPL + openssl is okay:
https://lists.debian.org/debian-legal/2008/06/msg00007.html

libssh is LGPL, kio-sftp is LGPL:
http://quickgit.kde.org/?p=kde-runtime.git&a=blob&f=kioslave%2Fsftp%2Fkio_sftp.cpp

So I'll mark this as resolved. :-)