Bug 337397 - Indirect linkage against openssl and license issue
Product: kio
Classification: Frameworks and Libraries
Component: sftp
Version: 4.13.2
Platform: Debian unstable Linux
Importance: NOR normal
Assignee: Andreas Schneider
URL: http://bugs.debian.org/750867
Reported: 2014-07-12 14:34 UTC by Maximiliano Curia
Modified: 2014-08-28 20:47 UTC

Description Maximiliano Curia 2014-07-12 14:34:26 UTC

The sftp support in kde-runtime links against libssh which in turn is normally linked against OpenSSL.

OpenSSL has a long standing license incompatibility with the GPL and LGPL licenses. One practical solution to solve this issue is to add an OpenSSL exception to the copyright notices, such as:
  In addition, as a special exception, the copyright holders give
  permission to link the code of portions of this program with the
  OpenSSL library under certain conditions as described in each
  individual source file, and distribute linked combinations
  including the two.
  You must obey the GNU General Public License in all respects
  for all of the code used other than OpenSSL.  If you modify
  file(s) with this exception, you may extend this exception to your
  version of the file(s), but you are not obligated to do so.  If you
  do not wish to do so, delete this exception statement from your
  version.  If you delete this exception statement from all source
  files in the program, then also delete it here.

See https://people.gnome.org/~markmc/openssl-and-the-gpl.html for more information about the incompatibility, and https://lists.debian.org/debian-legal/2004/05/msg00595.html for some context in the Debian sphere.


Reproducible: Always
Comment 1 Andreas Schneider 2014-07-18 07:59:37 UTC
libssh is LGPL!

There is no license issue! Please stop spreading FUD!
Comment 2 Maximiliano Curia 2014-07-18 10:04:29 UTC
(In reply to Andreas Schneider from comment #1)
> libssh is LGPL!

LGPL has the same issues with the OpenSSL license as GPL has.

I really don't want to have a licensing discussion, nor am I a big fan of this kind of issue. I requested adding the exception because it's the simplest solution.

I'm not sure how long it would take to have libssh compiled against gnutls in Debian, nor if gnutls is a suitable replacement. Also, I would rather spend my time having kde-sc, kf5 and plasma5 up to date in Debian than having to fix this issue by other means, such as using gnutls, or disabling the sftp support, or something.

So, please, I ask you to reconsider, given that adding the exception has a negligible cost only for you or Lucas Fisher and that it would have an impact on your users.

The issue with the licenses is the same for both licenses, as they have the same text in the problematic part.

From the LGPL-2/LGPL-2.1 license text:
  10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

This is point 6 in the GPL-2 license.

The LGPL-3 is written as a supplement to the GPL-3, so the same
restriction applies here:
  10. Automatic Licensing of Downstream Recipients.

  Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License.  You are not responsible
for enforcing compliance by third parties with this License.

  An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations.  If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.

  You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License.  For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.

The issue is with points 3 and 6 of the OpenSSL license. This is better explained in the first link of the original report.
Comment 3 Martin Sandsmark 2014-08-28 20:47:36 UTC
I won't try to interpret the legalese myself, but according to your own legal team LGPL + openssl is okay: https://lists.debian.org/debian-legal/2008/06/msg00007.html

libssh is LGPL, kio-sftp is LGPL: http://quickgit.kde.org/?p=kde-runtime.git&a=blob&f=kioslave%2Fsftp%2Fkio_sftp.cpp

So I'll mark this as resolved. :-)