From mboxrd@z Thu Jan  1 00:00:00 1970
From: Vagrant Cascadian <vagrant@debian.org>
Subject: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly
	others
Date: Sat, 02 Mar 2019 17:58:20 -0800
Message-ID: <87tvgkiurn.fsf@ponder>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([209.51.188.92]:35422)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1h0GP9-000421-Qk
	for bug-guix@gnu.org; Sat, 02 Mar 2019 20:59:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1h0GP8-0008Bc-Sn
	for bug-guix@gnu.org; Sat, 02 Mar 2019 20:59:03 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:44441)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1h0GP8-0008BC-Pe
	for bug-guix@gnu.org; Sat, 02 Mar 2019 20:59:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1h0GP8-000298-G5
	for bug-guix@gnu.org; Sat, 02 Mar 2019 20:59:02 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.34717.B.15515783208220@debbugs.gnu.org>
Received: from eggs.gnu.org ([209.51.188.92]:35329)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <vagrant@debian.org>) id 1h0GOd-0003zL-P7
	for bug-guix@gnu.org; Sat, 02 Mar 2019 20:58:32 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <vagrant@debian.org>) id 1h0GOc-0007Eq-Cp
	for bug-guix@gnu.org; Sat, 02 Mar 2019 20:58:31 -0500
Received: from cascadia.aikidev.net ([173.255.214.101]:54026)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <vagrant@debian.org>) id 1h0GOc-0007CS-4f
	for bug-guix@gnu.org; Sat, 02 Mar 2019 20:58:30 -0500
Received: from localhost (unknown [IPv6:2600:3c01:e000:21:21:21:0:100e])
	(Authenticated sender: vagrant@cascadia.debian.net)
	by cascadia.aikidev.net (Postfix) with ESMTPSA id 9DC5A1AA27
	for <bug-guix@gnu.org>; Sat,  2 Mar 2019 17:58:25 -0800 (PST)
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 34717@debbugs.gnu.org

--=-=-=
Content-Type: text/plain

The u-boot package definition includes openssl amoung it's inputs, but
is also a GPL2+ software project... but the GPL and OpenSSL licenses are
incompatible:

  https://www.gnu.org/licenses/license-list.html#OpenSSL

It doesn't explain the details of *why* they're incompatibly, which is
astoundingly unhelpful. The best explanation I've found is here:

  https://people.gnome.org/~markmc/openssl-and-the-gpl.html

Essentially, the Openssl/SSLeay license(s) place additional restrictions
requiring "advertising" clause when distributing in binary form, while
the GPL forbids placing additional restrictions on distribution.


I'm not sure if there's a simple way to search for other packages with
license:gpl and openssl as an input in order to do a quick pass at
auditing... some packages may use the openssl binary as part of the
build process or tests, and not linking any GPLed code against it; in
those cases there would be no license conflict.


Since I believe the incompatibility is only invoked when distributing
binaries, GNU Guix may be in an interesting position to at least make a
simple workaround for affected packages by using:

  (arguments `(#:substitutable? #f))

Thus disabling substitutes. Though it poses a curious philosophical
question weather that is an acceptible/appropriate workaround for GNU
Guix...


In the Debian u-boot packaging, some of the features using openssl are
disabled, and some of the u-boot targets that require openssl are not
part of the packages. I'd be happy to help with making such adjustments
if this is deemed the better approach for u-boot specifically.


Other more long-term approaches:

Patch (and submit upstream) the affected packages to support using other
GPL compatible libraries, such as gnutls.

If upstream is reasonably able to add a license exception, that could
also resolve the issue:

  https://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs


live well,
  vagrant

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCXHs0vAAKCRDcUY/If5cW
qpx5AQD1tIZOPkaVIfPvFxiCO5fh+3pHugUaX4ysih2phFjTAAEAvlbLHriinnPU
PbP4TpS6+1WPLiuGiADU1wz75h8LZQk=
=iuiX
-----END PGP SIGNATURE-----
--=-=-=--