From: Ludovic Courtès
Subject: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others
Date: Wed, 06 Mar 2019 16:15:28 +0100
Message-ID: <87zhq8f2zz.fsf@gnu.org>
In-Reply-To: <87tvgkiurn.fsf@ponder> (Vagrant Cascadian's message of "Sat, 02 Mar 2019 17:58:20 -0800")
To: Vagrant Cascadian
Cc: 34717@debbugs.gnu.org

Hi Vagrant,

Vagrant Cascadian wrote:

> The u-boot package definition includes openssl among its inputs, but
> is also a GPL2+ software project... but the GPL and OpenSSL licenses are
> incompatible:
>
>   https://www.gnu.org/licenses/license-list.html#OpenSSL

Thanks for bringing it up.

> I'm not sure if there's a simple way to search for other packages with
> license:gpl and openssl as an input in order to do a quick pass at
> auditing... some packages may use the openssl binary as part of the
> build process or tests, and not linking any GPLed code against it; in
> those cases there would be no license conflict.

openssl@1.0 has 7,029 dependent packages, so it may be hard to sort it
out. I wonder what would be the best way to approach it.

> Since I believe the incompatibility is only invoked when distributing
> binaries, GNU Guix may be in an interesting position to at least make a
> simple workaround for affected packages by using:
>
>   (arguments `(#:substitutable? #f))
>
> Thus disabling substitutes. Though it poses a curious philosophical
> question whether that is an acceptable/appropriate workaround for GNU
> Guix...

Hmm yeah, that doesn’t sound right. :-)

> In the Debian u-boot packaging, some of the features using openssl are
> disabled, and some of the u-boot targets that require openssl are not
> part of the packages. I'd be happy to help with making such adjustments
> if this is deemed the better approach for u-boot specifically.

That’d be great. We could definitely remove the OpenSSL dependency when
it’s not needed.

In cases where it is needed, it would be nice to see what it’s used
for. Many projects use OpenSSL just for its cryptographic hash
functions, for example, and there’s plenty of options to choose from if
that’s all that’s needed (Gcrypt, Nettle, etc.).

I guess this should be discussed with upstream.

Thanks,
Ludo’.