openssl is now a dependency of guix: possible license conflict?

openssl is now a dependency of guix: possible license conflict?

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 783 bytes --]

Hello guix,

Recently, guix changes to use guile-git for 'guix pull', which is a
libgit2 binding for guile, while libgit2 itself uses openssl to talk
over https.

Now the potential problem is that guix is licensed in gpl3+ while
openssl is licensed in openssl. It is well-known the two licenses have
incompatibility disallowing one from distributing the result of linking
a gpl program with openssl[0].

First, We have to figure out if we are linking guix with openssl. Well,
libgit2 is dynamically linked to openssl while guile-git uses
'dynamic-link' to load libgit2. So these libraries are linked
together. The part that I am not sure is that whether guix is linked
with guile-git.

What do you think?

Cheers,
Alex

[0]: https://people.gnome.org/~markmc/openssl-and-the-gpl.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: openssl is now a dependency of guix: possible license conflict?

[Mark H Weaver]

Hi Alex,

Alex Vong <alexvong1995@gmail.com> writes:

> Recently, guix changes to use guile-git for 'guix pull', which is a
> libgit2 binding for guile, while libgit2 itself uses openssl to talk
> over https.
>
> Now the potential problem is that guix is licensed in gpl3+ while
> openssl is licensed in openssl. It is well-known the two licenses have
> incompatibility disallowing one from distributing the result of linking
> a gpl program with openssl[0].

Thanks for bringing this to our attention.  I looked into this, and it
turns out that Debian's libgit2 package no longer depends on OpenSSL:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798421

libgit2 can use libcurl for HTTPS support, in which case it does not
need OpenSSL.  Our libcurl already uses GnuTLS instead of OpenSSL.  So,
I expect this issue can be easily resolved.  I'll work on it.

     Thanks,
       Mark

Re: openssl is now a dependency of guix: possible license conflict?

[Mark H Weaver]

Mark H Weaver <mhw@netris.org> writes:

> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Recently, guix changes to use guile-git for 'guix pull', which is a
>> libgit2 binding for guile, while libgit2 itself uses openssl to talk
>> over https.
>>
>> Now the potential problem is that guix is licensed in gpl3+ while
>> openssl is licensed in openssl. It is well-known the two licenses have
>> incompatibility disallowing one from distributing the result of linking
>> a gpl program with openssl[0].
>
> Thanks for bringing this to our attention.  I looked into this, and it
> turns out that Debian's libgit2 package no longer depends on OpenSSL:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798421
>
> libgit2 can use libcurl for HTTPS support, in which case it does not
> need OpenSSL.

I was mistaken about this.  My mistake was based on the following
statement from libgit2's CHANGELOG.md for v0.23:

  * If libcurl is installed, we will use it to connect to HTTP(S)
    servers.

However, further investigation reveals that on GNU/Linux systems,
libgit2's HTTPS support requires OpenSSL.  Debian's libgit2 no longer
supports HTTPS.

There exist patches for libgit2 to support the mbedTLS library, but it
is not yet clear whether they will be accepted upstream:

  https://github.com/libgit2/libgit2/pull/3462
  https://github.com/libgit2/libgit2/pull/3935

OpenSSL is currently attempting to change their license to the Apache
License v2.0, which is compatible with the GNU GPL v3, but it's not
clear how long it will take for them to obtain permission from the large
number of individual copyright owners:

  https://www.openssl.org/blog/blog/2017/03/22/license/

      Mark

Re: openssl is now a dependency of guix: possible license conflict?

[Alex Vong]

[-- Attachment #1: Type: text/plain, Size: 2280 bytes --]

Mark H Weaver <mhw@netris.org> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> Alex Vong <alexvong1995@gmail.com> writes:
>>
>>> Recently, guix changes to use guile-git for 'guix pull', which is a
>>> libgit2 binding for guile, while libgit2 itself uses openssl to talk
>>> over https.
>>>
>>> Now the potential problem is that guix is licensed in gpl3+ while
>>> openssl is licensed in openssl. It is well-known the two licenses have
>>> incompatibility disallowing one from distributing the result of linking
>>> a gpl program with openssl[0].
>>
>> Thanks for bringing this to our attention.  I looked into this, and it
>> turns out that Debian's libgit2 package no longer depends on OpenSSL:
>>
>>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798421
>>
>> libgit2 can use libcurl for HTTPS support, in which case it does not
>> need OpenSSL.
>
> I was mistaken about this.  My mistake was based on the following
> statement from libgit2's CHANGELOG.md for v0.23:
>
>   * If libcurl is installed, we will use it to connect to HTTP(S)
>     servers.
>
> However, further investigation reveals that on GNU/Linux systems,
> libgit2's HTTPS support requires OpenSSL.  Debian's libgit2 no longer
> supports HTTPS.
>
> There exist patches for libgit2 to support the mbedTLS library, but it
> is not yet clear whether they will be accepted upstream:
>
>   https://github.com/libgit2/libgit2/pull/3462
>   https://github.com/libgit2/libgit2/pull/3935
>
It seems julia had merge the mbedtls patches, so they should be working:

  https://github.com/JuliaLang/julia/pull/22614

Should we also adopt the patches?

Another solution I can think of is to change the (guix git) module so
that it supports using plain git to clone and fetch the repo. We can
have an option to choose using either libgit2 or git in the configure
script.

> OpenSSL is currently attempting to change their license to the Apache
> License v2.0, which is compatible with the GNU GPL v3, but it's not
> clear how long it will take for them to obtain permission from the large
> number of individual copyright owners:
>
>   https://www.openssl.org/blog/blog/2017/03/22/license/
>
This is great. They start doing it in 2015, time flies:
  https://www.openssl.org/blog/blog/2015/08/01/cla/

>       Mark

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: openssl is now a dependency of guix: possible license conflict?

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 616 bytes --]

On Fri, Aug 18, 2017 at 10:44:04PM +0800, Alex Vong wrote:
> It seems julia had merge the mbedtls patches, so they should be working:
> 
>   https://github.com/JuliaLang/julia/pull/22614
> 
> Should we also adopt the patches?

Personally, I think it depends on the advice of the libgit2 team. We
shouldn't add new TLS backends without being very careful that they work
properly.

I've seen many cases where TLS seemed to work but, upon examination,
turned out to not offer any security at all.

Currently, TLS in `guix pull` is the fundamental security mechanism in
Guix, so we must be very careful.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: openssl is now a dependency of guix: possible license conflict?

[Mark H Weaver]

[-- Attachment #1: Type: text/plain, Size: 691 bytes --]

Mark H Weaver <mhw@netris.org> writes:

> There exist patches for libgit2 to support the mbedTLS library, but it
> is not yet clear whether they will be accepted upstream:
>
>   https://github.com/libgit2/libgit2/pull/3462
>   https://github.com/libgit2/libgit2/pull/3935

Here's the currently-open pull request:

  https://github.com/libgit2/libgit2/pull/4173

I've attached work-in-progress patches to switch our libgit2 to use a
modified version that supports mbedTLS.  Currently, there is a failing
test in libgit2.  It may be a couple of days before I can work more on
this.  I'm sending out these patches in case someone else wants to work
more on this in the meantime.

       Mark



[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: [PATCH 1/2] DRAFT: gnu: mbedTLS: Build shared libraries --]
[-- Type: text/x-patch, Size: 790 bytes --]

From ff3267d15cde38f8af1751cbd15bf7a8e4a0eea0 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Fri, 18 Aug 2017 17:06:39 -0400
Subject: [PATCH 1/2] DRAFT: gnu: mbedTLS: Build shared libraries.

---
 gnu/packages/tls.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 9d3e9d9e9..0c5b53162 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -775,6 +775,8 @@ then ported to the GNU / Linux environment.")
         (base32
          "1yc1rj0izjihj9hbzvskpa4gjzqf4dm2i84nmmm2s9j1i66fp6jm"))))
     (build-system cmake-build-system)
+    (arguments
+     `(#:configure-flags '("-DUSE_SHARED_MBEDTLS_LIBRARY=On")))
     (native-inputs
      `(("perl" ,perl)))
     (synopsis "Small TLS library")
-- 
2.14.1


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: [PATCH 2/2] PRELIMINARY: libgit2: Use mbedTLS. --]
[-- Type: text/x-patch, Size: 6881 bytes --]

From 2680d40d32ab3452522f87be09c69f1ec0399c6e Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Fri, 18 Aug 2017 17:06:18 -0400
Subject: [PATCH 2/2] PRELIMINARY: libgit2: Use mbedTLS.

---
 .../patches/libgit2-mbedtls-cert-location.patch    |  21 ++++
 gnu/packages/version-control.scm                   | 111 ++++++++++++---------
 2 files changed, 87 insertions(+), 45 deletions(-)
 create mode 100644 gnu/packages/patches/libgit2-mbedtls-cert-location.patch

diff --git a/gnu/packages/patches/libgit2-mbedtls-cert-location.patch b/gnu/packages/patches/libgit2-mbedtls-cert-location.patch
new file mode 100644
index 000000000..3f068d9a5
--- /dev/null
+++ b/gnu/packages/patches/libgit2-mbedtls-cert-location.patch
@@ -0,0 +1,21 @@
+Cope with the absence of /etc/ssl/certs within the build container.
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 6976946ca..8c8841464 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -361,9 +361,11 @@ ELSEIF(TLS_BACKEND STREQUAL "mbedTLS")
+ 	ENDIF()
+ 
+ 	IF(CERT_LOCATION)
+-		IF(NOT EXISTS ${CERT_LOCATION})
+-			MESSAGE(FATAL_ERROR "Cannot use CERT_LOCATION=${CERT_LOCATION} as it doesn't exist")
+-		ENDIF()
++		# Within Guix's build container, the certificates will
++		# not exist in the standard system-wide directory.
++		#IF(NOT EXISTS ${CERT_LOCATION})
++		#	MESSAGE(FATAL_ERROR "Cannot use CERT_LOCATION=${CERT_LOCATION} as it doesn't exist")
++		#ENDIF()
+ 		ADD_FEATURE_INFO(CERT_LOCATION ON "using certificates from ${CERT_LOCATION}")
+ 		ADD_DEFINITIONS(-DGIT_DEFAULT_CERT_LOCATION="${CERT_LOCATION}")
+ 	ENDIF()
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index 869672ca4..8bc761863 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -352,53 +352,74 @@ everything from small to very large projects with speed and efficiency.")
    (home-page "https://git-scm.com/")))
 
 (define-public libgit2
-  (package
-    (name "libgit2")
-    (version "0.26.0")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/libgit2/libgit2/"
-                                  "archive/v" version ".tar.gz"))
-              (file-name (string-append name "-" version ".tar.gz"))
-              (sha256
-               (base32
-                "1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa"))
-              (patches (search-patches "libgit2-0.25.1-mtime-0.patch"))))
-    (build-system cmake-build-system)
-    (outputs '("out" "debug"))
-    (arguments
-     `(#:configure-flags '("-DUSE_SHA1DC=ON") ; SHA-1 collision detection
-       #:phases
-       (modify-phases %standard-phases
-         (add-after 'unpack 'fix-hardcoded-paths
-           (lambda _
-             (substitute* "tests/repo/init.c"
-               (("#!/bin/sh") (string-append "#!" (which "sh"))))
-             (substitute* "tests/clar/fs.h"
-               (("/bin/cp") (which "cp"))
-               (("/bin/rm") (which "rm")))
-             #t))
-         ;; Run checks more verbosely.
-         (replace 'check
-           (lambda _ (zero? (system* "./libgit2_clar" "-v" "-Q")))))))
-    (inputs
-     `(("libssh2" ,libssh2)
-       ("libcurl" ,curl)
-       ("python" ,python-wrapper)))
-    (native-inputs
-     `(("pkg-config" ,pkg-config)))
-    (propagated-inputs
-     ;; These two libraries are in 'Requires.private' in libgit2.pc.
-     `(("openssl" ,openssl)
-       ("zlib" ,zlib)))
-    (home-page "https://libgit2.github.com/")
-    (synopsis "Library providing Git core methods")
-    (description
-     "Libgit2 is a portable, pure C implementation of the Git core methods
+  (let ((version "0.26.0")
+        (commit "f16ff6db95964a5ea55b6654ab0f98d7711b4041")
+        (revision 1))
+    (package
+      (name "libgit2")
+      (version (string-append version "-"
+                              (number->string revision)
+                              "." (string-take commit 7)))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                      (url "https://github.com/tiennou/libgit2")
+                      (commit commit)))
+                (sha256
+                 (base32
+                  "1zaynw5qqjg38vjqmvdnrf74i3c26cnql7d2akz0r4r0x51qz37f"))
+                (file-name (string-append name "-" version "-checkout"))
+                (patches (search-patches "libgit2-mbedtls-cert-location.patch"
+                                         "libgit2-0.25.1-mtime-0.patch")))
+              #;
+              (origin
+                (method url-fetch)
+                (uri (string-append "https://github.com/libgit2/libgit2/"
+                                    "archive/v" version ".tar.gz"))
+                (file-name (string-append name "-" version ".tar.gz"))
+                (sha256
+                 (base32
+                  "1fdk9yhwvl1w1z71ykzcvgh4nsf8scxcbclz5anh98zpplmhmisa"))
+                (patches (search-patches "libgit2-0.25.1-mtime-0.patch"))))
+      (build-system cmake-build-system)
+      (outputs '("out" "debug"))
+      (arguments
+       `(#:configure-flags
+         '("-DUSE_SHA1DC=ON"    ; SHA-1 collision detection
+           "-DUSE_TLS=mbedTLS"  ; Avoid OpenSSL for GPL compatibility
+           "-DCERT_LOCATION=/phony/etc/ssl/certs")  ; XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+         #:phases
+         (modify-phases %standard-phases
+           (add-after 'unpack 'fix-hardcoded-paths
+             (lambda _
+               (substitute* "tests/repo/init.c"
+                 (("#!/bin/sh") (string-append "#!" (which "sh"))))
+               (substitute* "tests/clar/fs.h"
+                 (("/bin/cp") (which "cp"))
+                 (("/bin/rm") (which "rm")))
+               #t))
+           ;; Run checks more verbosely.
+           (replace 'check
+             (lambda _ (zero? (system* "./libgit2_clar" "-v" "-Q")))))))
+      (inputs
+       `(("libssh2" ,libssh2)
+         ("libcurl" ,curl)
+         ("mbedtls" ,mbedtls-apache)
+         ("http-parser" ,http-parser)
+         ("python" ,python-wrapper)))
+      (native-inputs
+       `(("pkg-config" ,pkg-config)))
+      (propagated-inputs
+       ;; zlib in 'Requires.private' in libgit2.pc.
+       `(("zlib" ,zlib)))
+      (home-page "https://libgit2.github.com/")
+      (synopsis "Library providing Git core methods")
+      (description
+       "Libgit2 is a portable, pure C implementation of the Git core methods
 provided as a re-entrant linkable library with a solid API, allowing you to
 write native speed custom Git applications in any language with bindings.")
-    ;; GPLv2 with linking exception
-    (license license:gpl2)))
+      ;; GPLv2 with linking exception
+      (license license:gpl2))))
 
 (define-public git-crypt
   (package
-- 
2.14.1

Re: openssl is now a dependency of guix: possible license conflict?

[Adonay Felipe Nogueira]

I wonder if it can be made to support GnuTLS instead.

I'm not a developer, but perhaps GNU Ring's patch against
pjsip/pjproject might give us a hint on how to do so.

-- 
- [[https://libreplanet.org/wiki/User:Adfeno]]
- Palestrante e consultor sobre /software/ livre (não confundir com
  gratis).
- "WhatsApp"? Ele não é livre. Por favor, use o GNU Ring ou o Tox.
- Contato: [[https://libreplanet.org/wiki/User:Adfeno#vCard]]
- Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
  Office, MP3, MP4, WMA, WMV.
- Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
  GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
  (apenas sem DRM), PNG, TXT, WEBM.

Re: openssl is now a dependency of guix: possible license conflict?

[Ludovic Courtès]

Mark H Weaver <mhw@netris.org> skribis:

> Mark H Weaver <mhw@netris.org> writes:
>
>> There exist patches for libgit2 to support the mbedTLS library, but it
>> is not yet clear whether they will be accepted upstream:
>>
>>   https://github.com/libgit2/libgit2/pull/3462
>>   https://github.com/libgit2/libgit2/pull/3935
>
> Here's the currently-open pull request:
>
>   https://github.com/libgit2/libgit2/pull/4173
>
> I've attached work-in-progress patches to switch our libgit2 to use a
> modified version that supports mbedTLS.  Currently, there is a failing
> test in libgit2.  It may be a couple of days before I can work more on
> this.  I'm sending out these patches in case someone else wants to work
> more on this in the meantime.

Nice!

As Leo wrote, I think we should make sure that TLS support works
correctly, and in particular that authentication works (the
‘set-tls-certificate-locations!’ binding in Guile-Git.)

(I would also have a preference for GnuTLS over mbedTLS, if we had a
choice…)

Thanks for looking into this!

Ludo’.