* Re: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others [not found] ` <871s3his1i.fsf@gnu.org> @ 2021-10-22 6:17 ` Vagrant Cascadian 2021-10-22 20:35 ` Leo Famulari 2021-10-22 21:17 ` Vagrant Cascadian 0 siblings, 2 replies; 7+ messages in thread From: Vagrant Cascadian @ 2021-10-22 6:17 UTC (permalink / raw) To: 34717; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 2157 bytes --] On 2019-03-08, Ludovic Courtès wrote: > Vagrant Cascadian <vagrant@debian.org> skribis: >> I'm not sure where it would be appropriate to add more comments >> regarding the GPL/Openssl incompatibilities; e.g. if someone were to >> propose adding one of the u-boot targets that requires it, they might >> just go ahead and re-add the openssl input... > > There’s always a risk. I guess we’ll have to be careful when doing > reviews. > > In addition, we can add a ‘lint’ checker for this case, WDYT? > >> From ee613387c49ca60905e0a40af8af017828c8aec8 Mon Sep 17 00:00:00 2001 >> From: Vagrant Cascadian <vagrant@debian.org> >> Date: Thu, 7 Mar 2019 21:50:58 +0000 >> Subject: [PATCH] gnu: u-boot: Remove openssl input. >> >> Fixes: https://bugs.gnu.org/34717 >> >> * gnu/packages/bootloaders (u-boot): Remove openssl from native-inputs. >> (u-boot-tools): Disable FIT_SIGNATURES in tests. > > Applied, thanks! For the last couple years guix has been applying simple workarounds in u-boot packages to disable the features that required openssl due to GPL/openssl license incompatibilities. I made an attempt at updating guix to u-boot 2021.10, which seems to have made openssl harder to workaround... many of the u-boot-BOARD packages now require it, and the previous workarounds to disable openssl in u-boot-tools seem ineffective. I see a few ways forward: * Dig deeper into figuring out how to disable the workarounds... * Refactor the code that uses openssl to use an alternate implementation. Upstream would welcome the fixes, at least in theory. Most promising candidate might be wolfssl, last I looked, but it may miss some features. * Convince upstream u-boot to relicense relevent GPLed portions of code with an openssl exception. Upstream is dubious about this being practical, largely due to the sheer number of potential contributors who would have to agree to it. * ??? While openssl 3.0 is licensed compatibly with GPLv3, u-boot has portions which are GPLv2-only, so that's not as attractive of a way forward as one might hope for... live well, vagrant [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others 2021-10-22 6:17 ` bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others Vagrant Cascadian @ 2021-10-22 20:35 ` Leo Famulari 2021-10-22 21:15 ` Vagrant Cascadian 2021-10-22 21:17 ` Vagrant Cascadian 1 sibling, 1 reply; 7+ messages in thread From: Leo Famulari @ 2021-10-22 20:35 UTC (permalink / raw) To: Vagrant Cascadian; +Cc: guix-devel, 34717 On Thu, Oct 21, 2021 at 11:17:03PM -0700, Vagrant Cascadian wrote: > While openssl 3.0 is licensed compatibly with GPLv3, u-boot has portions > which are GPLv2-only, so that's not as attractive of a way forward as > one might hope for... What are other distros doing? Surely we can't be the only group distributing u-boot? ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others 2021-10-22 20:35 ` Leo Famulari @ 2021-10-22 21:15 ` Vagrant Cascadian 2021-10-23 9:08 ` Maxime Devos 0 siblings, 1 reply; 7+ messages in thread From: Vagrant Cascadian @ 2021-10-22 21:15 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel, 34717 [-- Attachment #1: Type: text/plain, Size: 1337 bytes --] On 2021-10-22, Leo Famulari wrote: > On Thu, Oct 21, 2021 at 11:17:03PM -0700, Vagrant Cascadian wrote: >> While openssl 3.0 is licensed compatibly with GPLv3, u-boot has portions >> which are GPLv2-only, so that's not as attractive of a way forward as >> one might hope for... > > What are other distros doing? Surely we can't be the only group > distributing u-boot? Both fedora and (recently) debian have openssl declared as a system library, invoking the GPL's system library exception... which I personally find at best to be a grey area workaround. I wouldn't be surprised if most distros simply ignore the issue entirely. Interestingly, today I was called in on a relevent discussion on the u-boot mailing list: https://lists.denx.de/pipermail/u-boot/2021-October/464529.html Though, it is *possible* that various u-boot-BOARD in some cases doesn't include any openssl code at all in the resulting binaries, but builds some tools used during the build process, that are then used to produce various cryptographic signatures in the build: https://lists.denx.de/pipermail/u-boot/2021-October/464533.html If that's true, it should be ok for various boards (though the possibility of openssl code getting linked in would be hard to catch). u-boot-tools would still need a viable workaround, though. live well, vagrant [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others 2021-10-22 21:15 ` Vagrant Cascadian @ 2021-10-23 9:08 ` Maxime Devos 0 siblings, 0 replies; 7+ messages in thread From: Maxime Devos @ 2021-10-23 9:08 UTC (permalink / raw) To: Vagrant Cascadian, Leo Famulari; +Cc: guix-devel, 34717 Vagrant Cascadian schreef op vr 22-10-2021 om 14:15 [-0700]: > [...] > Though, it is *possible* that various u-boot-BOARD in some cases > doesn't > include any openssl code at all in the resulting binaries, but builds > some tools used during the build process, that are then used to > produce > various cryptographic signatures in the build: > > https://lists.denx.de/pipermail/u-boot/2021-October/464533.html > > If that's true, it should be ok for various boards (though the > possibility of openssl code getting linked in would be hard to > catch). Add openssl to #:disallowed-references. Then the build will fail if the store item has a reference to openssl. This most likely won't catch uses of the _static_ OpenSSL libraries though, so the "openssl:static" input would need to be removed for this approach to work. Greetings, Maxime. -- not hacking on guix for a while, only occassionally looking at IRC logs and bug reports. E-mails are unsigned until backup is located. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others 2021-10-22 6:17 ` bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others Vagrant Cascadian 2021-10-22 20:35 ` Leo Famulari @ 2021-10-22 21:17 ` Vagrant Cascadian 2021-10-23 19:44 ` Leo Famulari 1 sibling, 1 reply; 7+ messages in thread From: Vagrant Cascadian @ 2021-10-22 21:17 UTC (permalink / raw) To: 34717; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1287 bytes --] On 2021-10-21, Vagrant Cascadian wrote: > For the last couple years guix has been applying simple workarounds in > u-boot packages to disable the features that required openssl due to > GPL/openssl license incompatibilities. > > I made an attempt at updating guix to u-boot 2021.10, which seems to > have made openssl harder to workaround... many of the u-boot-BOARD > packages now require it, and the previous workarounds to disable openssl > in u-boot-tools seem ineffective. > > I see a few ways forward: > > * Dig deeper into figuring out how to disable the workarounds... > > * Refactor the code that uses openssl to use an alternate > implementation. Upstream would welcome the fixes, at least in > theory. Most promising candidate might be wolfssl, last I looked, but > it may miss some features. > > * Convince upstream u-boot to relicense relevent GPLed portions of code > with an openssl exception. Upstream is dubious about this being > practical, largely due to the sheer number of potential contributors > who would have to agree to it. * Disable substitutes for relevent packages. Technically correct as license incompatibility is only triggered on transmission of binary, though maybe missing something about the spirit of the GPL. live well, vagrant [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others 2021-10-22 21:17 ` Vagrant Cascadian @ 2021-10-23 19:44 ` Leo Famulari 2021-10-24 8:50 ` Dr. Arne Babenhauserheide 0 siblings, 1 reply; 7+ messages in thread From: Leo Famulari @ 2021-10-23 19:44 UTC (permalink / raw) To: Vagrant Cascadian; +Cc: guix-devel, 34717 On Fri, Oct 22, 2021 at 02:17:33PM -0700, Vagrant Cascadian wrote: > * Disable substitutes for relevent packages. Technically correct as > license incompatibility is only triggered on transmission of binary, > though maybe missing something about the spirit of the GPL. Maybe, but did anyone with standing ever take action regarding these licensing incompatibilities? Perhaps, looking at these issues too closely is also missing something about the spirit of the GPL. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others 2021-10-23 19:44 ` Leo Famulari @ 2021-10-24 8:50 ` Dr. Arne Babenhauserheide 0 siblings, 0 replies; 7+ messages in thread From: Dr. Arne Babenhauserheide @ 2021-10-24 8:50 UTC (permalink / raw) To: Leo Famulari; +Cc: Vagrant Cascadian, guix-devel, 34717, bug-guix [-- Attachment #1: Type: text/plain, Size: 895 bytes --] Leo Famulari <leo@famulari.name> writes: > On Fri, Oct 22, 2021 at 02:17:33PM -0700, Vagrant Cascadian wrote: >> * Disable substitutes for relevent packages. Technically correct as >> license incompatibility is only triggered on transmission of binary, >> though maybe missing something about the spirit of the GPL. > > Maybe, but did anyone with standing ever take action regarding these > licensing incompatibilities? > > Perhaps, looking at these issues too closely is also missing something > about the spirit of the GPL. It just needs one person. Also see this weeks newsletter from Cory Doctorov on the lawsuit against Vizio. It might soon only take one user. Best get licensing problems fixed sooner than later. GPLv2-only is a problem quickly getting closer. Best wishes, Arne -- Unpolitisch sein heißt politisch sein, ohne es zu merken. draketo.de [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 1125 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-10-24 8:53 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <87tvgkiurn.fsf@ponder>
[not found] ` <87zhq8f2zz.fsf@gnu.org>
[not found] ` <87ftrzuxmh.fsf@ponder>
[not found] ` <87o96m8f09.fsf@ponder>
[not found] ` <871s3his1i.fsf@gnu.org>
2021-10-22 6:17 ` bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others Vagrant Cascadian
2021-10-22 20:35 ` Leo Famulari
2021-10-22 21:15 ` Vagrant Cascadian
2021-10-23 9:08 ` Maxime Devos
2021-10-22 21:17 ` Vagrant Cascadian
2021-10-23 19:44 ` Leo Famulari
2021-10-24 8:50 ` Dr. Arne Babenhauserheide
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).