From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: [PATCH] Libressl
Date: Mon, 15 Jun 2015 17:16:06 -0400
Message-ID: <87k2v4hdux.fsf@netris.org>
References: <20150615191102.GA4777@debian> <87eglciv83.fsf@netris.org>
	<20150615203014.GB5980@debian>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35511)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1Z4bjx-0001IF-No
	for guix-devel@gnu.org; Mon, 15 Jun 2015 17:16:23 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1Z4bju-0008R4-G6
	for guix-devel@gnu.org; Mon, 15 Jun 2015 17:16:21 -0400
Received: from world.peace.net ([50.252.239.5]:56742)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1Z4bju-0008Qw-CE
	for guix-devel@gnu.org; Mon, 15 Jun 2015 17:16:18 -0400
In-Reply-To: <20150615203014.GB5980@debian> (Andreas Enge's message of "Mon,
	15 Jun 2015 22:30:14 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org

Andreas Enge <andreas@enge.fr> writes:

> On Mon, Jun 15, 2015 at 04:15:40PM -0400, Mark H Weaver wrote:
>> The COPYING file says that the OpenSSL code is under the OpenSSL license
>> and the new contributions are under ISC or public domain, so how about
>> this instead?
>>     (license (list license:openssl
>>                    license:isc)))))
>
> I read the file, but did not realise it corresponded to a license we already
> have. Anyway, the claim seems to be wrong.
>
> For instance, ssl/bio_ssl.c starts with this:

The license you pasted is the original SSLeay License, whereas
<https://www.gnu.org/licenses/license-list.html#OpenSSL> says:

  The license of OpenSSL is a conjunction of two licenses, one of them
  being the license of SSLeay.  You must follow both.  [...]

However, I see now that this is a bit confusing, and we made a mistake
in our 'license' field of our OpenSSL package.  My casual reading of the
above text led me believe that the "OpenSSL License" is itself a
conjunction of the two licenses, but I see that
<http://directory.fsf.org/wiki/License:OpenSSL> does not include the
SSLeay license.

So, I think we should add 'ssleay' to (guix licenses) and then add it to
the license field of 'openssl' along with a comment explaining that the
requirements of both (all?) licenses must be followed.

> Then, tls/strsep.c starts like this:
>
> /*-
>  * Copyright (c) 1990, 1993
>  *	The Regents of the University of California.  All rights reserved.
>  *
>  * Redistribution and use in source and binary forms, with or without
>  * modification, are permitted provided that the following conditions
>  * are met:
>  * 1. Redistributions of source code must retain the above copyright
>  *    notice, this list of conditions and the following disclaimer.
>  * 2. Redistributions in binary form must reproduce the above copyright
>  *    notice, this list of conditions and the following disclaimer in the
>  *    documentation and/or other materials provided with the distribution.
>  * 3. Neither the name of the University nor the names of its contributors
>  *    may be used to endorse or promote products derived from this software
>  *    without specific prior written permission.
>  *
>  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
>  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
>  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
>  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
>  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
>  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
>  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
>  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
>  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
>  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
>  * SUCH DAMAGE.
>  */
>
> This is BSD-3 in which "the author" has been replaced by "the University"
> or "THE REGENTS AND CONTRIBUTORS".

Good catch!  This is another omission from the license field of our
'openssl' package.  The Debian packagers missed this one as well.

However, these omissions are not remedied by citing "file://COPYING",
since that file has the same omissions and does not even include the
text of the ISC license.

So, in summary, I think the 'openssl' license field should be changed to
something like this:

    (license (list license:openssl
                   license:ssleay
                   (license:non-copyleft
                    "file://tls/strsep.c"
                    "Slightly modified BSD-3.  See tls/strsep.c in the source distribution")))))

and 'libressl' should be the same but with 'license:isc' added as well.
What do you think?

> Admittedly, I did not check all the source files.

If you find any more, they should be added to the appropriate license
fields.

Thanks for your vigilance!

     Mark