Debian Bug report logs - #147430
hpoj: Linking against OpenSSL licensing modification (GPL)

version graph

Package: hpoj; Maintainer for hpoj is (unknown);

Reported by: "Mark Purcell" <msp@debian.org>

Date: Sun, 19 May 2002 15:03:02 UTC

Severity: normal

Tags: sid

Found in version 0.8-cvs20020519-1

Fixed in version hpoj/0.8-cvs20020727-1

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to "Mark Purcell" <msp@debian.org>:
New Bug report received and forwarded. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Mark Purcell" <msp@debian.org>
To: "Debian Bug Tracking System" <submit@bugs.debian.org>
Subject: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Mon, 20 May 2002 00:59:07 +1000
Package: hpoj
Version: 0.8-cvs20020519-1
Severity: normal
Tags: sid

David,

The licence for hpoj currently states:

/* This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.

However the current CVS version of hpoj can[1] also be built linked against 
OpenSSL (libcrypto) which maybe precluded under the 
GPL, unless the hpoj licensing terms include a disclamer:

http://www.openssl.org/support/faq.html#LEGAL2

Would you be happy to include the following clause in the hpoj
LICENSE. 

"This program is released under the GPL with the additional
   exemption that compiling, linking, and/or using OpenSSL is allowed."

Thanks,
Mark

[1] I'm not quite sure why, because they seem to build fully functional 
without OpenSSL support as well, but as they can be built linked against
OpenSSL this query arises.

$ ldd /usr/bin/ptal-hp
	libptal.so.0 => /usr/lib/libptal.so.0 (0x40023000)
	libc.so.6 => /lib/libc.so.6 (0x4002f000)
	libsnmp-0.4.2.so => /usr/lib/libsnmp-0.4.2.so (0x4014d000)
	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x401a6000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
	libdl.so.2 => /lib/libdl.so.2 (0x40267000)

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux htpc 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages hpoj depends on:
ii  libc6                         2.2.5-6    GNU C Library: Shared libraries an
ii  libsnmp4.2                    4.2.5-1    NET SNMP (Simple Network Managemen
ii  libssl0.9.6                   0.9.6c-2   SSL shared libraries
ii  libstdc++2.10-glibc2.2        1:2.95.4-9 The GNU stdc++ library




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #10 received at 147430@bugs.debian.org (full text, mbox):

From: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
To: 'Mark Purcell' <msp@debian.org>, "'147430@bugs.debian.org'" <147430@bugs.debian.org>, debian-bugs-dist@lists.debian.org, hpoj-devel@lists.sourceforge.net
Cc: hpoj@packages.qa.debian.org
Subject: RE: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licens ing modification (GPL)
Date: Tue, 21 May 2002 20:40:09 -0400
Mark Purcell wrote:
> However the current CVS version of hpoj can[1] also be built 
> linked against 
> OpenSSL (libcrypto) which maybe precluded under the 
> GPL, unless the hpoj licensing terms include a disclamer:
> 
> http://www.openssl.org/support/faq.html#LEGAL2
> 
> Would you be happy to include the following clause in the hpoj
> LICENSE. 
> 
> "This program is released under the GPL with the additional
>    exemption that compiling, linking, and/or using OpenSSL is 
> allowed."

Hi, Mark.  While I don't object to linking with OpenSSL in the manner it's
currently done with hpoj (to satistify a libsnmp dependency, where OpenSSL
doesn't actually have any linkages into the hpoj code), I'm concerned that
the suggested exception statement is overly broad, because it doesn't
sufficiently define exactly what "OpenSSL" is.  For example, what if
somebody wrote some proprietary code, called it "OpenSSL" (even if it had
nothing to do with what you and I know to be "OpenSSL"), and linked it
extensively with hpoj code, effectively treating hpoj as if it were LGPL?
Although that might seem far-fetched, I have to look out for such
possibilities, because one of the points I made when working with my
management to GPL-release the MLC/1284.4 code in ptal-mlcd (originally
developed for HP JetDirect firmware) was that for all practical purposes the
GPL prevents a competitor from taking that code and linking it with
proprietary firmware of a competing print-server product.

> [1] I'm not quite sure why, because they seem to build fully 
> functional 
> without OpenSSL support as well, but as they can be built 
> linked against OpenSSL this query arises.
> 
> $ ldd /usr/bin/ptal-hp
> 	libptal.so.0 => /usr/lib/libptal.so.0 (0x40023000)
> 	libc.so.6 => /lib/libc.so.6 (0x4002f000)
> 	libsnmp-0.4.2.so => /usr/lib/libsnmp-0.4.2.so (0x4014d000)
> 	libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x401a6000)
> 	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> 	libdl.so.2 => /lib/libdl.so.2 (0x40267000)

Most hpoj executables (other than hpoijip-test and ptal-mlcd) depend on
libptal.  If you build with SNMP (needed for full JetDirect support), then
libptal in turn depends on libsnmp.  In some cases, libsnmp also depends on
libcrypto, but for some annoying reason libsnmp doesn't get linked with the
"-lcrypto" switch, meaning that I had to link libptal with "-lcrypto".  This
is the case regardless of whether you're using hpoj-0.8 or the latest CVS
code.

What is the source of GPL incompatibility with OpenSSL in the first place?
Is it patent-encumbered code (which I would expect Debian to disable) or the
old-BSD-style-license "advertising clause"?

David



Information forwarded to debian-bugs-dist@lists.debian.org, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #15 received at 147430@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Wed, 22 May 2002 21:00:29 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 22 May 2002 10:40, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> Mark Purcell wrote:
> > OpenSSL (libcrypto) which maybe precluded under the
> > GPL, unless the hpoj licensing terms include a disclamer:
> > http://www.openssl.org/support/faq.html#LEGAL2

> Hi, Mark.  While I don't object to linking with OpenSSL in the manner it's
> currently done with hpoj (to satistify a libsnmp dependency, where OpenSSL
> doesn't actually have any linkages into the hpoj code), I'm concerned that
> the suggested exception statement is overly broad, because it doesn't
> sufficiently define exactly what "OpenSSL" is.

Hi David,

I took that suggestion straight from the OpenSSL webpage.  I would be happy 
for you to define OpenSSL as you see fit.  I guess you could say something 
along the lines of 'as found at http://www.openssl.org' or give a specific 
library version number and soname.  It's really up to HP, and you as their 
agent, as the HPOJ copyright holder.

>  For example, what if
> somebody wrote some proprietary code, called it "OpenSSL" (even if it had
> nothing to do with what you and I know to be "OpenSSL"), and linked it
> extensively with hpoj code, effectively treating hpoj as if it were LGPL?
> Although that might seem far-fetched, I have to look out for such
> possibilities, ....

Oh I agree totally.  This is about maintaining your intent as this is your 
software. However by the letter of the GPL no one is currently allowed to 
link OpenSSL with hpoj as OpenSSL is not GPL compatible, to allow such 
linking requires express excemption from yourself. Debian is tightening up on 
packages which have these linkages to ensure that the original copyright 
conditions are maintained. Either way HPOJ will remain in Debian, it's just 
up to you as the HPOJ author if we link to OpenSSL or not.

> What is the source of GPL incompatibility with OpenSSL in the first place?
> Is it patent-encumbered code (which I would expect Debian to disable) or
> the old-BSD-style-license "advertising clause"?

You are right we have disabled the patent-encumbered code, otherwise OpenSSL 
wouldn't be in Debian at all!!  

According to http://www.openssl.org/support/faq.html#LEGAL2

'Some GPL software copyright holders claim that you infringe on their rights 
if you use OpenSSL with their software on operating systems that don't 
normally include OpenSSL. 

If you develop open source software that uses OpenSSL, you may find it useful 
to choose an other license than the GPL, or state explicitly that "This 
program is released under the GPL with the additional exemption that 
compiling, linking, and/or using OpenSSL is allowed." If you are using GPL 
software developed by others, you may want to ask the copyright holder for 
permission to use their software with OpenSSL.'

We had a fairly long discussion and determined that Debian 'doesn't normally 
include OpenSSL' so we are covered by the condition above.

Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE863ploCzanz0IthIRAnMdAKCRHKss7sMyJzACDnxm7z8obsoFFACgjUlR
g3t4CEooC/KIKn+vJjMk9tw=
=9rhH
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Jeff Licquia <licquia@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #20 received at 147430@bugs.debian.org (full text, mbox):

From: Jeff Licquia <licquia@debian.org>
To: Mark Purcell <msp@debian.org>
Cc: "PASCHAL,DAVID " "(HP-Roseville,ex1)" <david_paschal@hp.com>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: 22 May 2002 09:11:22 -0500
On Wed, 2002-05-22 at 06:00, Mark Purcell wrote:
> On Wed, 22 May 2002 10:40, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> > Hi, Mark.  While I don't object to linking with OpenSSL in the manner it's
> > currently done with hpoj (to satistify a libsnmp dependency, where OpenSSL
> > doesn't actually have any linkages into the hpoj code), I'm concerned that
> > the suggested exception statement is overly broad, because it doesn't
> > sufficiently define exactly what "OpenSSL" is.
> 
> I took that suggestion straight from the OpenSSL webpage.  I would be happy 
> for you to define OpenSSL as you see fit.  I guess you could say something 
> along the lines of 'as found at http://www.openssl.org' or give a specific 
> library version number and soname.  It's really up to HP, and you as their 
> agent, as the HPOJ copyright holder.

Unfortunately, the OpenSSL webpages and FAQs on the licensing question
say lots of things, some of which may be true.  I'm not familiar with
the exact text of the site (I've heard lots of different versions), but
at least some of their opinions on the licenses are not shared by the
Debian project.

If you are looking for a sample license statement that has been
considered to be good, you might want to look at the license that the
authors of CUPS are planning to use.  A copy can currently be found at
http://www.cups.org/new-license.html.  It has additional rights you
probably aren't interested in; the main salient points are that it
describes as exactly as possible what exceptions to the GPL are allowed,
and it allows third parties to strip out the exceptions so the code can
be linked to straight-GPLed code without such exceptions.

Of course, it doesn't explain what "the OpenSSL Toolkit" is much better
than the proposed text does, so you will probably want to modify that.

> > What is the source of GPL incompatibility with OpenSSL in the first place?
> > Is it patent-encumbered code (which I would expect Debian to disable) or
> > the old-BSD-style-license "advertising clause"?
> 
> You are right we have disabled the patent-encumbered code, otherwise OpenSSL 
> wouldn't be in Debian at all!!  
> 
> According to http://www.openssl.org/support/faq.html#LEGAL2
> 
> 'Some GPL software copyright holders claim that you infringe on their rights 
> if you use OpenSSL with their software on operating systems that don't 
> normally include OpenSSL. 
> 
> If you develop open source software that uses OpenSSL, you may find it useful 
> to choose an other license than the GPL, or state explicitly that "This 
> program is released under the GPL with the additional exemption that 
> compiling, linking, and/or using OpenSSL is allowed." If you are using GPL 
> software developed by others, you may want to ask the copyright holder for 
> permission to use their software with OpenSSL.'
> 
> We had a fairly long discussion and determined that Debian 'doesn't normally 
> include OpenSSL' so we are covered by the condition above.

Actually, I believe this is inaccurate.  It may have been accurate in
the past, but it definitely is not any longer.

The problems between OpenSSL and the GPL are twofold:

 - the old BSD advertising clause

 - the clause in the OpenSSL license which reads:

"The licence and distribution terms for any publically available version
or derivative of this code cannot be changed.  i.e. this code cannot
simply be copied and put under another distribution licence [including
the GNU Public Licence.]"

This clause appears to forbid binary linking under the GPL section 2 (as
invoked by section 3).

We do consider Debian to be bound by this; specifically, OpenSSL is now
out of non-us/main and in main, so it most definitely "normally includes
OpenSSL".

David, I'm glad you're willing to work with us.  If you have any other
questions, please let us know, and we'll help you as best we can.




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Simon Law <sfllaw@engmail.uwaterloo.ca>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #25 received at 147430@bugs.debian.org (full text, mbox):

From: Simon Law <sfllaw@engmail.uwaterloo.ca>
To: Jeff Licquia <licquia@debian.org>
Cc: Mark Purcell <msp@debian.org>, "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Wed, 22 May 2002 10:30:32 -0400 (EDT)
On 22 May 2002, Jeff Licquia wrote:
> If you are looking for a sample license statement that has been
> considered to be good, you might want to look at the license that the
> authors of CUPS are planning to use.  A copy can currently be found at
> http://www.cups.org/new-license.html.  It has additional rights you
> probably aren't interested in; the main salient points are that it
> describes as exactly as possible what exceptions to the GPL are allowed,
> and it allows third parties to strip out the exceptions so the code can
> be linked to straight-GPLed code without such exceptions.
> 
> Of course, it doesn't explain what "the OpenSSL Toolkit" is much better
> than the proposed text does, so you will probably want to modify that.

	Please use the official GNU sanctioned statement.  It highlights
that you shouldn't modify the GPL, and it also provides good
boilerplate; so you don't have to make up your own.

	http://www.gnu.org/licenses/gpl-faq.html#WritingFSWithNFLibs

Simon




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Mark Horn <mark-dated-1022690074.afc032@hornclan.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #30 received at 147430@bugs.debian.org (full text, mbox):

From: Mark Horn <mark-dated-1022690074.afc032@hornclan.com>
To: Mark Purcell <msp@debian.org>
Cc: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: [hpoj-devel] Re: Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Wed, 22 May 2002 12:34:33 -0400
On Wed, May 22, 2002 at 09:00:29PM +1000, Mark Purcell wrote:
>However by the letter of the GPL no one is currently allowed to 
>link OpenSSL with hpoj as OpenSSL is not GPL compatible, to allow such 
>linking requires express excemption from yourself. 

Correct me if I'm wrong, but the GPL says that no one can *release*
a copy of hpoj linked to OpenSSL.  They can certainly use hpoj linked
to OpenSSL.  Of course, that doesn't help you as the guy who is trying
to package up hpoj for debian.  But if I want to link hpoj to OpenSSL,
there's nothing in my reading of the GPL that prevents me.  I simply
can't release any such code to anyone else.

Or have I misread the GPL?

Cheers,
- Mark



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #35 received at 147430@bugs.debian.org (full text, mbox):

From: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
To: 'Simon Law' <sfllaw@engmail.uwaterloo.ca>, Jeff Licquia <licquia@debian.org>, 'Mark Horn' <mark-dated-1022690074.afc032@hornclan.com>
Cc: Mark Purcell <msp@debian.org>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: RE: Bug#147430: hpoj: Linking against OpenSSL licensing modificat ion (GPL)
Date: Thu, 23 May 2002 22:47:20 -0400
Simon Law wrote:
> 	Please use the official GNU sanctioned statement.  It highlights
> that you shouldn't modify the GPL, and it also provides good
> boilerplate; so you don't have to make up your own.
> 
> 	http://www.gnu.org/licenses/gpl-faq.html#WritingFSWithNFLibs
Thanks to everyone for the information.  I will probably need to consult
with our attorney and several others to make sure that whatever I use (even
if it's the FSF template) properly addresses my concerns and doesn't create
any undesired loopholes.  In the meantime, informally I don't object if you
continue to link with libcrypto to satisfy libsnmp's dependency on
libcrypto, but if that's not sufficient then you can always temporarily
disable hpoj's SNMP support until I can supply an appropriate formal license
exception statement.  (I don't suppose there's a way to link with libsnmp
but not libcrypto?)

Jeff Licquia wrote:
>  - the clause in the OpenSSL license which reads:
> 
> "The licence and distribution terms for any publically 
> available version
> or derivative of this code cannot be changed.  i.e. this code cannot
> simply be copied and put under another distribution licence [including
> the GNU Public Licence.]"
> 
> This clause appears to forbid binary linking under the GPL 
> section 2 (as
> invoked by section 3).
> 
> We do consider Debian to be bound by this; specifically, 
> OpenSSL is now
> out of non-us/main and in main, so it most definitely 
> "normally includes OpenSSL".
But if Debian "most definitely 'normally includes OpenSSL'", then doesn't
that make this issue irrelevant?  Or do OpenSSL's advertising and anti-GPL
clauses override the normal-inclusion condition?

Mark Horn wrote:
> Correct me if I'm wrong, but the GPL says that no one can *release*
> a copy of hpoj linked to OpenSSL.  They can certainly use hpoj linked
> to OpenSSL.  Of course, that doesn't help you as the guy who is trying
> to package up hpoj for debian.  But if I want to link hpoj to OpenSSL,
> there's nothing in my reading of the GPL that prevents me.  I simply
> can't release any such code to anyone else.
You are correct.  The GPL doesn't restrict your own use of software; it
merely sets the conditions for copying (distributing) software (with or
without modifications), which by default isn't allowed under copyright law.
The question of whether linking with OpenSSL requires special permission
from me only comes into play if you distribute binaries rather than have the
recipient compile the source code for him/herself and generate the
questioned linkage.

David



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Jeff Licquia <licquia@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #40 received at 147430@bugs.debian.org (full text, mbox):

From: Jeff Licquia <licquia@debian.org>
To: "PASCHAL,DAVID " "(HP-Roseville,ex1)" <david_paschal@hp.com>
Cc: 'Simon Law' <sfllaw@engmail.uwaterloo.ca>, 'Mark Horn' <mark-dated-1022690074.afc032@hornclan.com>, Mark Purcell <msp@debian.org>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: RE: Bug#147430: hpoj: Linking against OpenSSL licensing modificat ion (GPL)
Date: 24 May 2002 00:30:38 -0500
On Thu, 2002-05-23 at 21:47, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> Thanks to everyone for the information.  I will probably need to consult
> with our attorney and several others to make sure that whatever I use (even
> if it's the FSF template) properly addresses my concerns and doesn't create
> any undesired loopholes.  In the meantime, informally I don't object if you
> continue to link with libcrypto to satisfy libsnmp's dependency on
> libcrypto, but if that's not sufficient then you can always temporarily
> disable hpoj's SNMP support until I can supply an appropriate formal license
> exception statement.  (I don't suppose there's a way to link with libsnmp
> but not libcrypto?)

Hmm... Debian is releasing imminently.  Normally I would think we
wouldn't need to act until things are all cleared up, but the status quo
is about to be immortalized.  I don't know if that changes things.

My gut reaction is to trust that you (David) are a reasonable person,
seeing as how you've been forthright so far, and will intentionally
refuse to take advantage of our situation.  Should you suddenly
metamorphize into an ogre, however, we do have the legal recourse of
quickly doing a point release of woody without linking to libsnmp; since
we brought up the problem, it's hard to imagine a court accusing Debian
of acting in bad faith, so it would seem difficult to fall under any
real liability.

> Jeff Licquia wrote:
> > We do consider Debian to be bound by this; specifically, 
> > OpenSSL is now
> > out of non-us/main and in main, so it most definitely 
> > "normally includes OpenSSL".
> But if Debian "most definitely 'normally includes OpenSSL'", then doesn't
> that make this issue irrelevant?  Or do OpenSSL's advertising and anti-GPL
> clauses override the normal-inclusion condition?

The problematic section of the GPL reads as follows (section 3):

"However, as a special exception, the source code distributed need not
include anything that is normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of
the operating system on which the executable runs, unless that component
itself accompanies the executable."

So, we're fine because OpenSSL is normally distributed with Debian,
except that hpoj is also normally distributed with Debian, which means
that "that component itself [OpenSSL] accompanies the executable
[hpoj]", which means that we're not fine.

It would seem that you are the victim of success. :-)

> Mark Horn wrote:
> > Correct me if I'm wrong, but the GPL says that no one can *release*
> > a copy of hpoj linked to OpenSSL.  They can certainly use hpoj linked
> > to OpenSSL.  Of course, that doesn't help you as the guy who is trying
> > to package up hpoj for debian.  But if I want to link hpoj to OpenSSL,
> > there's nothing in my reading of the GPL that prevents me.  I simply
> > can't release any such code to anyone else.
> You are correct.  The GPL doesn't restrict your own use of software; it
> merely sets the conditions for copying (distributing) software (with or
> without modifications), which by default isn't allowed under copyright law.
> The question of whether linking with OpenSSL requires special permission
> from me only comes into play if you distribute binaries rather than have the
> recipient compile the source code for him/herself and generate the
> questioned linkage.

This is the way Debian sees it as well.  We do distribute binaries, so
we have lots of restrictions placed on us that aren't there for users.

With less cooperative upstream authors, we actually distribute "binary"
packages which do nothing but install the source code and provide easy
hooks for the user to build and install the actual binaries.  See, for
example, "qmail-src" in Debian's non-free archive.

I don't believe we've ever needed to do this with GPLed code, however;
most licensing problems there seem to be easily resolvable.




Information forwarded to debian-bugs-dist@lists.debian.org, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #45 received at 147430@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: Jeff Licquia <licquia@debian.org>, David Paschal <david_paschal@hp.com>, libsnmp4.2@packages.debian.org
Cc: 'Simon Law' <sfllaw@engmail.uwaterloo.ca>, 'Mark Horn' <mark-dated-1022690074.afc032@hornclan.com>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: Bug#147430: hpoj: Linking against OpenSSL licensing modificat ion (GPL)
Date: Fri, 24 May 2002 18:06:13 +1000
On Fri, May 24, 2002 at 12:30:38AM -0500, Jeff Licquia wrote:
> On Thu, 2002-05-23 at 21:47, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> > Thanks to everyone for the information.  I will probably need to consult
> > with our attorney and several others to make sure that whatever I use (even
> > if it's the FSF template) properly addresses my concerns and doesn't create
> > any undesired loopholes.  In the meantime, informally I don't object if you
> > continue to link with libcrypto to satisfy libsnmp's dependency on
> > libcrypto, but if that's not sufficient then you can always temporarily
> > disable hpoj's SNMP support until I can supply an appropriate formal license
> > exception statement.  (I don't suppose there's a way to link with libsnmp
> > but not libcrypto?)
> 
> Hmm... Debian is releasing imminently.  Normally I would think we
> wouldn't need to act until things are all cleared up, but the status quo
> is about to be immortalized.  I don't know if that changes things.

Actually it doesn't change things.  Hpoj in woody isn't linked against
OpenSSL so it doesn't have this problem, when woody becomes the stable
release, Debian is fine as far as HPOJ licencing issues go.

I suppose I should of spelt this out for debian-legal.  What I'm actually
talking about is getting the licencing sorted out for the next release of
hpoj to go into unstable (sid), so from that side there is no rush for HP
to resolve the licence, just as long as it is being progressed within HP.

For David Engle. Is there a way to link with libsnmp but not libcrypto?

Mark



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to David Paschal <paschal@rcsis.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #50 received at 147430@bugs.debian.org (full text, mbox):

From: David Paschal <paschal@rcsis.com>
To: Jeff Licquia <licquia@debian.org>
Cc: "'Simon Law'" <sfllaw@engmail.uwaterloo.ca>, Mark Purcell <msp@debian.org>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org, paschal@rcsis.com, libsnmp4.2@packages.debian.org
Subject: Re: [hpoj-devel] RE: Bug#147430: hpoj: Linking against OpenSSL licensing modificat ion (GPL)
Date: Mon, 27 May 2002 03:25:51 -0700
Jeff Licquia wrote:
> My gut reaction is to trust that you (David) are a reasonable person,
> seeing as how you've been forthright so far, and will intentionally
> refuse to take advantage of our situation.  Should you suddenly
> metamorphize into an ogre, however, we do have the legal recourse of
> quickly doing a point release of woody without linking to libsnmp; since
> we brought up the problem, it's hard to imagine a court accusing Debian
> of acting in bad faith, so it would seem difficult to fall under any
> real liability.
I trust you will find me to be a very reasonable person.  Besides, I
would effectively be shooting myself in the foot if I were to force you
to remove the libsnmp linkage and disable full JetDirect support, since
my "real" job at HP is JetDirect firmware development.  :-)

> The problematic section of the GPL reads as follows (section 3):
> 
> "However, as a special exception, the source code distributed need not
> include anything that is normally distributed (in either source or
> binary form) with the major components (compiler, kernel, and so on) of
> the operating system on which the executable runs, unless that component
> itself accompanies the executable."
> 
> So, we're fine because OpenSSL is normally distributed with Debian,
> except that hpoj is also normally distributed with Debian, which means
> that "that component itself [OpenSSL] accompanies the executable
> [hpoj]", which means that we're not fine.
> 
> It would seem that you are the victim of success. :-)
Ah yes, the devil's in the details, in this case, the exception to the
exception!  :-)

Mark Purcell wrote:
> Actually it doesn't change things.  Hpoj in woody isn't linked against
> OpenSSL so it doesn't have this problem, when woody becomes the stable
> release, Debian is fine as far as HPOJ licencing issues go.
...
> For David Engle. Is there a way to link with libsnmp but not libcrypto?
Are you absolutely sure that going from hpoj-0.8 to the CVS version is
what caused libcrypto to start getting linked in, and not a change in
libsnmp that added the necessity to link with libcrypto?  Both versions
have the capability to link libptal with libcrypto if necessary, and
although I did make some changes in how that necessity is detected, I
just now double-checked configure.in from CVS and verified that it first
attempts to link with libsnmp without libcrypto before it tries to link
with libcrypto.

David




Information forwarded to debian-bugs-dist@lists.debian.org, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #55 received at 147430@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: David Paschal <paschal@rcsis.com>
Cc: "'Simon Law'" <sfllaw@engmail.uwaterloo.ca>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org, libsnmp4.2@packages.debian.org
Subject: Re: Bug#147430: hpoj: Linking against OpenSSL licensing modificat ion (GPL)
Date: Mon, 27 May 2002 22:58:08 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 27 May 2002 20:25, David Paschal wrote:
> Are you absolutely sure that going from hpoj-0.8 to the CVS version is
> what caused libcrypto to start getting linked in, and not a change in
> libsnmp that added the necessity to link with libcrypto?  Both versions
> have the capability to link libptal with libcrypto if necessary, and
> although I did make some changes in how that necessity is detected, I
> just now double-checked configure.in from CVS and verified that it first
> attempts to link with libsnmp without libcrypto before it tries to link
> with libcrypto.

It wasn't the switch in hpoj from 0.8 to CVS which caused libcrypto to start 
getting linked in rather it was a change in the Debian supplied libsnmp:

ucd-snmp (4.2.4-1) unstable; urgency=low

  * New upstream version.
  * Rebuilt with SSL since cryto can now go in main.
  * Explicitly use bash for the fixman script (closes:133652).
  * Don't use LD_RUN_PATH in perl/SNMP.so.
  * Fixed parsing of "-p udp:" in snmpd (closes:141176).

 -- David Engel <david@debian.org>  Tue, 23 Apr 2002 20:50:25 -0500

This change in the snmp package isn't included in the woody (testing) release, 
thus all (most) the packages in woody such as hpoj which depend on libsnmp 
don't link in libcrypto.

The new sid (unstable) release snmp package has been rebuilt with SSL as shown 
above thus packages which depend on libsnmp also end up with the libcrypto 
dependancy.

Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE88i15oCzanz0IthIRAlVEAJ4o9SAr54JgoRusxaEKsBewaiH46gCeK9Km
QPW7EedJHDSPmIX4pUg6TnU=
=CgBR
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #60 received at 147430@bugs.debian.org (full text, mbox):

From: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
To: 'Mark Purcell' <msp@debian.org>, Jeff Licquia <licquia@debian.org>
Cc: 'Simon Law' <sfllaw@engmail.uwaterloo.ca>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: RE: Bug#147430: hpoj: Linking against OpenSSL licensing modificat ion (GPL)
Date: Thu, 20 Jun 2002 22:07:40 -0400
Mark Purcell wrote:
> What I'm actually
> talking about is getting the licencing sorted out for the 
> next release of
> hpoj to go into unstable (sid), so from that side there is no 
> rush for HP
> to resolve the licence, just as long as it is being 
> progressed within HP.

Hi, Mark and everyone else.  At a status update, I met with our attorney
this afternoon and explained everything.  He understands the issue and said
he would get back to me within the next couple of weeks with a recommended
license-exception statement.  It may take a similar form to the FSF's
recommendation but spell out the exact license used by OpenSSL (stored in a
separate file in the hpoj package) for purposes of identifying OpenSSL.  It
may turn out to be broader than I would have preferred, but anything
narrower may end up being extremely hard to define adequately.  I'll let you
know when I find out more.

Since for various reasons I'm trying hard to release hpoj-0.90 by the end of
July, what are the long-term implications if for whatever reason this issue
isn't resolved by then and I have to release 0.90 without the special
exception for OpenSSL?  Will it be sufficient for me to subsequently update
the license statements in CVS and generate a corresponding patch which you
can apply to your 0.90 package in unstable (preferable), or would I have to
release a whole new tarball with a different version number (not
preferable)?  I don't think this will happen, but I'd like to have a
reasonable contingency plan in place anyway.

Thanks for your continued patience.

David



Information forwarded to debian-bugs-dist@lists.debian.org, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #65 received at 147430@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Mon, 24 Jun 2002 23:24:55 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 21 Jun 2002 12:07, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> Since for various reasons I'm trying hard to release hpoj-0.90 by the end
> of July, what are the long-term implications if for whatever reason this
> issue isn't resolved by then and I have to release 0.90 without the special
> exception for OpenSSL?  

We are quite flexable in how we handle the licensing issues for HPOJ. The 
important thing is to get your/HP's intent documented.

> Will it be sufficient for me to subsequently update
> the license statements in CVS and generate a corresponding patch which you
> can apply to your 0.90 package in unstable (preferable), or would I have to
> release a whole new tarball with a different version number (not
> preferable)?  

I doubt a new tarball would be required.  In fact an email from you to either 
hpoj-devel and/or 147430@bugs.debian.org is probably sufficient as if you 
make your intent clear in public forum, then your intent is clear and Debian 
will act accordingly.

> Thanks for your continued patience.

No problem David.  There isn't a critical timeline on this, especially since 
HP are progressing this. The bugs.debian.org archive shows clearly that there 
is progress so we are quite happy.

Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9Fx3CoCzanz0IthIRAlESAJ9eqzMNaZLFy6IWwFEajzHH4i43CgCfdPRK
ZVnWBKDlMGzP1CbwWWLYAJE=
=YERY
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Mark Horn <mark-dated-1025533611.acac04@hornclan.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #70 received at 147430@bugs.debian.org (full text, mbox):

From: Mark Horn <mark-dated-1025533611.acac04@hornclan.com>
To: Mark Purcell <msp@debian.org>
Cc: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: [hpoj-devel] Re: Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Mon, 24 Jun 2002 10:26:50 -0400
On Mon, Jun 24, 2002 at 11:24:55PM +1000, Mark Purcell wrote:
>I doubt a new tarball would be required.  In fact an email from you to either 
>hpoj-devel and/or 147430@bugs.debian.org is probably sufficient as if you 
>make your intent clear in public forum, then your intent is clear and Debian 
>will act accordingly.

As a debian & hpoj user, I'd also like to see something in the LICENSE
file that comes with the source code, so that it's clear that whatever
the wording is that enables debian to link hpoj with OpenSSL and then
redistribute hpoj, that this exception is not exclusively provided for
debian, but for anyone who downloads hpoj.

It is my understanding that this is part of the Debian Free Software
Guidelines (DFSG).  So if the exception is given exclusively to debian,
it won't meet debian's requirements.  But IANAL and I don't play one on
TV, so someone please step in who knows better.

Cheers,
- Mark



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #75 received at 147430@bugs.debian.org (full text, mbox):

From: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
To: 'Mark Horn' <mark-dated-1025533611.acac04@hornclan.com>, Mark Purcell <msp@debian.org>
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: RE: [hpoj-devel] Re: Bug#147430: hpoj: Linking against OpenSSL li censing modification (GPL)
Date: Mon, 24 Jun 2002 12:41:41 -0700
Mark Horn wrote:
> As a debian & hpoj user, I'd also like to see something in the LICENSE
> file that comes with the source code, so that it's clear that whatever
> the wording is that enables debian to link hpoj with OpenSSL and then
> redistribute hpoj, that this exception is not exclusively provided for
> debian, but for anyone who downloads hpoj.
Once the wording is finalized my intention is to apply the exception
statement to each *.[ch] file which can potentially be linked with OpenSSL,
and not to those files which are not normally linked with OpenSSL (namely
the source files to ptal-mlcd, which doesn't use SNMP).  For clarity I will
also add it to the LICENSE file and to the license statement at
http://hpoj.sourceforge.net/download.shtml, but state that it applies to
some but not all files in the package.  Since HP doesn't own the copyright
on xojpanel I'll need to get approval from its copyright holders (Joe
Piolunek and Andreas Fester) before applying the statement to its source
files.

David



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #80 received at 147430@bugs.debian.org (full text, mbox):

From: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
To: 'Mark Purcell' <msp@debian.org>, 'Joe Piolunek' <joe.piolunek@snet.net>, "'fes@ep-ag.com'" <fes@ep-ag.com>, "'Andreas.Fester@gmx.de'" <Andreas.Fester@gmx.de>
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: RE: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licens ing modificat ion (GPL)
Date: Mon, 22 Jul 2002 20:05:10 -0700
Hi.  After some back-and-forth discussion with our attorney, I would like to
propose the following OpenSSL exception statement to be applied to the
HP-copyrighted portion of the hpoj code which needs this (libptal and the
libraries and applications that link to it, but not ptal-mlcd):

  In addition, as a special exception, Hewlett-Packard Company
  gives permission to link the code of this program with any
  version of the OpenSSL library which is distributed under a
  license identical to that listed in the included COPYING.OpenSSL
  file, and distribute linked combinations including the two.
  You must obey the GNU General Public License in all respects
  for all of the code used other than OpenSSL.  If you modify
  this file, you may extend this exception to your version of the
  file, but you are not obligated to do so.  If you do not wish to
  do so, delete this exception statement from your version.

I would then include the entire OpenSSL license in the file
"COPYING.OpenSSL" in the hpoj package.  Mark, please forward the LICENSE
file distributed with the OpenSSL version that Debian provides, so I can
make sure it's truly "identical" to what I think it is.  Hopefully they
don't change the wording of their license on a regular basis.  :-)

I would apply a slightly different statement to the LICENSE file, which
indicates that the exception only applies to certain source files in the
package, and at the end stating, "If you delete the exception statement from
all source files in the package, then also delete it here."

xojpanel is the only non-HP component in the hpoj package which needs an
OpenSSL exception statement.  For xojpanel, I would like to propose use of
the "standard" FSF exception template from
"http://www.gnu.org/licenses/gpl-faq.html#WritingFSWithNFLibs", unless
Andreas and Joe would really prefer the above version:

  In addition, as a special exception, Andreas Fester and Joe
  Piolunek give permission to link the code of this program with the
  OpenSSL library (or with modified versions of OpenSSL that use the
  same license as OpenSSL), and distribute linked combinations including
  the two.  You must obey the GNU General Public License in all
  respects for all of the code used other than OpenSSL.  If you modify
  this file, you may extend this exception to your version of the
  file, but you are not obligated to do so.  If you do not wish to
  do so, delete this exception statement from your version.

I'm proposing this alternative for xojpanel because it's more "standard"
(FSF-recommended), and to avoid my having to go back and get everybody's
permission again if I need to update the LICENSE.OpenSSL to reflect license
changes in the upstream OpenSSL.  For all practical purposes, the least
permissive notions from both versions would have to be satisfied for
xojpanel, since it links to libptal, and that might provide a small form of
"insurance policy" in case one of the two forms ends up with an undesirably
permissive loophole.

Is this solution OK for everybody?  Andreas and Joe, I'll need approval from
both of you in to go ahead with adding this to the xojpanel source code.
Also Andreas, what exact copyright statement do you want made on your behalf
there?  Currently as exemplified by
"http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/hpoj/hpoj/apps/xojpanel/xojp
anel.cpp?rev=1.6&content-type=text/vnd.viewcvs-markup" it says "Copyright
(C) circa 1998 Andreas Fester".  If nothing else I would suggest removing
the word "circa", and looking back at the timestamps in the old tarballs it
appears that xojpanel made its debut in version 0.2 with source files dated
November 18, 1999, so your copyright year may need to be changed to 1999.

In case I don't hear from Andreas (who seems to have been very quiet lately)
or Joe within the next few days, then I will release hpoj-0.90 with the
exception statement applied only to the HP-copyrighted code as described
above.  Later after I've gotten approval from both of them I will post a
patch on the hpoj website that amends the license statement accordingly.

David



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Branden Robinson <branden@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #85 received at 147430@bugs.debian.org (full text, mbox):

From: Branden Robinson <branden@debian.org>
To: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
Cc: 'Mark Purcell' <msp@debian.org>, 'Joe Piolunek' <joe.piolunek@snet.net>, "'fes@ep-ag.com'" <fes@ep-ag.com>, "'Andreas.Fester@gmx.de'" <Andreas.Fester@gmx.de>, 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licens ing modificat ion (GPL)
Date: Tue, 23 Jul 2002 00:18:50 -0500
[Message part 1 (text/plain, inline)]
[sorry for the broad CC]

On Mon, Jul 22, 2002 at 08:05:10PM -0700, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> Is this solution OK for everybody?

I see nothing objectionable from a DFSG perspective in the language you
have proposed.

Thanks for working on this issue!

-- 
G. Branden Robinson                |    I just wanted to see what it looked
Debian GNU/Linux                   |    like in a spotlight.
branden@debian.org                 |    -- Jim Morrison
http://people.debian.org/~branden/ |
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #90 received at 147430@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: "PASCHAL,DAVID (HP-Roseville,ex1)" <david_paschal@hp.com>
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licens ing modificat ion (GPL)
Date: Tue, 23 Jul 2002 18:37:05 +1000
On Mon, Jul 22, 2002 at 08:05:10PM -0700, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> please forward the LICENSE
> file distributed with the OpenSSL version that Debian provides, so I can
> make sure it's truly "identical" to what I think it is.  Hopefully they
> don't change the wording of their license on a regular basis.  :-)

David,

The debian-legal team have replied seperatly so I think we are happy from
a Debian GNU/Linux perspective.

Mark

From /usr/share/doc/libssl-dev/copyright

This package was debianized by Christoph Martin martin@uni-mainz.de on
Fri, 22 Nov 1996 21:29:51 +0100.


  LICENSE ISSUES
  ==============

  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
  the OpenSSL License and the original SSLeay license apply to the toolkit.
  See below for the actual license texts. Actually both licenses are BSD-style
  Open Source licenses. In case of any license issues related to OpenSSL
  please contact openssl-core@openssl.org.

  OpenSSL License
  ---------------

/* ====================================================================
 * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

 Original SSLeay License
 -----------------------

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to David Paschal <paschal@rcsis.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #95 received at 147430@bugs.debian.org (full text, mbox):

From: David Paschal <paschal@rcsis.com>
To: Andreas Fester <Andreas.Fester@eigner.com>
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, paschal@rcsis.com, debian-legal@lists.debian.org, Mark Purcell <msp@debian.org>
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Wed, 24 Jul 2002 04:25:14 -0700
Hi, Andreas.  Thanks for your quick response, and I apologize again for
phoning you at work.  :-)  Thanks for your comments about the progress
of the project, and I'm sure you'll find the next version (0.90) to be
even better, especially in the area of scanning support.  Thanks also
to Roger, Gerhard, and you for starting the project in the first place,
which proved valuable to show to my management as justification for
getting involved in this effort.

Thanks for giving permission for the license change.  If it's OK with
you, my preference would be to remove your name altogether from the
copyright notice, since Joe has replaced nearly all of your code anyway.
This is certainly not meant for de-motivation purposes, but rather so
I won't have to try to track you down again if we ever need to make
another license change.

I'm CCing again the addresses for the Debian bug-tracker (where this
issue originated) and the debian-legal mailing lists.  For now please
"reply to all" for any replies to this matter until it's closed.

Thanks,
David


Andreas Fester wrote:
> Hi,
> 
> First of all I would like to express my contentment on
> how the project Roger, Gerhard and I started four years ago
> has evolved during the last years. David and all the other contributors
> have done a great job, and although I am not currently active in the
> project I am still listening to the mailing lists. I also installed
> the hpoj package some time ago on my SuSE 7.3 distribution, and was
> amazed how easy it was to integrate it into the system.
> 
> Regarding the license issue below, I do not see any problem to proceed
> as David suggested and Joe agreed with.
> I also saw the "circa" copyright statement when I installed the package,
> but as Joe says there is not really much code remaining which originates
> from me. You could just remove the circa statement as proposed, or also
> remove the complete line. (If the line itself remains in the file, I
> probably might be more motivated to re-engage myself again in the 
> project ;-) )
> 
> Thanks,
> 
> 	Andreas
> 
> Joe Piolunek wrote:
> 
> > On Monday 22 July 2002 11:05 pm, PASCHAL,DAVID (HP-Roseville,ex1) wrote:
> > <...>
> > 
> >>xojpanel is the only non-HP component in the hpoj package which needs an
> >>OpenSSL exception statement.  For xojpanel, I would like to propose use of
> >>the "standard" FSF exception template from
> >>"http://www.gnu.org/licenses/gpl-faq.html#WritingFSWithNFLibs", unless
> >>Andreas and Joe would really prefer the above version:
> >>
> >>  In addition, as a special exception, Andreas Fester and Joe
> >>  Piolunek give permission to link the code of this program with the
> >>  OpenSSL library (or with modified versions of OpenSSL that use the
> >>  same license as OpenSSL), and distribute linked combinations including
> >>  the two.  You must obey the GNU General Public License in all
> >>  respects for all of the code used other than OpenSSL.  If you modify
> >>  this file, you may extend this exception to your version of the
> >>  file, but you are not obligated to do so.  If you do not wish to
> >>  do so, delete this exception statement from your version.
> >>
> >>I'm proposing this alternative for xojpanel because it's more "standard"
> >>(FSF-recommended), and to avoid my having to go back and get everybody's
> >>permission again if I need to update the LICENSE.OpenSSL to reflect license
> >>changes in the upstream OpenSSL.  For all practical purposes, the least
> >>permissive notions from both versions would have to be satisfied for
> >>xojpanel, since it links to libptal, and that might provide a small form of
> >>"insurance policy" in case one of the two forms ends up with an undesirably
> >>permissive loophole.
> >>
> >>Is this solution OK for everybody?  Andreas and Joe, I'll need approval from
> >>both of you in to go ahead with adding this to the xojpanel source code.
> >>
> > 
> > David:
> > 
> > I agree with the use of the FSF template, and specifically, your proposed 
> > wording as quoted above. You have my permission to add it. 
> > 
> > 
> >>Also Andreas, what exact copyright statement do you want made on your behalf
> >>there?  Currently as exemplified by
> >>"http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/hpoj/hpoj/apps/xojpanel/xojp
> >>anel.cpp?rev=1.6&content-type=text/vnd.viewcvs-markup" it says "Copyright
> >>(C) circa 1998 Andreas Fester".  If nothing else I would suggest removing
> >>the word "circa", and looking back at the timestamps in the old tarballs it
> >>appears that xojpanel made its debut in version 0.2 with source files dated
> >>November 18, 1999, so your copyright year may need to be changed to 1999.
> >>
> > 
> > I added the "circa 1998" copyright notice that refers to Andreas' 
> > contribution (if indeed it was his. I've been assuming Andreas did the 
> > original work, but found no specific copyright date/name included in the 
> > xojpanel files, so authorship may not be totally clear).  One reason for the 
> > addition was to avoid any appearance that I might be taking credit for 
> > originating the application.
> > 
> > Today, almost none of xojpanel's original code remains, but I do hope that 
> > Andreas (or the original author, if not Andreas) will agree to your plan, if 
> > only to avoid unnecessary problems. 
> 
> -- 
> Andreas Fester                         EIGNER
> Senior Software Engineer               Precision Lifecycle Management
> Phone : +(49) 721-6291-0               Ruschgraben 133
> Fax   : +(49) 721-6291-88              D-76139 Karlsruhe
> EMail : Andreas.Fester@eigner.com      http://www.eigner.com




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to David Paschal <paschal@rcsis.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #100 received at 147430@bugs.debian.org (full text, mbox):

From: David Paschal <paschal@rcsis.com>
To: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org
Cc: Mark Purcell <msp@debian.org>, David Paschal <paschal@rcsis.com>
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Thu, 25 Jul 2002 03:06:47 -0700
I have checked into CVS the license changes which explicitly allow
linking with OpenSSL.  If anybody would like to inspect these changes,
here are some sample files:

http://hpoj.sourceforge.net/hpoj-cvs/LICENSE
http://hpoj.sourceforge.net/hpoj-cvs/LICENSE.OpenSSL
http://hpoj.sourceforge.net/hpoj-cvs/apps/cmdline/ptal-connect.c
http://hpoj.sourceforge.net/hpoj-cvs/apps/xojpanel/xojpanel.cpp
http://hpoj.sourceforge.net/hpoj-cvs/apps/xojpanel/xojpanel.h

One potential problem I found was that lib/sane/saneopts.h, which I
copied from sane-backends for purposes of compiling the hpoj SANE
backend, has a pure GPL license.  It consists largely of string
#defines, and I don't know if it violates the GPL to link OpenSSL
with code which includes it.  Most of sane-backends contains a very
permissive exception permitting all sorts of otherwise-GPL-forbidden
linking, so I don't think the SANE folks would have a problem with
this, but I'm surprised they didn't apply it to this file as well.
If this matters to anybody, then please work with its copyright
holders to have the exception added to this file, and then I'll
pull down a new copy for a future hpoj version.

Let me know ASAP if there are any problems I need to fix before
releasing hpoj-0.90.  If nothing comes up then I plan to start the
release process approximately 12-24 hours from now.

Thanks for everybody's patience and cooperation in this matter.

David




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to Simon Law <sfllaw@engmail.uwaterloo.ca>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #105 received at 147430@bugs.debian.org (full text, mbox):

From: Simon Law <sfllaw@engmail.uwaterloo.ca>
To: David Paschal <paschal@rcsis.com>
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org, Mark Purcell <msp@debian.org>
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Thu, 25 Jul 2002 08:14:37 -0400
On Thu, Jul 25, 2002 at 03:06:47AM -0700, David Paschal wrote:
> Let me know ASAP if there are any problems I need to fix before
> releasing hpoj-0.90.  If nothing comes up then I plan to start the
> release process approximately 12-24 hours from now.
> 
> Thanks for everybody's patience and cooperation in this matter.

	I've e-mailed RMS and this is what he had to say in 
http://lists.debian.org/debian-legal/2002/debian-legal-200207/msg00603.html

I see one possible flaw: if someone includes a different COPYING.OpenSSL
file, this notice would give permission for linking with something
under that replaced file.  I think that's a bug.  It needs to state
the OpenSSL license in some more reliable way.



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to David Paschal <paschal@rcsis.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #110 received at 147430@bugs.debian.org (full text, mbox):

From: David Paschal <paschal@rcsis.com>
To: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org, Mark Purcell <msp@debian.org>, Richard Stallman <rms@gnu.org>
Cc: David Paschal <paschal@rcsis.com>
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Thu, 25 Jul 2002 10:04:43 -0700
Richard Stallman wrote:
> I see one possible flaw: if someone includes a different COPYING.OpenSSL
> file, this notice would give permission for linking with something
> under that replaced file.  I think that's a bug.  It needs to state
> the OpenSSL license in some more reliable way.

Hi, Richard.  Thanks for the feedback.  Hopefully we can get this
resolved soon so I won't have to delay the new software release.

I grappled with this problem too, but in the end concluded that at least
it wasn't any more permissive than the statement recommended in the GPL
FAQ.  IMO it boils down to the question of how in general to prevent
somebody from modifying the license statement and hijacking one's code.
Here are some possible solutions that come to mind right away:

1. Add a statement to the top of the file LICENSE.OpenSSL saying that
since it was effectively an extension to the license statements in the
individual source files in the hpoj package, only the copyright holder(s)
of those source files (namely HP) may update the LICENSE.OpenSSL file.

2. Do away with LICENSE.OpenSSL altogether and change each exception
statement (at least in the HP-copyrighted files) to limit OpenSSL to
"those versions having a free but GPL-incompatible license as deemed
by the Free Software Foundation."

I would greatly prefer #1 if possible, because it means I only have to
change one file.  :-)  Also, #2 might be problematic with the lawyer,
who is already uncomfortable with the notion of automatically licensing
under all future versions of the GPL without being able to review them
first.  (For the record, I am in favor of the "GPL version 2 or (at
your option) any later version" provision.)

David




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to David Paschal <paschal@rcsis.com>:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #115 received at 147430@bugs.debian.org (full text, mbox):

From: David Paschal <paschal@rcsis.com>
To: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org, Mark Purcell <msp@debian.org>, Richard Stallman <rms@gnu.org>
Cc: David Paschal <paschal@rcsis.com>
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Thu, 25 Jul 2002 11:12:48 -0700
I wrote:
> 1. Add a statement to the top of the file LICENSE.OpenSSL saying that
> since it was effectively an extension to the license statements in the
> individual source files in the hpoj package, only the copyright holder(s)
> of those source files (namely HP) may update the LICENSE.OpenSSL file.

Let me clarify that a bit.  I think this can be made to work by modifying
the top of http://hpoj.sourceforge.net/hpoj-cvs/LICENSE.OpenSSL
to say the following (without the leading angle brackets):

> Certain source files in this program permit linking with the OpenSSL
> library (http://www.openssl.org), which otherwise wouldn't be allowed
> under the GPL.  For purposes of identifying OpenSSL, most source files
> giving this permission limit it to versions of OpenSSL having a license
> identical to that listed in this file (LICENSE.OpenSSL).  It is not
> necessary for the copyright years to match between this file and the
> OpenSSL version in question.  However, note that since this file is an
> extension of the license statements of these source files, this file
> may not be modified except with permission from all copyright holders
> of source files in this program which reference this file.

Does that sound OK?

Simon Law wrote:
>         On debian-legal, we ask if it is possible to use a GPL
> compatible library, such as GNU TLS, but in both cases the authors
> prefered to use OpenSSL as it fit their needs better.  
Actually, the only reason OpenSSL needs to be linked with portions of
the hpoj code is to satisfy a dependency on libcrypto by some versions
of libsnmp.  hpoj directly calls into libsnmp, but not directly into
libcrypto.  It would be fine with me if libsnmp could be modified to
use something other than libcrypto, preferably without hpoj's needing
to know anything about it.

David




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to rms@gnu.org:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #120 received at 147430@bugs.debian.org (full text, mbox):

From: Richard Stallman <rms@gnu.org>
To: paschal@rcsis.com
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org, msp@debian.org, paschal@rcsis.com
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Fri, 26 Jul 2002 09:36:32 -0600 (MDT)
    1. Add a statement to the top of the file LICENSE.OpenSSL saying that
    since it was effectively an extension to the license statements in the
    individual source files in the hpoj package, only the copyright holder(s)
    of those source files (namely HP) may update the LICENSE.OpenSSL file.

I don't know if that is reliable--please ask a lawyer.

    2. Do away with LICENSE.OpenSSL altogether and change each exception
    statement (at least in the HP-copyrighted files) to limit OpenSSL to
    "those versions having a free but GPL-incompatible license as deemed
    by the Free Software Foundation."

That could work, but it would be much better to state a criterin that
a a person can check on his own without having to refer to statements
from the FSF.




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org:
Bug#147430; Package hpoj. Full text and rfc822 format available.

Acknowledgement sent to rms@gnu.org:
Extra info received and forwarded to list. Copy sent to Mark Purcell <msp@debian.org>, hpoj@packages.qa.debian.org. Full text and rfc822 format available.

Message #125 received at 147430@bugs.debian.org (full text, mbox):

From: Richard Stallman <rms@gnu.org>
To: paschal@rcsis.com
Cc: 147430@bugs.debian.org, hpoj-devel@lists.sourceforge.net, debian-legal@lists.debian.org, msp@debian.org, paschal@rcsis.com
Subject: Re: [hpoj-devel] Bug#147430: hpoj: Linking against OpenSSL licensing modification (GPL)
Date: Fri, 26 Jul 2002 09:36:39 -0600 (MDT)
    > Certain source files in this program permit linking with the OpenSSL
    > library (http://www.openssl.org), which otherwise wouldn't be allowed
    > under the GPL.  For purposes of identifying OpenSSL, most source files
    > giving this permission limit it to versions of OpenSSL having a license
    > identical to that listed in this file (LICENSE.OpenSSL).  It is not
    > necessary for the copyright years to match between this file and the
    > OpenSSL version in question.  However, note that since this file is an
    > extension of the license statements of these source files, this file
    > may not be modified except with permission from all copyright holders
    > of source files in this program which reference this file.

    Does that sound OK?

I don't feel competent to have an answer--you need a lawyer for this
sort of question.  I can point out possible loopholes but only a
lawyer can judge whether you have really closed one.





Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Mark Purcell" <msp@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #130 received at 147430-close@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: 147430-close@bugs.debian.org
Subject: Bug#147430: fixed in hpoj 0.8-cvs20020727-1
Date: Fri, 26 Jul 2002 23:47:16 -0400
We believe that the bug you reported is fixed in the latest version of
hpoj, which is due to be installed in the Debian FTP archive:

hpoj_0.8-cvs20020727-1.diff.gz
  to pool/main/h/hpoj/hpoj_0.8-cvs20020727-1.diff.gz
hpoj_0.8-cvs20020727-1.dsc
  to pool/main/h/hpoj/hpoj_0.8-cvs20020727-1.dsc
hpoj_0.8-cvs20020727-1_i386.deb
  to pool/main/h/hpoj/hpoj_0.8-cvs20020727-1_i386.deb
hpoj_0.8-cvs20020727.orig.tar.gz
  to pool/main/h/hpoj/hpoj_0.8-cvs20020727.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 147430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated hpoj package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 27 Jul 2002 12:56:10 +1000
Source: hpoj
Binary: hpoj
Architecture: source i386
Version: 0.8-cvs20020727-1
Distribution: unstable
Urgency: low
Maintainer: Mark Purcell <msp@debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 hpoj       - HP OfficeJet Linux driver (hpoj)
Closes: 147430
Changes: 
 hpoj (0.8-cvs20020727-1) unstable; urgency=low
 .
   * New upstream release
   * Upstream now permits linking with OpenSSL (Closes: Bug#147430)
Files: 
 dbf7a8905d77ced8d3e84c3558ce92e3 659 utils optional hpoj_0.8-cvs20020727-1.dsc
 4e13130a197a2754237599614acc46d8 1064513 utils optional hpoj_0.8-cvs20020727.orig.tar.gz
 e4af17690d8c4133afa08ff47f4c5a47 33297 utils optional hpoj_0.8-cvs20020727-1.diff.gz
 82718affa2f64ee0b51d3ad1c19c0454 382412 utils optional hpoj_0.8-cvs20020727-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9QhLIoCzanz0IthIRAl+YAJ91P3DVSgnoCLoFRM0aFJm4l1R8WACgh9BZ
W+Snn7gs40cgnKwB0ybhvlI=
=H7pf
-----END PGP SIGNATURE-----




Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:40:40 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.