Debian Bug report logs - #189164
libdbd-mysql-perl uses GPL lib, may be used by GPL-incompatible apps

version graph

Package: libdbd-mysql-perl; Maintainer for libdbd-mysql-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libdbd-mysql-perl is src:libdbd-mysql-perl.

Reported by: Steve Langasek <vorlon@debian.org>

Date: Tue, 15 Apr 2003 19:33:15 UTC

Severity: important

Tags: sid

Found in version 2.1026-2

Fixed in version libdbd-mysql-perl/2.1026-3

Done: Raphael Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Raphael Hertzog <hertzog@debian.org>, libdbd-mysql-perl@packages.qa.debian.org:
Bug#189164; Package libdbd-mysql-perl. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
New Bug report received and forwarded. Copy sent to Raphael Hertzog <hertzog@debian.org>, libdbd-mysql-perl@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libdbd-mysql-perl uses GPL lib, may be used by GPL-incompatible apps
Date: Tue, 15 Apr 2003 14:29:52 -0500
Package: libdbd-mysql-perl
Version: 2.1026-2
Severity: important
Tags: sid

The latest version of libdbd-mysql-perl build-depends on
libmysqclient-dev.  I'm afraid that, although this fixed the FTBFS bug,
it potentially renders some software in our archive non-distributable.
Because the new libmysqlclient12 package is licensed under the GPL, any
GPL-incompatible apps which depend on libdbd-mysql-perl would be in
violation of the libmysqlclient12 license.

I have not had a chance to look through the list of packages that depend
on libdbd-mysql-perl to see if any of these are actually
GPL-incompatible; however, libmysqlclient10 has been reintroduced to the
archive for just this sort of situation.  Please consider changing your
build-dep back to libmysqclient10-dev and dropping the libssl-dev
build-dep.

If you are going to continue linking against libmysqlclient12, you
should verify that none of the following packages currently using
libdbd-mysql-perl will violate the terms of the GPL.

Package: bonsai
Package: tcpquota
Package: sympa
Package: request-tracker1
Package: dbengine
Package: mytop
Package: pronto
Package: mtop
Package: catalog
Package: gnudip
Package: openwebmail
Package: sporum
Package: bugzilla
Package: blootbot
Package: libdbix-searchbuilder-perl
Package: mysql-client
Package: request-tracker




Information forwarded to debian-bugs-dist@lists.debian.org, libdbd-mysql-perl@packages.qa.debian.org:
Bug#189164; Package libdbd-mysql-perl. Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to libdbd-mysql-perl@packages.qa.debian.org. Full text and rfc822 format available.

Message #10 received at 189164@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Steve Langasek <vorlon@debian.org>, 189164@bugs.debian.org
Cc: debian-legal@lists.debian.org
Subject: Re: Bug#189164: libdbd-mysql-perl uses GPL lib, may be used by GPL-incompatible apps
Date: Tue, 15 Apr 2003 22:08:59 +0200
Le Tue, Apr 15, 2003 at 02:29:52PM -0500, Steve Langasek écrivait:
> The latest version of libdbd-mysql-perl build-depends on
> libmysqclient-dev.  I'm afraid that, although this fixed the FTBFS bug,
> it potentially renders some software in our archive non-distributable.
> Because the new libmysqlclient12 package is licensed under the GPL, any
> GPL-incompatible apps which depend on libdbd-mysql-perl would be in
> violation of the libmysqlclient12 license.

I disagree completely with this bug.

The perl module "links" to libmysqlclient12, but the perl module is
available under the GPL so it's ok.

Any other program/script "uses" DBD::mysql but doesn't link to
libmysqlclient12 ... so there's no problem on that side either.

> I have not had a chance to look through the list of packages that depend
> on libdbd-mysql-perl to see if any of these are actually
> GPL-incompatible; however, libmysqlclient10 has been reintroduced to the
> archive for just this sort of situation.  Please consider changing your
> build-dep back to libmysqclient10-dev and dropping the libssl-dev
> build-dep.

Not until you can convince me that my interpretation of the license is
clearly wrong. 

I'm ccing debian-legal to have further input.

Cheers,
-- 
Raphaël Hertzog -+- http://www.ouaza.com
Formation Linux et logiciel libre : http://www.logidee.com



Information forwarded to debian-bugs-dist@lists.debian.org, Raphael Hertzog <hertzog@debian.org>, libdbd-mysql-perl@packages.qa.debian.org:
Bug#189164; Package libdbd-mysql-perl. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@netexpress.net>:
Extra info received and forwarded to list. Copy sent to Raphael Hertzog <hertzog@debian.org>, libdbd-mysql-perl@packages.qa.debian.org. Full text and rfc822 format available.

Message #15 received at 189164@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@netexpress.net>
To: Raphael Hertzog <hertzog@debian.org>, 189164@bugs.debian.org, debian-legal@lists.debian.org
Subject: Re: Bug#189164: libdbd-mysql-perl uses GPL lib, may be used by GPL-incompatible apps
Date: Wed, 16 Apr 2003 15:15:19 -0500
[Message part 1 (text/plain, inline)]
Hi Raphael,

On Tue, Apr 15, 2003 at 10:08:59PM +0200, Raphael Hertzog wrote:
> Le Tue, Apr 15, 2003 at 02:29:52PM -0500, Steve Langasek écrivait:
> > The latest version of libdbd-mysql-perl build-depends on
> > libmysqclient-dev.  I'm afraid that, although this fixed the FTBFS bug,
> > it potentially renders some software in our archive non-distributable.
> > Because the new libmysqlclient12 package is licensed under the GPL, any
> > GPL-incompatible apps which depend on libdbd-mysql-perl would be in
> > violation of the libmysqlclient12 license.

> I disagree completely with this bug.

> The perl module "links" to libmysqlclient12, but the perl module is
> available under the GPL so it's ok.

I agree that the perl module itself is not violating the license of 
libmysqlclient12.

> Any other program/script "uses" DBD::mysql but doesn't link to
> libmysqlclient12 ... so there's no problem on that side either.

Here, I have to disagree.  You draw a distinction based on "linking",
but this word only appears only once in /usr/share/common-licenses/GPL:
as a footnote referring to the fact that the LGPL *does* allow linking
to proprietary apps.

Please note that if you are right, this would be a gaping loophole in
the GPL: it would allow people to circumvent the GPL, just by wrapping
any code they want as a module for an interpreted language.  Fortunately
for the goals of the FSF, this is not the case.  If you (in this case:
Debian) are distributing GPL software, under copyright law the GPL can
(and does) place restrictions on your distribution of other software
together with the GPL software; and under the DFSG, this is acceptable
because the GPL only restricts redistribution of other software that's
*related* to the GPL code programmatically (it doesn't taint independent
software distributed alongside it).

This establishes that a license can place restrictions on scripts built
around the software and still be considered free, but of course we must
also show that the GPL actually has such a restriction.  I believe the
key is in GPL section 2:

    2. You may modify your copy or copies of the Program or any portion
  of it, thus forming a work based on the Program, and copy and
  distribute such modifications or work under the terms of Section 1
  above, provided that you also meet all of these conditions:

  [...]

      b) You must cause any work that you distribute or publish, that in
      whole or in part contains or is derived from the Program or any
      part thereof, to be licensed as a whole at no charge to all third
      parties under the terms of this License.

We are "linking" scripts that depend on libdbd-mysql-perl in a manner
that's conceptually equivalent to a dynamically-linked binary:  we have
a programmatic link, in the form of a Depends: line in our package
system, that guarantees that when the user runs the script as we
distribute it, GPL code is loaded into memory.  This means that any
scripts *we* distribute that Depend: on libdbd-mysql-perl must comply
with the terms of the GPL.  This is also not inconsistent with other
views of the GPL; anyone else, who is not distributing the MySQL
libraries, can distribute such scripts freely under terms of their
choice:

  These requirements apply to the modified work as a whole.  If
  identifiable sections of that work are not derived from the Program,
  and can be reasonably considered independent and separate works in
  themselves, then this License, and its terms, do not apply to those
  sections when you distribute them as separate works.  But when you
  distribute the same sections as part of a whole which is a work based
  on the Program, the distribution of the whole must be on the terms of
  this License, whose permissions for other licensees extend to the
  entire whole, and thus to each and every part regardless of who wrote 
  it.

> > I have not had a chance to look through the list of packages that depend
> > on libdbd-mysql-perl to see if any of these are actually
> > GPL-incompatible; however, libmysqlclient10 has been reintroduced to the
> > archive for just this sort of situation.  Please consider changing your
> > build-dep back to libmysqclient10-dev and dropping the libssl-dev
> > build-dep.

> Not until you can convince me that my interpretation of the license is
> clearly wrong. 

Please let me know if you find problems with any of my reasoning above.
Since the GPL makes no reference to technical details of linking
mechanisms, however, I'm confident that any interpretation that permits
distributing GPL-incompatible perl scripts together with a GPL perl
module would also permit distributing GPL-incompatible compiled binaries
together with GPL libraries.

-- 
Steve Langasek
postmodern programmer
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, libdbd-mysql-perl@packages.qa.debian.org:
Bug#189164; Package libdbd-mysql-perl. Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to libdbd-mysql-perl@packages.qa.debian.org. Full text and rfc822 format available.

Message #20 received at 189164@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Steve Langasek <vorlon@netexpress.net>
Cc: 189164@bugs.debian.org, debian-legal@lists.debian.org
Subject: Re: Bug#189164: libdbd-mysql-perl uses GPL lib, may be used by GPL-incompatible apps
Date: Thu, 17 Apr 2003 00:02:31 +0200
Le Wed, Apr 16, 2003 at 03:15:19PM -0500, Steve Langasek écrivait:
>     2. You may modify your copy or copies of the Program or any portion
>   of it, thus forming a work based on the Program, and copy and
>   distribute such modifications or work under the terms of Section 1
>   above, provided that you also meet all of these conditions:
> 
>   [...]
> 
>       b) You must cause any work that you distribute or publish, that in
>       whole or in part contains or is derived from the Program or any
>       part thereof, to be licensed as a whole at no charge to all third
>       parties under the terms of this License.

I'm sorry but a perl script using DBI/DBD::mysql doesn't contain
DBD::mysql and is not derived from DBD::mysql ... and it doesn't
contain libmysqlclient12 and it isn't derived from libmysqlclient12.

This is even more clear when you consider the fact that a perl script
can use "DBI" as a general DB layer without knowing which driver is used
behind the doors.

> Please let me know if you find problems with any of my reasoning above.

The fact is that I think that you extend too easily the meaning of
"contains" and "is derived".

While a program directly linked can be considered like a derived work of
the library, I don't think that you can say that program A is a derived
work of libX if A is linked to libY which itself uses libX.

Yes this means that you can go around the limitation of the GPL... but
I'm confident that a fake library used only in that intent would be
considered as violating the spirit of the GPL. However when that
intermediate library serves a generic purpose like DBI, I doubt that
we violate the spirit of the GPL.

> Since the GPL makes no reference to technical details of linking
> mechanisms, however, I'm confident that any interpretation that permits
> distributing GPL-incompatible perl scripts together with a GPL perl
> module would also permit distributing GPL-incompatible compiled binaries
> together with GPL libraries.

Note that the perl module is not GPL only, but GPL/Artistic (like most
perl modules). I don't know how much trouble that brings ... :-)

Does your reasoning also mean that each time a proprietary perl script
is using a standard perl module, it uses the module under the terms of
the Artistic license and not under the GPL because it can't comply with
the GPL ?

It's so boring those license issues ...

Cheers,
-- 
Raphaël Hertzog -+- http://www.ouaza.com
Formation Linux et logiciel libre : http://www.logidee.com



Information forwarded to debian-bugs-dist@lists.debian.org, Raphael Hertzog <hertzog@debian.org>, libdbd-mysql-perl@packages.qa.debian.org:
Bug#189164; Package libdbd-mysql-perl. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@netexpress.net>:
Extra info received and forwarded to list. Copy sent to Raphael Hertzog <hertzog@debian.org>, libdbd-mysql-perl@packages.qa.debian.org. Full text and rfc822 format available.

Message #25 received at 189164@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@netexpress.net>
To: Raphael Hertzog <hertzog@debian.org>, 189164@bugs.debian.org, debian-legal@lists.debian.org
Subject: Re: Bug#189164: libdbd-mysql-perl uses GPL lib, may be used by GPL-incompatible apps
Date: Wed, 16 Apr 2003 18:19:21 -0500
[Message part 1 (text/plain, inline)]
On Thu, Apr 17, 2003 at 12:02:31AM +0200, Raphael Hertzog wrote:
> Le Wed, Apr 16, 2003 at 03:15:19PM -0500, Steve Langasek écrivait:
> >     2. You may modify your copy or copies of the Program or any portion
> >   of it, thus forming a work based on the Program, and copy and
> >   distribute such modifications or work under the terms of Section 1
> >   above, provided that you also meet all of these conditions:
> > 
> >   [...]

> >       b) You must cause any work that you distribute or publish, that in
> >       whole or in part contains or is derived from the Program or any
> >       part thereof, to be licensed as a whole at no charge to all third
> >       parties under the terms of this License.

> I'm sorry but a perl script using DBI/DBD::mysql doesn't contain
> DBD::mysql and is not derived from DBD::mysql ... and it doesn't
> contain libmysqlclient12 and it isn't derived from libmysqlclient12.

> This is even more clear when you consider the fact that a perl script
> can use "DBI" as a general DB layer without knowing which driver is used
> behind the doors.

My question is, how is a package that depends on DBD::mysql materially
different from a compiled program that links dynamically against
libmysqlclient?  The mechanisms are different; the effect is the same.  I
believe that any sane interpretation of the GPL must treat these cases as
equivalent.  You seem to agree, though you disagree with me on how these
two cases should be treated.

> > Please let me know if you find problems with any of my reasoning above.

> The fact is that I think that you extend too easily the meaning of
> "contains" and "is derived".

> While a program directly linked can be considered like a derived work of
> the library, I don't think that you can say that program A is a derived
> work of libX if A is linked to libY which itself uses libX.

> Yes this means that you can go around the limitation of the GPL... but
> I'm confident that a fake library used only in that intent would be
> considered as violating the spirit of the GPL. However when that
> intermediate library serves a generic purpose like DBI, I doubt that
> we violate the spirit of the GPL.

So you don't believe that the letter of the GPL prohibits binary-only
distribution of an application, together with a GPL library that it's
dynamically linked against?  I believe there is room for argument here;
however, I also believe that Debian has a responsibility to err on the
side of caution when there is room for argument in interpreting a
license.

As to the spirit of the GPL, please read
<http://www.fsf.org/licenses/gpl-faq.html#IfInterpreterIsGPL>.  This is
the opinion of the FSF; I'm inclined to believe, based both on past
litigation and on the fact of their strange decision to relicense under
the GPL that they will take a stance that's as hard-line as or more so
than that of the FSF.

The packages I listed in the bug report are not just consumers of the
intermediary DBI library; through decisions made by the package
maintainers, there are explicit dependencies on the DBD::mysql module.

> > Since the GPL makes no reference to technical details of linking
> > mechanisms, however, I'm confident that any interpretation that permits
> > distributing GPL-incompatible perl scripts together with a GPL perl
> > module would also permit distributing GPL-incompatible compiled binaries
> > together with GPL libraries.

> Note that the perl module is not GPL only, but GPL/Artistic (like most
> perl modules). I don't know how much trouble that brings ... :-)

In this case, I think it saves trouble: if DBD::mysql were GPL-only, then
the same argument applies even if you link against the LGPL version of
libmysqlclient.

> Does your reasoning also mean that each time a proprietary perl script
> is using a standard perl module, it uses the module under the terms of
> the Artistic license and not under the GPL because it can't comply with
> the GPL ?

Only if the proprietary perl script is bundled with the perl module.  If
the proprietary perl script isn't bundled, both licenses allow this use
(the FSF seems to disagree here, but I don't think they have legal
standing to enforce their position against someone who isn't a
distributor of the GPL code).

-- 
Steve Langasek
postmodern programmer
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Raphael Hertzog <hertzog@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steve Langasek <vorlon@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 189164-close@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: 189164-close@bugs.debian.org
Subject: Bug#189164: fixed in libdbd-mysql-perl 2.1026-3
Date: Fri, 25 Apr 2003 13:47:32 -0400
We believe that the bug you reported is fixed in the latest version of
libdbd-mysql-perl, which is due to be installed in the Debian FTP archive:

libdbd-mysql-perl_2.1026-3.diff.gz
  to pool/main/libd/libdbd-mysql-perl/libdbd-mysql-perl_2.1026-3.diff.gz
libdbd-mysql-perl_2.1026-3.dsc
  to pool/main/libd/libdbd-mysql-perl/libdbd-mysql-perl_2.1026-3.dsc
libdbd-mysql-perl_2.1026-3_i386.deb
  to pool/main/libd/libdbd-mysql-perl/libdbd-mysql-perl_2.1026-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 189164@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Hertzog <hertzog@debian.org> (supplier of updated libdbd-mysql-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 20 Apr 2003 13:28:50 +0000
Source: libdbd-mysql-perl
Binary: libdbd-mysql-perl
Architecture: source i386
Version: 2.1026-3
Distribution: unstable
Urgency: medium
Maintainer: Raphael Hertzog <hertzog@debian.org>
Changed-By: Raphael Hertzog <hertzog@debian.org>
Description: 
 libdbd-mysql-perl - A Perl5 database interface to the MySQL database
Closes: 189164
Changes: 
 libdbd-mysql-perl (2.1026-3) unstable; urgency=medium
 .
   * Switch to use libmysqlclient10 which is LGPL. Updated build-depends
     accordingly. Closes: #189164
     Latest libmysqlclient is GPL-only and thus can't be used for
     any project which is non-GPL. As DBD::mysql is probably used by dozen
     of non-GPL programs I decided to link it against the last LGPL
     version kindly resurrected by Steve Langasek:
     https://alioth.debian.org/projects/libmysql-lgpl/
   * Sorry if this does mean that you're going to lack some features
     integrated in the latest libs, but you should whine against the
     upstream decision to switch to GPL ...
Files: 
 5f9dfb210f5bce80f48a4e24ea6b92f7 679 perl optional libdbd-mysql-perl_2.1026-3.dsc
 08e43304a122d2fcaef547990ae894c9 4888 perl optional libdbd-mysql-perl_2.1026-3.diff.gz
 9ad407b75deae084046e5a44090de31e 117292 perl optional libdbd-mysql-perl_2.1026-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+oqHfvPbGD26BadIRApjVAJ9y3+qKoi7xcGXKBg5vBaOk49Ay+QCfdGna
XPc39H04k/N2KXX+CapTuKY=
=yWaO
-----END PGP SIGNATURE-----




Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:22:18 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.