Debian Bug report logs - #534338
RFP: libopenssl-perl -- OpenSSL bindings in perl

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Tue, 23 Jun 2009 18:21:01 UTC

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, <wnpp@debian.org>:
Bug#534338; Package wnpp. (Tue, 23 Jun 2009 18:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, <wnpp@debian.org>. (Tue, 23 Jun 2009 18:21:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: libopenssl-perl -- OpenSSL bindings in perl
Date: Tue, 23 Jun 2009 14:17:30 -0400
Package: wnpp
Severity: wishlist
Owner: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

* Package name    : libopenssl-perl
  Version         : 0.10
  Upstream Author : Stefan Traby <stefan@hello-penguin.com>
* URL             : http://search.cpan.org/~oesi/OpenSSL/
* License         : GPL | Artistic
  Programming Lang: Perl
  Description     : OpenSSL bindings in perl

The OpenSSL perl module binds a subset of the OpenSSL library (mostly
digest and cipher algorithms) into perl.



- ---------------------

Note: this seems to have some overlap with Net::SSLeay; i've sent mail
to both upstreams asking if they're interested in consolidation or
some other collaborative approach.  I want this packaged for Debian
because there are useful things in this module (such as CAST5 cipher
and RIPEMD160 digests) which are otherwise not directly available in
perl through debian, as far as i can tell.

Re: licensing: the current version doesn't have explicit licensing in
the source.  I exchanged mails directly with the upstream author, and
he confirmed that it is licensed under the same terms as perl (GPL or
Artistic).  The next release will include the license as part of the
package.

I'm also attempting to join the debian perl packaging team, so
hopefully this package will come into the archive under their aegis.





Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#534338; Package wnpp. (Tue, 23 Jun 2009 19:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Tue, 23 Jun 2009 19:18:02 GMT) Full text and rfc822 format available.

Message #10 received at 534338@bugs.debian.org (full text, mbox):

From: Simon Josefsson <simon@josefsson.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 534338@bugs.debian.org
Subject: Re: Bug#534338: ITP: libopenssl-perl -- OpenSSL bindings in perl
Date: Tue, 23 Jun 2009 21:13:35 +0200
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> Re: licensing: the current version doesn't have explicit licensing in
> the source.  I exchanged mails directly with the upstream author, and
> he confirmed that it is licensed under the same terms as perl (GPL or
> Artistic).  The next release will include the license as part of the
> package.

Does that work?  I'd assume you would also need the OpenSSL license
exemption.

/Simon




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#534338; Package wnpp. (Tue, 23 Jun 2009 19:30:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. (Tue, 23 Jun 2009 19:30:06 GMT) Full text and rfc822 format available.

Message #15 received at 534338@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Simon Josefsson <simon@josefsson.org>, 534338@bugs.debian.org
Subject: Re: Bug#534338: ITP: libopenssl-perl -- OpenSSL bindings in perl
Date: Tue, 23 Jun 2009 15:26:25 -0400
[Message part 1 (text/plain, inline)]
On 06/23/2009 03:13 PM, Simon Josefsson wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> 
>> Re: licensing: the current version doesn't have explicit licensing in
>> the source.  I exchanged mails directly with the upstream author, and
>> he confirmed that it is licensed under the same terms as perl (GPL or
>> Artistic).  The next release will include the license as part of the
>> package.
> 
> Does that work?  I'd assume you would also need the OpenSSL license
> exemption.

I agree that's a concern, though the Artistic license doesn't need any
such exception.  So maybe (GPL | Artistic) is equivalent to (Artistic)
in this case?

There are other OpenSSL perl bindings in debian that have the same
license, though, and seem to be intact with no outstanding bugs (which
isn't to say that's not a bug, of course).  For example, see
libcrypt-openssl-{rsa,dsa,random,bignum}-perl.

I raised this issue on debian-perl earlier today:

  http://lists.debian.org/debian-perl/2009/06/msg00083.html

but haven't gotten any followup yet from the maintainers of the other
packages in a similar situation.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#534338; Package wnpp. (Wed, 24 Jun 2009 22:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Debian Perl Group <debian-perl@lists.debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Wed, 24 Jun 2009 22:24:02 GMT) Full text and rfc822 format available.

Message #20 received at 534338@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Perl Group <debian-perl@lists.debian.org>, 534338@bugs.debian.org
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 24 Jun 2009 18:20:59 -0400
[Message part 1 (text/plain, inline)]
On 06/23/2009 02:52 PM, Daniel Kahn Gillmor wrote:
> Finally, i note that the OpenSSL license contains the following stanza:
> 
>  * 5. Products derived from this software may not be called "OpenSSL"
>  *    nor may "OpenSSL" appear in their names without prior written
>  *    permission of the OpenSSL Project.
> 
> It's not clear to me whether any of the Crypt::OpenSSL::* modules have
> actually received such permission from the OpenSSL project.  I've written
> the upstream author of the OpenSSL:: module today to ask about that, but
> haven't heard back yet.  I was curious what the maintainers of the other
> *::OpenSSL::* modules know about that situation for their respective
> modules.

In response to my raising this question with the author of the OpenSSL
perl module i was hoping to put into debian, he has apparently asked the
OpenSSL team for permission, and has requested his module's removal from
CPAN until he gets a positive response from the OpenSSL team.

Have any of the other *::OpenSSL::* module maintainers (Damyan and Luk
are the names i see most often in the changelogs) broached this issue
with their respective upstreams?  If so, what was the response?  If not,
is that because you don't think it's relevant?  Or it was simply overlooked?

I hate to be the goad about this, but i want to make sure we're
respecting the wishes of developers and the explicit licensing of the
software we use.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#534338; Package wnpp. (Sat, 19 Feb 2011 17:14:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Sat, 19 Feb 2011 17:14:01 GMT) Full text and rfc822 format available.

Message #25 received at 534338@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 534338@bugs.debian.org
Cc: control@bugs.debian.org
Subject: libopenssl-perl: changing back from ITP to RFP
Date: Sat, 19 Feb 2011 17:02:56 +0000
retitle 534338 RFP: libopenssl-perl -- OpenSSL bindings in perl
noowner 534338
thanks

Hi,

This is an automatic email to change the status of libopenssl-perl back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 6 months.

If you are still interested in adopting libopenssl-perl, please send a mail to
<control@bugs.debian.org> with:

 retitle 534338 ITP: libopenssl-perl -- OpenSSL bindings in perl
 owner 534338 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <534338@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>




Changed Bug title to 'RFP: libopenssl-perl -- OpenSSL bindings in perl' from 'ITP: libopenssl-perl -- OpenSSL bindings in perl' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 17:17:02 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by Daniel Kahn Gillmor <dkg@fifthhorseman.net>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 17:17:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 09:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kai <kai@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 09:30:50 GMT) Full text and rfc822 format available.

Message #34 received at 534338@bugs.debian.org (full text, mbox):

From: Kai <kai@xs4all.nl>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: 534338@bugs.debian.org
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 11:26:53 +0200
[Message part 1 (text/plain, inline)]
Hi Daniel,

I was searching for the package libcrypt-openssl-aes-perl. With some wildcards I
stumbled upon this wnpp bug.

Was my package (Crypt::OpenSSL::AES) included in your wnpp, or should I create a
new wnpp bug for this?

Thanks for your input.

Regards,
Kai Storbeck

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 11:30:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 11:30:22 GMT) Full text and rfc822 format available.

Message #39 received at 534338@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Kai <kai@xs4all.nl>
Cc: 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 07:27:10 -0400
[Message part 1 (text/plain, inline)]
On 06/27/2012 05:26 AM, Kai wrote:
> I was searching for the package libcrypt-openssl-aes-perl. With some wildcards I
> stumbled upon this wnpp bug.
> 
> Was my package (Crypt::OpenSSL::AES) included in your wnpp, or should I create a
> new wnpp bug for this?

I don't believe #534338 covered Crypt::OpenSSL::AES.  However, i do
wonder whether Crypt::OpenSSL::AES has received permission from the
OpenSSL upstream for the use of the term "OpenSSL" in its name, as
referred to at:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534338#20

I suppose the same question needs to be asked about:

libcrypt-openssl-bignum-perl
libcrypt-openssl-dsa-perl
libcrypt-openssl-random-perl
libcrypt-openssl-rsa-perl
libcrypt-openssl-x509-perl

(cc'ing the debian perl team to see if there's any knowledge there)

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 13:01:26 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guy Hulbert <gwhulbert@eol.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 13:01:30 GMT) Full text and rfc822 format available.

Message #44 received at 534338@bugs.debian.org (full text, mbox):

From: Guy Hulbert <gwhulbert@eol.ca>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Kai <kai@xs4all.nl>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 09:00:15 -0400
On Wed, 2012-27-06 at 07:27 -0400, Daniel Kahn Gillmor wrote:
[snip]
> I don't believe #534338 covered Crypt::OpenSSL::AES.  However, i do
> wonder whether Crypt::OpenSSL::AES has received permission from the
> OpenSSL upstream for the use of the term "OpenSSL" in its name, as
> referred to at:
> 
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534338#20
> 

[snip]

It depends what "derived from this software" means.  The only protection
"OpenSSL" has, in itself, would be as a trademark.

Apple has an example here:
http://www.apple.com/legal/trademark/appletmlist.html

which seems to indicate that "OpenSSL Project" and "OpenSSL Toolkit" are
protected but not bare "OpenSSL".

It also indicates that the restrictions imposed are only using the
"openssl" name for marketing.  But Apple has a written agreement with
OpenSSL.

-- 
--gh






Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 14:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 14:06:03 GMT) Full text and rfc822 format available.

Message #49 received at 534338@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Guy Hulbert <gwhulbert@eol.ca>
Cc: Kai <kai@xs4all.nl>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 10:03:08 -0400
[Message part 1 (text/plain, inline)]
On 06/27/2012 09:00 AM, Guy Hulbert wrote:
> It depends what "derived from this software" means.  The only protection
> "OpenSSL" has, in itself, would be as a trademark.

I don't think this is the case, but i could be wrong.  Trademark would
be used to keep someone from marketing an unrelated product as
"OpenSSL".  In this case, it's simply the copyright license (not a
trademark) which grants the toolkit's re-use, modification, and
redistribution rights only under the constraint that:

 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.

This seems like a silly and annoying clause to me, but it's in the
license, and i think we should try to respect the authors' expressed wishes.

Given that the perl modules in question clearly contain "OpenSSL" in
their names, this appears to only be satisfied under one of the
following conditions:

 0) a perl module is not a "product"
 1) these perl modules are not "derived from" OpenSSL
 2) the OpenSSL Project has given these modules explicit permission
 3) this clause is considered unenforceable and/or somehow illegitimate

Alternately, we could choose to not accept the copyright license, by not
redistributing or using OpenSSL for these packages (though i don't know
technically how we would accomplish this).

I can't summon enough cognitive dissonance to argue for conditions 0 or
1, and i have no idea how to raise a consensus on 3, so i suspect the
simplest way forward would be (2): for the perl modules in question to
get written permission from the OpenSSL project for their names.

Maybe they've already done so -- i haven't checked!  Perhaps the debian
uploaders could verify with upstream?

I really don't think this is a trademark issue.

Regards,

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 16:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guy Hulbert <gwhulbert@eol.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 16:42:02 GMT) Full text and rfc822 format available.

Message #54 received at 534338@bugs.debian.org (full text, mbox):

From: Guy Hulbert <gwhulbert@eol.ca>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Kai <kai@xs4all.nl>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 12:38:49 -0400
On Wed, 2012-27-06 at 10:03 -0400, Daniel Kahn Gillmor wrote:
> Given that the perl modules in question clearly contain "OpenSSL" in
> their names, this appears to only be satisfied under one of the
> following conditions:
> 
>  0) a perl module is not a "product"
>  1) these perl modules are not "derived from" OpenSSL

I think this is the best argument.

>  2) the OpenSSL Project has given these modules explicit permission
>  3) this clause is considered unenforceable and/or somehow
> illegitimate

It's unenforceable if the modules in question do not incorporate any
OpenSSL code and are just an interface to the library.  I think this is
probably the case.

There seem to be between 30 and 40 modules on CPAN with OpenSSL in the
name and no-one seems to be bothered.

-- 
--gh






Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 16:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 16:51:03 GMT) Full text and rfc822 format available.

Message #59 received at 534338@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Guy Hulbert <gwhulbert@eol.ca>
Cc: Kai <kai@xs4all.nl>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 12:49:21 -0400
[Message part 1 (text/plain, inline)]
On 06/27/2012 12:38 PM, Guy Hulbert wrote:
> It's unenforceable if the modules in question do not incorporate any
> OpenSSL code and are just an interface to the library.  I think this is
> probably the case.

Eh?   How is a binding to a library not a project that is "derived from"
that library?  I don't follow your explanation that the clause is
unenforceable.  What makes it unenforceable?  Do you think that the holder
of a fully-proprietary license (imagine the most absurd non-free
software imaginable) wouldn't have any grounds to complain against
someone who was distributing a binding to their library without their
approval?

You know that you can only make a binding by at least building against
header files, and linking at runtime to object files, right?

> There seem to be between 30 and 40 modules on CPAN with OpenSSL in the
> name and no-one seems to be bothered.

You're seeing the modules that *remain* in CPAN.  There used to be a
perl module named OpenSSL.  It doesn't exist in CPAN any more (in fact,
the authors removed it when i asked them about these questions, as can
be seen in the history of #534338. :(

Listen, i don't like this situation either, and i wouldn't bother with
it except that authors of some code in debian have made an explicit
request by placing a constraint on their license that we have accepted
by redistributing it.

Shouldn't we at least try to honor that request?

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 16:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guy Hulbert <gwhulbert@eol.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 16:54:02 GMT) Full text and rfc822 format available.

Message #64 received at 534338@bugs.debian.org (full text, mbox):

From: Guy Hulbert <gwhulbert@eol.ca>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Kai <kai@xs4all.nl>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 12:52:28 -0400
On Wed, 2012-27-06 at 12:49 -0400, Daniel Kahn Gillmor wrote:
> On 06/27/2012 12:38 PM, Guy Hulbert wrote:
> > It's unenforceable if the modules in question do not incorporate any
> > OpenSSL code and are just an interface to the library.  I think this is
> > probably the case.
> 
> Eh?   How is a binding to a library not a project that is "derived from"
> that library?  I don't follow your explanation that the clause is
> unenforceable.  What makes it unenforceable? 

Because if I write the code, I own it.  So in the case of a perl module
I can call it anything I want unless there is a trademark involved (and,
i believe trademarking words is a perversion).

Please just disregard my input if you want to play lawyer.  I will stop
now.

-- 
--gh






Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 18:03:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike O'Connor <stew@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 18:03:14 GMT) Full text and rfc822 format available.

Message #69 received at 534338@bugs.debian.org (full text, mbox):

From: Mike O'Connor <stew@debian.org>
To: Guy Hulbert <gwhulbert@eol.ca>, 534338@bugs.debian.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Kai <kai@xs4all.nl>, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 13:42:11 -0400
[Message part 1 (text/plain, inline)]
On Wed, Jun 27, 2012 at 12:52:28PM -0400, Guy Hulbert wrote:
> On Wed, 2012-27-06 at 12:49 -0400, Daniel Kahn Gillmor wrote:
> > On 06/27/2012 12:38 PM, Guy Hulbert wrote:
> > > It's unenforceable if the modules in question do not incorporate any
> > > OpenSSL code and are just an interface to the library.  I think this is
> > > probably the case.
> > 
> > Eh?   How is a binding to a library not a project that is "derived from"
> > that library?  I don't follow your explanation that the clause is
> > unenforceable.  What makes it unenforceable? 
> 
> Because if I write the code, I own it.  So in the case of a perl module
> I can call it anything I want unless there is a trademark involved (and,
> i believe trademarking words is a perversion).
> 

In this case *some* of the code was written by the authors of the perl
code, but much of the source code comes directly from openssl.  The perl
module author is taking a lot of code from openssl, adding some of their
own, then compiling that together into a new work.  This is clearly a
derivative work.

Look, for example at the source code to libcrypt-openssl-rsa-perl.  In
RSA.xs, these lines appear:

#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/md5.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/ripemd.h>
#include <openssl/rsa.h>
#include <openssl/sha.h>
#include <openssl/ssl.h>

Those are instructions to the compiler to directly include source code
from the openssl project.  

stew
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 18:03:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guy Hulbert <gwhulbert@eol.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 18:03:16 GMT) Full text and rfc822 format available.

Message #74 received at 534338@bugs.debian.org (full text, mbox):

From: Guy Hulbert <gwhulbert@eol.ca>
To: Mike O'Connor <stew@debian.org>
Cc: 534338@bugs.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Kai <kai@xs4all.nl>, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 13:54:11 -0400
On Wed, 2012-27-06 at 13:42 -0400, Mike O'Connor wrote:
> On Wed, Jun 27, 2012 at 12:52:28PM -0400, Guy Hulbert wrote:
> > On Wed, 2012-27-06 at 12:49 -0400, Daniel Kahn Gillmor wrote:
> > > On 06/27/2012 12:38 PM, Guy Hulbert wrote:
> > > > It's unenforceable if the modules in question do not incorporate any
> > > > OpenSSL code and are just an interface to the library.  I think this is
> > > > probably the case.
> > > 
> > > Eh?   How is a binding to a library not a project that is "derived from"
> > > that library?  I don't follow your explanation that the clause is
> > > unenforceable.  What makes it unenforceable? 

The stuff on CPAN is source.  So it's not linked to anything.  It may
have instructions to link to something but OpenSSL has no legal
authority to stop that.

> > 
> > Because if I write the code, I own it.  So in the case of a perl module
> > I can call it anything I want unless there is a trademark involved (and,
> > i believe trademarking words is a perversion).
> > 
> 
> In this case *some* of the code was written by the authors of the perl
> code, but much of the source code comes directly from openssl.  The perl
> module author is taking a lot of code from openssl, adding some of their
> own, then compiling that together into a new work.  This is clearly a
> derivative work.

Define "derivative".  Until it's compiled, it's not.

> 
> Look, for example at the source code to libcrypt-openssl-rsa-perl.  In
> RSA.xs, these lines appear:
> 
> #include <openssl/bio.h>
> #include <openssl/bn.h>
> #include <openssl/err.h>
> #include <openssl/md5.h>
> #include <openssl/objects.h>
> #include <openssl/pem.h>
> #include <openssl/rand.h>
> #include <openssl/ripemd.h>
> #include <openssl/rsa.h>
> #include <openssl/sha.h>
> #include <openssl/ssl.h>
> 
> Those are instructions to the compiler to directly include source code
> from the openssl project.  

The *compiler*.  So it might be a problem for Debian except that Debian
is NOT using the string "OpenSSL".  It is using the lower-case version.
So there's no violation ... though IANAL.

IMO, if Debian is to do anything, it should first contact the "OpenSSL
Project" to see if there's a problem.  Harassing CPAN authors seems
premature to me.

> 
> stew
-- 
--gh






Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 18:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 18:27:03 GMT) Full text and rfc822 format available.

Message #79 received at 534338@bugs.debian.org (full text, mbox):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Guy Hulbert <gwhulbert@eol.ca>
Cc: Mike O'Connor <stew@debian.org>, 534338@bugs.debian.org, Kai <kai@xs4all.nl>, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 14:25:32 -0400
[Message part 1 (text/plain, inline)]
On 06/27/2012 01:54 PM, Guy Hulbert wrote:
> Define "derivative".  Until it's compiled, it's not.

Right.  Unfortunately for debian, and any other binary distributor of
CPAN modules, we distribute it compiled.

> The *compiler*.  So it might be a problem for Debian except that Debian
> is NOT using the string "OpenSSL".  It is using the lower-case version.
> So there's no violation ... though IANAL.

Wow, there's a way to thread the needle that hadn't occurred to me.  Was
this what you were trying to point out before?  I have my doubts about
the legitimacy of the case of the package name as a differentiator,
frankly, but i suppose that's one approach to take.  Should we also
change the case of the man pages and the paths to the .pm files?

> IMO, if Debian is to do anything, it should first contact the "OpenSSL
> Project" to see if there's a problem.  Harassing CPAN authors seems
> premature to me.

I'm not sure how the debian project can ask the OpenSSL project for
written permission to use the string in these projects, since:

 (a) debian can't accept a debian-specific license exception (see the
DFSG for details), and

 (b) debian isn't the CPAN upstream author.

A successful request by CPAN module authors to the OpenSSL project to
get approval for the use of the name would resolve the issue for *all*
binary distributors of CPAN modules, afaict.

I'm not sure what we would gain from a request from debian.  If OpenSSL
says "sure, you can do that in debian", then we leave our derivatives
and distributors (and other users) exposed to an ambiguous license that
could be used against them, which is contrary to the DSC.

It seems like the CPAN module authors are going to have to be involved
("harassed") somehow, unless "openssl" is considered sufficiently
different from "OpenSSL" to invalidate stanza 5 of the OpenSSL license.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 18:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guy Hulbert <gwhulbert@eol.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 18:36:03 GMT) Full text and rfc822 format available.

Message #84 received at 534338@bugs.debian.org (full text, mbox):

From: Guy Hulbert <gwhulbert@eol.ca>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Mike O'Connor <stew@debian.org>, 534338@bugs.debian.org, Kai <kai@xs4all.nl>, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 14:32:23 -0400
On Wed, 2012-27-06 at 14:25 -0400, Daniel Kahn Gillmor wrote:
> On 06/27/2012 01:54 PM, Guy Hulbert wrote:
> > Define "derivative".  Until it's compiled, it's not.
> 
> Right.  Unfortunately for debian, and any other binary distributor of
> CPAN modules, we distribute it compiled.
> 
> > The *compiler*.  So it might be a problem for Debian except that Debian
> > is NOT using the string "OpenSSL".  It is using the lower-case version.
> > So there's no violation ... though IANAL.
> 
> Wow, there's a way to thread the needle that hadn't occurred to me.  Was
> this what you were trying to point out before?  I have my doubts about

I had not thought carefully initially; the whole discussion is so
ridiculous on its face that I just reacted.  I told you once you could
ignore me.

> the legitimacy of the case of the package name as a differentiator,
> frankly, but i suppose that's one approach to take.  Should we also
> change the case of the man pages and the paths to the .pm files?

This is clearly ridiculous.

I was just referring to the debian package name.  I thought that was
obvious from context.

> 
> > IMO, if Debian is to do anything, it should first contact the "OpenSSL
> > Project" to see if there's a problem.  Harassing CPAN authors seems
> > premature to me.
> 
> I'm not sure how the debian project can ask the OpenSSL project for
> written permission to use the string in these projects, since:

Perhaps you should first get written permission to use the OpenSSL
string in this email thread.

[snip]

-- 
--gh

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 18:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Clint Adams <clint@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 18:54:03 GMT) Full text and rfc822 format available.

Message #89 received at 534338@bugs.debian.org (full text, mbox):

From: Clint Adams <clint@debian.org>
To: Guy Hulbert <gwhulbert@eol.ca>, 534338@bugs.debian.org
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mike O'Connor <stew@debian.org>, Kai <kai@xs4all.nl>, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 18:52:41 +0000
On Wed, Jun 27, 2012 at 02:32:23PM -0400, Guy Hulbert wrote:
> Perhaps you should first get written permission to use the OpenSSL
> string in this email thread.

Who are you?

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 21:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kai Storbeck <kai@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 21:15:07 GMT) Full text and rfc822 format available.

Message #94 received at 534338@bugs.debian.org (full text, mbox):

From: Kai Storbeck <kai@xs4all.nl>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Guy Hulbert <gwhulbert@eol.ca>, "Mike O'Connor" <stew@debian.org>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 23:13:13 +0200
Hi guys,

Cheers for the elaborate thread that emerged from my graveyard bump.

Daniel Kahn Gillmor wrote:

> It seems like the CPAN module authors are going to have to be involved
> ("harassed") somehow, unless "openssl" is considered sufficiently
> different from "OpenSSL" to invalidate stanza 5 of the OpenSSL license.
> 
> 	--dkg
> 

I'm a bit perplexed that the module authors have anything to do with
this as long as they are clearly stating their code is released under
the artistic license.

Should Debian concern itself (too much) with the authority of such a
claim? Is it Debian's task to mediate between all open source forges
around the world and their claims for licensing?

Apologies if this is in the debian policy.

Sincere Regards,
Kai Storbeck

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Wed, 27 Jun 2012 21:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guy Hulbert <gwhulbert@eol.ca>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 27 Jun 2012 21:57:08 GMT) Full text and rfc822 format available.

Message #99 received at 534338@bugs.debian.org (full text, mbox):

From: Guy Hulbert <gwhulbert@eol.ca>
To: Kai Storbeck <kai@xs4all.nl>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Mike O'Connor <stew@debian.org>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 17:55:09 -0400
On Wed, 2012-27-06 at 23:13 +0200, Kai Storbeck wrote:
> I'm a bit perplexed that the module authors have anything to do with
> this as long as they are clearly stating their code is released under
> the artistic license.

This is my position, stated somewhat more clearly.  The particular
license of the module does not matter as long as it follows DFSG.

> Should Debian concern itself (too much) with the authority of such a
> claim? Is it Debian's task to mediate between all open source forges
> around the world and their claims for licensing?

In this case, Debian could ask for a clarification from or a suitable
agreement (as Apple has done) with OpenSSL.

The problem for Debian is that Debian is not just distributing the
source code from CPAN and OpenSSL has a weird clause (#5) in their
license.

> 
> Apologies if this is in the debian policy.

-- 
--gh

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#534338; Package wnpp. (Thu, 28 Jun 2012 00:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike O'Connor <stew@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Thu, 28 Jun 2012 00:09:07 GMT) Full text and rfc822 format available.

Message #104 received at 534338@bugs.debian.org (full text, mbox):

From: Mike O'Connor <stew@debian.org>
To: Kai Storbeck <kai@xs4all.nl>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Guy Hulbert <gwhulbert@eol.ca>, 534338@bugs.debian.org, Debian Perl Group <debian-perl@lists.debian.org>
Subject: Re: Bug#534338: OpenSSL bindings for Perl -- licensing questions
Date: Wed, 27 Jun 2012 19:59:15 -0400
Kai Storbeck <kai@xs4all.nl> writes:

>
> I'm a bit perplexed that the module authors have anything to do with
> this as long as they are clearly stating their code is released under
> the artistic license.


The license of the perl module is not the concern.  The concern is that
we are violating the license of the openssl software.

>
> Should Debian concern itself (too much) with the authority of such a
> claim? 

Yes.  Is there any reason to think that "The OpenSSL Project" does not
have a valid claim on the headers in /usr/include/openssl?

> Is it Debian's task to mediate between all open source forges
> around the world and their claims for licensing?
>

It is Debian's task to make sure that our software archive is legal.  We
can help upstream here by getting them to where it is legal to
redistribute functional builds of their software.  We can also just stop
distributing this software, or we can go through the process of renaming
the software in Debian.  Of all these options, having this problem fixed
upstream seems to clearly be in the interest of not only Debian, but of
many other users of this software.


> Apologies if this is in the debian policy.

It should be implicit that Debian cannot ignore the software license
terms for the software we are distributing.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:28:55 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.