Package: wnpp
Severity: wishlist
Owner: William Pitcock <nenolod@dereferenced.org>

* Package name : charybdis
Version : 3.0.1
Upstream Author : William Pitcock <nenolod@nenolod.net>,
Jilles Tjoelker <jilles@stack.nl>,
Valery Yatsko <dwr@darkwire.ru>,
Michael Tharp <gxti@partiallystapled.com>
* URL : http://www.ircd-charybdis.net
* License : GPL
Programming Lang: C
Description : fast, scalable irc server
Charybdis is a fast, scalable IRC server, capable of supporting
tens of thousands of connections. It supports SSL and X.509
certificate challenge-response authentication.

Like oftc-hybrid, I intend to link this to OpenSSL. Since nobody
seems to care about that, I'm going to assume that it's OK.

-- System Information:
Debian Release: lenny/sid
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Mon, Jun 09, 2008 at 11:43:53PM -0500, William Pitcock wrote:

> * URL : http://www.ircd-charybdis.net
> * License : GPL
>
> Like oftc-hybrid, I intend to link this to OpenSSL. Since nobody
> seems to care about that, I'm going to assume that it's OK.

People DO care, and it is not OK. Linking with OpenSSL is only allowed
if there is an exemption to the license of charybdis that explicitly
allows linking to the OpenSSL. See for example this page which gives a
nice summary and links to some related debian-legal emails:

http://www.gnome.org/~markmc/openssl-and-the-gpl.html

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@debian.org>

2008/6/10 Guus Sliepen <guus@debian.org>:
> On Mon, Jun 09, 2008 at 11:43:53PM -0500, William Pitcock wrote:
>
>> * URL : http://www.ircd-charybdis.net
>> * License : GPL
>>
>> Like oftc-hybrid, I intend to link this to OpenSSL. Since nobody
>> seems to care about that, I'm going to assume that it's OK.
>
> People DO care, and it is not OK. Linking with OpenSSL is only allowed
> if there is an exemption to the license of charybdis that explicitly
> allows linking to the OpenSSL. See for example this page which gives a
> nice summary and links to some related debian-legal emails:
>
> http://www.gnome.org/~markmc/openssl-and-the-gpl.html

I don't know if it's possible, but you might want to try to link it to
GNUTLS [1] instead.

Greetings,
Miry

[1] http://www.gnu.org/software/gnutls/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Hi,

On Tue, 2008-06-10 at 11:21 +0200, Guus Sliepen wrote:
> On Mon, Jun 09, 2008 at 11:43:53PM -0500, William Pitcock wrote:
>
> > * URL : http://www.ircd-charybdis.net
> > * License : GPL
> >
> > Like oftc-hybrid, I intend to link this to OpenSSL. Since nobody
> > seems to care about that, I'm going to assume that it's OK.
>
> People DO care, and it is not OK. Linking with OpenSSL is only allowed
> if there is an exemption to the license of charybdis that explicitly
> allows linking to the OpenSSL. See for example this page which gives a
> nice summary and links to some related debian-legal emails:

It is likely impossible to add an exemption to most IRCd notable
exceptions include ngircd or inspircd, because some of the original
"ircd 2.8" contibutors are now dead.

Due to packet interception and logging, SSL support in IRC daemons is
becoming a hot topic. Without OpenSSL, packaging charybdis is pointless
for me, as the whole idea of packaging it would be to make it easier to
install on my systems. And without OpenSSL, it isn't easier for me to
install because I would have to rebuild the package with OpenSSL.

So, in a nutshell, nobody in the current IRCd development community
cares about perceived GPL+OpenSSL compatibility issues, so only Debian
does, which is "ok", but that's not so useful when Debian is already
shipping packages linked against OpenSSL with no exception (see below).

Here's some packages which are linked against OpenSSL and should not be
(this is not an all exhaustive list, you should grep-dctrl on a Sources
or something):

- epic4 (impossible to get an exception, dead contributors)
- inspircd would but I chose not to build that module because they ship
a gnutls one instead (charybdis is basically stuck with openssl due to
using libcrypto directly)
- oftc-hybrid (impossible to get an exception, dead contributors)
- openvpn (may or may not have exception, more checking needed)
- xchat (might be possible to get an exception, but author doesn't care
about GPL anyway, see also: Shareware XChat for win32)
- znc (status unknown, but i see no exception in the source)

So, in the grand scheme of things, I don't really think one more package
linked against OpenSSL is going to hurt anything.

If it makes you happy, I could bolt an exception on the code, but I
doubt it would hold water due to the fact that there are dead copyright
holders. But at the moment, porting to GnuTLS is really not an option,
as I would have to port to GCrypt too for the cert exchange, and that
couldn't be easily done with libgnutls-extra. I suppose using
libgnutls-extra and not supporting X.509 cert auth for gaining admin
access is an acceptable compromise provided that libgnutls-extra
implements enough of the OpenSSL API.

William

William Pitcock wrote:

- epic4 (impossible to get an exception, dead contributors)


You are wrong to the "impossible to get an exception, dead
contributors", in this sentence and in other sentences:


The copyright go to the heirs, so you could contact the
heirs.

Anyway, we should follow the copyright law.
If we do exception to GPL, other people will
think they could also make esceptions to GPL,
losing the value of the GPL, and all people will
lose.

Don't think only on these project, where it would
be very convenient to make exceptions, but if you
broke in one place the GPL, why our users should not
make additional exceptions and not disclose sources?

So this annoyance will allow us to sue people violating
the GPL. Think: it is a great advantage!

ciao
cate


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

This one time, at band camp, William Pitcock said:
> Hi,
>
> On Tue, 2008-06-10 at 11:21 +0200, Guus Sliepen wrote:
> > On Mon, Jun 09, 2008 at 11:43:53PM -0500, William Pitcock wrote:
> >
> > > * URL : http://www.ircd-charybdis.net
> > > * License : GPL
> > >
> > > Like oftc-hybrid, I intend to link this to OpenSSL. Since nobody
> > > seems to care about that, I'm going to assume that it's OK.
> >
> > People DO care, and it is not OK. Linking with OpenSSL is only allowed
> > if there is an exemption to the license of charybdis that explicitly
> > allows linking to the OpenSSL. See for example this page which gives a
> > nice summary and links to some related debian-legal emails:
>
> So, in a nutshell, nobody in the current IRCd development community
> cares about perceived GPL+OpenSSL compatibility issues, so only Debian
> does, which is "ok", but that's not so useful when Debian is already
> shipping packages linked against OpenSSL with no exception (see below).

Upstreams being brain dead about licensing issues is not something
really new, unfortunately. This issue has been done to death already,
and it seems to me that protesting that we have some other similar bugs
is not a justification to introduce a new one.

For GPLv3, it does seem like AJ's idea of putting openssl in essential
is a reasonable one, and I'd quite like to see it. That doesn't help
GPLv2 only apps, though, so I think we're just going to have to live
with the status quo on that one.
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------

On 11412 March 1977, William Pitcock wrote:

> So, in a nutshell, nobody in the current IRCd development community
> cares about perceived GPL+OpenSSL compatibility issues, so only Debian
> does, which is "ok", but that's not so useful when Debian is already
> shipping packages linked against OpenSSL with no exception (see below).

> Here's some packages which are linked against OpenSSL and should not be
> (this is not an all exhaustive list, you should grep-dctrl on a Sources
> or something):

> So, in the grand scheme of things, I don't really think one more package
> linked against OpenSSL is going to hurt anything.

Feel free to file bugs, thats why the BTS is open for everyone.

But thanks that you told us which package to not accept but just reject
from NEW. Always good to have people help us.

--
bye, Joerg
Contrary to common belief, Arch:i386 is *not* the same as Arch: any.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On 10-Jun-08, 06:38 (CDT), William Pitcock <nenolod@sacredspiral.co.uk> wrote:
> - openvpn (may or may not have exception, more checking needed)

The copyright file has the necessary exceptions.

Steve


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Tue, Jun 10, 2008 at 06:38:19AM -0500, William Pitcock wrote:
> Here's some packages which are linked against OpenSSL and should not be
> (this is not an all exhaustive list, you should grep-dctrl on a Sources
> or something):

And what is grep-dctrl supposed to tell anyone? There are lots of packages
that build-depend on openssl. How do you intend for anyone to draw
conclusions based on the build-depends alone, without reference to license?

Or are you just trying to send anyone who disagrees with you on a fool's
errand, so they won't interfere with your ITP?

> - epic4 (impossible to get an exception, dead contributors)

debian/copyright shows a BSD license.

> - inspircd would but I chose not to build that module because they ship
> a gnutls one instead (charybdis is basically stuck with openssl due to
> using libcrypto directly)

... therefore not analogous, so why do you include it in this list?

> - oftc-hybrid (impossible to get an exception, dead contributors)

* As a special exception, the authors give permission to link the code of this
* release of oftc-hybrid with the OpenSSL project's "OpenSSL" library (or
* with modified versions of it that use the same license as the "OpenSSL"
* library), and distribute the linked executables. You must obey the GNU
* General Public License in all respects for all of the code used other than
* "OpenSSL". If you modify the code, you may extend this exception to your
* version of the files, but you are not obligated to do so. If you do not
* wish to do so, delete this exception statement from your version.

> - openvpn (may or may not have exception, more checking needed)

Has an exception, already mentioned.

> - xchat (might be possible to get an exception, but author doesn't care
> about GPL anyway, see also: Shareware XChat for win32)

License:

This program is released under the GPL v2 with the additional exemption
that compiling, linking, and/or using OpenSSL is allowed. You may
provide binary packages linked to the OpenSSL libraries, provided that
all other requirements of the GPL are met.
See file COPYING for details.

The debian/copyright on this one is rather horrid looking, it lists 6
licenses in a row with no indication of which license applies to what
components. This probably warrants a bug report for clarification; but at
first look, it appears that the effort has already been made to secure an
exception for the components that require it.

> - znc (status unknown, but i see no exception in the source)

In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations
including the two.
You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you
do not wish to do so, delete this exception statement from your
version. If you delete this exception statement from all source
files in the program, then also delete it here.

> So, in the grand scheme of things, I don't really think one more package
> linked against OpenSSL is going to hurt anything.

No, you're the only one who seems to be playing fast and loose with
licensing here. *None* of the examples you've cited to try to support your
position appear to have the licensing problem in question; everyone else is
making a good-faith effort to get this right.

> If it makes you happy, I could bolt an exception on the code, but I
> doubt it would hold water due to the fact that there are dead copyright
> holders.

There are dead /authors/, not dead copyright holders. Dead people can't
hold copyright; copyright transfers to the heirs when the author dies.

The reason it wouldn't hold water is that exceptions have to be granted by
the copyright holders. You can't bolt an exception on *for* them, you need
to get this approved by the people who actually hold copyright on this code.

You can of course provide an exception for any of your own code, but that
doesn't result in a distributable binary package unless yours is the only
code used in the program that links to OpenSSL.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Tue, 2008-06-10 at 10:46 -0700, Steve Langasek wrote:
> > - oftc-hybrid (impossible to get an exception, dead contributors)
>
> * As a special exception, the authors give permission to link the
> code of this
> * release of oftc-hybrid with the OpenSSL project's "OpenSSL"
> library (or
> * with modified versions of it that use the same license as the
> "OpenSSL"
> * library), and distribute the linked executables. You must obey
> the GNU
> * General Public License in all respects for all of the code used
> other than
> * "OpenSSL". If you modify the code, you may extend this exception
> to your
> * version of the files, but you are not obligated to do so. If you
> do not
> * wish to do so, delete this exception statement from your version.

You've been conned. OFTC-Hybrid is based on Hybrid which is based on 2.8
and therefore cannot add such an exception; it is effectively in the
same boat that charybdis is in. I could lie and add the same exception
to my debian/copyright too, but it wouldn't be true and it wouldn't be
right to do so.

Furthermore, a grep of that string in the source brings no results other
than debian/copyright, which demonstrates that nothing actually HAS this
exception anyway:

nenolod@petrie:~/oftc-hybrid-1.6.3.dfsg$ grep "As a special exception,
the authors give permission" * -R
debian/copyright: * As a special exception, the authors give permission
to link the code of this
nenolod@petrie:~/oftc-hybrid-1.6.3.dfsg$

At any rate, I intend to wait until version 3.1 of charybdis anyway now,
which has a GNUTLS backend (I've written it, and it just needs to be
debugged).

William