First off, apologies for opening duplicate #856844…  I apparently
overlooked this one while browsing through the list of existing bug
reports :-/

On Thu, 30 Jul 2015 at 22:35:17 +0200, Francesco Poli wrote:
> Now, the bad news is that I remembered that the libruby module
> providing SSL support links with libssl. And the OpenSSL license is
> well known to be GPL-incompatible.
> apt-listbugs is GPL-licensed and loads a number of GPL-licensed Ruby
> libraries: as a consequence, there may be license incompatibility
> issues preventing the distribution of a version of apt-listbugs which
> uses SSL.
> This licensing issue needs to be carefully investigated.
> I will try and see what can be done about it.
> Sadly, I will have to put the patch aside, until this situation is
> solved for the best.

FYI a similar issue (dynamic linking against libssl in the context of
python-pypump) was brought up to debian-legal two years ago:

    https://lists.debian.org/debian-legal/2015/01/msg00020.html
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740990
    https://github.com/xray7224/PyPump/issues/101

“OK. It can't hurt to try - this does seem like a special case.”  The
FTP masters didn't reject the GPL-3+'ed (without OpenSSL exception)
code:

    https://tracker.debian.org/media/packages/p/python-pypump/copyright-0.7-1


An older thread on debian-python mentioning the same problem:

    https://lists.debian.org/debian-python/2011/03/msg00082.html
    In my case I am talking about a GPLv3+ package that exists in Debian --
    kupfer

    Where do I draw the line for using/linking against ssl?

    a) Using Python2.6
    b) Unintentionally introducing _ssl or ssl into the imported modules
       (import any of urllib, httplib, socket etc!)
    c) Unintentionally using ssl  (use urllib.urlopen on URL provided by
       user -- if it's https we are using openssl)
    d) Intentionally using ssl (import ssl and use
       httplib.HTTPSConnection and verify certificates)

    Kupfer is today at (c) in the debian archive. It exists in
    development version at (d).

(AFAICT apt-listbugs would be at (b).)  The kupfer package is still in
main, released under GPL-3+ (without OpenSSL exception):

    https://tracker.debian.org/media/packages/k/kupfer/copyright-0%2Bv208-6

-- 
Guilhem.
