Package: libmariadb3
Version: 1:10.3.12-2
Severity: serious
Affects: w1retap
Justification: renders many Debian packages undistributable

Hello,

It's come to my attention that in buster and unstable, packages which build-depend on default-libmysqlclient-dev wind up linked against libmariadb3, which in turn links against OpenSSL (libssl1.1). This includes software which is licensed under the GPL and uses the MySQL APIs. (Example: w1retap)

It is well understood that the OpenSSL license is not "compatible" with the GPL (either version 2 or 3); and furthermore, Debian has long taken the position that, unless a license exception is granted by the copyright holders, a package which is distributed under the GPL must only link to libraries whose licenses are also GPL-compatible in order for it to be included in Debian.

There is bug #787118 requesting that mariadb-server use OpenSSL instead of YaSSL; this bug is still open in the BTS despite the fact that mariadb does now link against OpenSSL. This bug also acknowledges the need for a license exception for MariaDB itself to ship linked against OpenSSL, but the license compatibility problem for reverse-dependencies of the client library seems to have been overlooked.

I cannot find any discussion of the switch from yassl to openssl in the mariadb-10.3 changelog, so as near as I can see, there has been no explicit consideration of the licensing implications.

I am opening this as a serious bug, since I believe this makes a large and indeterminate number of packages non-distributable in buster.

Thanks,
--
Steve Langasek
Debian Developer
Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org