CUPS is now linked against OpenSSL (was: Re: GnuTLS in Debian)

2014-01-11 Thread Didier 'OdyX' Raboud
Hi all,

this "GnuTLS in Debian" thread triggered my switch of the src:cups 
package from linking against GnuTLS to now link against OpenSSL. CUPS is 
GPL-2 only with an OpenSSL exception.

Today, Andreas rightly pointed to me that this induces a problem (for 
Debian) for all GPL-without-OpenSSL-exception programs linked against 
libcups2. As far as I understand our current stance on that problem, 
GPL-licensed programs without an OpenSSL exception are absolutely 
forbidden to link with it, even indirectly.

Now, for the actual situation: I initially switched cups following my 
option 0) aka:

0) "move away from GnuTLS as its newer versions are incompatible with
GPL-2, use OpenSSL as cups is allowed to be linked against it"

… but I had overlooked the indirect linking problem.

Now, as far as I understood the thread, there are suggestions floating 
around to stop caring about this incompatibility and just consider "as a 
project" that OpenSSL is a system library, but this decision hasn't been 
formally taken yet.

So as far as CUPS is concerned, I see three ways forward:

1) revert the switch to OpenSSL and link against GnuTLS 2. This
   basically postpones the question to the moment when GnuTLS 2 is
   removed from Debian. As I understood the thread, GnuTLS 2 is likely
   to be removed from testing before the freeze, right?

2) switch to GnuTLS 3. This is not allowed because GnuTLS 3 is GPL-3 and
   CUPS is GPL-2 only.

3) report RC bugs against all packages linking against libcups2
   which licenses don't allow indirect linking to OpenSSL (mostly GPL-
   -without-OpenSSL-exception) and hope that fixes can be found license-
   -wise. There are >= 38 packages build-depending on libcups2-dev and
   >= 120 packages depending on libcups2. Also, I am not aware of tools 
   to detect this incompatibility automatically. I also doubt we'll be
   able to find solutions for all packages; yet libcups2 is quite
   important in desktop stacks.

So there is apparently no good solution on the long-term if the need for 
OpenSSL exceptions isn't waived. For now, I'm leaning towards solution 
1) to avoid willingly introducing dozens of RC bugs in testing when 
libcups2 enters testing (unless I create a "maintainer RC bug" blocked 
by all the 3)-created bugs).

I would really welcome opinions and advice on this matter.

Many thanks in advance, cheers,

OdyX

signature.asc
Description: This is a digitally signed message part.


Re: CUPS is now linked against OpenSSL (was: Re: GnuTLS in Debian)

2014-01-11 Thread Ben Hutchings
On Sat, 2014-01-11 at 17:55 +0100, Didier 'OdyX' Raboud wrote:
> Hi all,
> 
> this "GnuTLS in Debian" thread triggered my switch of the src:cups 
> package from linking against GnuTLS to now link against OpenSSL. CUPS is 
> GPL-2 only with an OpenSSL exception.
> 
> Today, Andreas rightly pointed to me that this induces a problem (for 
> Debian) for all GPL-without-OpenSSL-exception programs linked against 
> libcups2. As far as I understand our current stance on that problem, 
> GPL-licensed programs without an OpenSSL exception are absolutely 
> forbidden to link with it, even indirectly.
[...]

I think this is an absurd interpretation.  It is certainly not being
applied to linux-tools, where we have perf linked against libpython
linked against OpenSSL.

Ben.

-- 
Ben Hutchings
Always try to do things in chronological order;
it's less confusing that way.




Re: GnuTLS in Debian

2014-01-11 Thread Игорь Пашев
Do I understand correctly the following:

Application M under the MIT license linked to LGPL3 library L - ok
Application C under the CDDL license linked to LGPL3 library L - ok
Application G under the GPL3 license linked to LGPL3 library L - ok,
all under GPL3

Bang!

Application M is now under the GPL3 ?
Application C is now illegally linked to L ?


:-)


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CALL-Q8ztfuhcVUxmkqg7qWVBdVLfs-dcMeK=7nvkzz5nfnq...@mail.gmail.com



Re: CUPS is now linked against OpenSSL (was: Re: GnuTLS in Debian)

2014-01-11 Thread Svante Signell
On Sat, 2014-01-11 at 17:55 +0100, Didier 'OdyX' Raboud wrote:
> Hi all,
> 
> this "GnuTLS in Debian" thread triggered my switch of the src:cups 
> package from linking against GnuTLS to now link against OpenSSL. CUPS is 
> GPL-2 only with an OpenSSL exception.

> Now, as far as I understood the thread, there are suggestions floating 
> around to stop caring about this incompatibility and just consider "as a 
> project" that OpenSSL is a system library, but this decision hasn't been 
> formally taken yet.
> 
> So as far as CUPS is concerned, I see three ways forward:
> 
> 1) revert the switch to OpenSSL and link against GnuTLS 2. This
>    basically postpones the question to the moment when GnuTLS 2 is
>    removed from Debian. As I understood the thread, GnuTLS 2 is likely
>    to be removed from testing before the freeze, right?
> 
> 2) switch to GnuTLS 3. This is not allowed because GnuTLS 3 is GPL-3 and
>    CUPS is GPL-2 only.

What are the chances of cups re-licensing (dual-licensing) to GPL2+?
This would be a step in the right direction. (in worst case use some
other software package than cups as default for printing)





Re: GnuTLS in Debian

2014-01-11 Thread Svante Signell
On Sat, 2014-01-11 at 21:37 +0400, Игорь Пашев wrote:
> Do I understand correctly the following:
> 
> Application M under the MIT license linked to LGPL3 library L - ok
> Application C under the CDDL license linked to LGPL3 library L - ok
> Application G under the GPL3 license linked to LGPL3 library L - ok,
> all under GPL3
> 
> Bang!
> 
> Application M is now under the GPL3 ?

Not a chance, application M stays under the MIT license.

> Application C is now illegally linked to L ?
> 
> 
> :-)
> 
> 






Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Andreas Metzler
Svante Signell  wrote:
[...]
> What are the chances of cups re-licensing (dual-licensing) to GPL2+?
> This would be a step in the right direction. (in worst case use some
> other software package than cups as default for printing)

I'd guess minimal, iirc Apple has no love for GPLv3.
cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'





Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Matthias Klumpp
2014/1/11 Andreas Metzler :
> Svante Signell  wrote:
> [...]
>> What are the chances of cups re-licensing (dual-licensing) to GPL2+?
>> This would be a step in the right direction. (in worst case use some
>> other software package than cups as default for printing)
>
> I'd guess minimal, iirc Apple has no love for GPLv3.
Changing this would only mean that CUPS forks have the option to be
distributed under GPLv3. I don't see a reason why Apple should be
against this.
But I guess a decision like this would run with low priority over there...
Cheers,
Matthias

-- 
Debian Developer | Freedesktop-Developer
I welcome VSRE emails. See http://vsre.info/





Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Russ Allbery
Matthias Klumpp  writes:

> Changing this would only mean that CUPS forks have the option to be
> distributed under GPLv3. I don't see a reason why Apple should be
> against this.

Apple appears to be against anything containing the phrase GPLv3, to the
extent that their employees were even forbidden from reading GCC mailing
lists once the project started considering GPLv3 patches.  Presumably
their lawyers freaked out about something in the license, possibly the
patent handling.

-- 
Russ Allbery (r...@debian.org)   





Re: CUPS is now linked against OpenSSL (was: Re: GnuTLS in Debian)

2014-01-11 Thread Steve Langasek
On Sat, Jan 11, 2014 at 05:24:16PM +, Ben Hutchings wrote:
> On Sat, 2014-01-11 at 17:55 +0100, Didier 'OdyX' Raboud wrote:
> > Hi all,
> > 
> > this "GnuTLS in Debian" thread triggered my switch of the src:cups 
> > package from linking against GnuTLS to now link against OpenSSL. CUPS is 
> > GPL-2 only with an OpenSSL exception.
> > 
> > Today, Andreas rightly pointed to me that this induces a problem (for 
> > Debian) for all GPL-without-OpenSSL-exception programs linked against 
> > libcups2. As far as I understand our current stance on that problem, 
> > GPL-licensed programs without an OpenSSL exception are absolutely 
> > forbidden to link with it, even indirectly.
> [...]

> I think this is an absurd interpretation.  It is certainly not being
> applied to linux-tools, where we have perf linked against libpython
> linked against OpenSSL.

$ ldd /usr/bin/perf_3.12 |grep ssl
$

This is not an analogous situation.  libpython does *not* link against
OpenSSL; it merely supports dynamically loading libssl on behalf of python
programs that request it.  So perf is not loading OpenSSL into memory, and
there is no GPL problem here.  I would suggest dropping the disclaimer from
the copyright file, as it's not really applicable.

Had the situation actually been analogous, with perf calling into openssl
code via libpython, I would have filed a serious bug against linux-tools in
response to your message.  This is not a matter that maintainers are
entitled to exercise their own opinions on; if Debian were to decide to no
longer hold itself to the letter of the GPL, that's a decision for the
project to make as a whole.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org
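
The distinction drawn in the message above (a DT_NEEDED link versus a library loaded at run time) and the automatic check Didier says he lacks can be sketched as a walk over `readelf -d` output. This is an added example, not part of the thread or of any Debian tool; the `readelf -d` excerpts and the `gpl-app` binary are constructed for illustration.

```python
import re
from collections import deque

# Matches the NEEDED entries printed by `readelf -d <file>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

# Constructed `readelf -d` excerpts keyed by object name (not captured from
# real packages). libpython lists no libssl: it only loads it at run time.
SAMPLE_DYNAMIC = {
    "perf": """
 0x0000000000000001 (NEEDED)   Shared library: [libpython2.7.so.1.0]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
""",
    "libpython2.7.so.1.0": """
 0x0000000000000001 (NEEDED)   Shared library: [libdl.so.2]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
""",
    "gpl-app": """
 0x0000000000000001 (NEEDED)   Shared library: [libcups.so.2]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
""",
    "libcups.so.2": """
 0x0000000000000001 (NEEDED)   Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)   Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
""",
}


def parse_needed(readelf_output):
    """Return the DT_NEEDED sonames listed in `readelf -d` output, in order."""
    return NEEDED_RE.findall(readelf_output)


def find_link_chain(root, dynamic_sections, target_prefix="libssl.so"):
    """Breadth-first walk of the DT_NEEDED closure of `root`.

    Returns the shortest chain [root, ..., target] or None. Libraries that
    are only dlopen()ed at run time never appear in DT_NEEDED, so they are
    not reported, which is the same view `ldd` gives.
    """
    parents = {root: None}
    queue = deque([root])
    while queue:
        obj = queue.popleft()
        if obj != root and obj.startswith(target_prefix):
            chain = []
            while obj is not None:
                chain.append(obj)
                obj = parents[obj]
            return chain[::-1]
        # Objects with no recorded dynamic section are treated as leaves.
        for dep in parse_needed(dynamic_sections.get(obj, "")):
            if dep not in parents:
                parents[dep] = obj
                queue.append(dep)
    return None


if __name__ == "__main__":
    for binary in ("perf", "gpl-app"):
        print(binary, "->", find_link_chain(binary, SAMPLE_DYNAMIC))
```
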




Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Cameron Norman
On Sat, 11 Jan 2014 at 10:41, Russ Allbery wrote:
> Matthias Klumpp  writes:
>
>> Changing this would only mean that CUPS forks have the option to be
>> distributed under GPLv3. I don't see a reason why Apple should be
>> against this.
>
> Apple appears to be against anything containing the phrase GPLv3, to the
> extent that their employees were even forbidden from reading GCC mailing
> lists once the project started considering GPLv3 patches.  Presumably
> their lawyers freaked out about something in the license, possibly the
> patent handling.



It seems like it was the tivo-ization stuff. They license a lot of 
their stuff under the Apache v2 license, so I do not think it is the 
patent provisions that frighten them.


--
Cameron Norman


Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Daniel Kahn Gillmor
On 01/11/2014 11:55 AM, Didier 'OdyX' Raboud wrote:
> So as far as CUPS is concerned, I see three ways forward:
> 
> 1) revert the switch to OpenSSL and link against GnuTLS 2. This
>    basically postpones the question to the moment when GnuTLS 2 is
>    removed from Debian. As I understood the thread, GnuTLS 2 is likely
>    to be removed from testing before the freeze, right?
> 
> 2) switch to GnuTLS 3. This is not allowed because GnuTLS 3 is GPL-3 and
>    CUPS is GPL-2 only.
> 
> 3) report RC bugs against all packages linking against libcups2
>    which licenses don't allow indirect linking to OpenSSL (mostly GPL-
>    -without-OpenSSL-exception) and hope that fixes can be found license-
>    -wise. There are >= 38 packages build-depending on libcups2-dev and
>    >= 120 packages depending on libcups2. Also, I am not aware of tools 
>    to detect this incompatibility automatically. I also doubt we'll be
>    able to find solutions for all packages; yet libcups2 is quite
>    important in desktop stacks.

There is a fourth way forward -- loath though i am to propose it --
which is to avoid enabling TLS in CUPS at all until upstream gets their
act together and does something sensible, both licensing-wise and
crypto-wise.

last i checked, cups does not support certificate validation or checking
[0], making the crypto vulnerable to any active attacker:

[0] http://www.cups.org/str.php?L1616

According to the roadmap [0] this is due on the 2.0 branch, but i
haven't seen it yet.

[1] http://www.cups.org/roadmap.php

This is a terrible solution, but an encryption layer that silently fails
open in the presence of an adversary is a bad thing too, especially if
it introduces all sorts of licensing gymnastics.

The idea of opening RC bugs against everything that links to libcups2 to
demand an OpenSSL exception sounds really, really ugly to me.  what
about the packages that link to those packages?  I'd rather see less
OpenSSL, not more, because of its mutual incompatibility  with the GPL.

Modern versions of GnuTLS could be GPL2+ if GMP relaxes their licensing,
which would also solve this situation, and would be a better win for
copyleft and free software all around.

If we're willing to go around asking folks for changes to their
licensing, my preferences would be (highest preferences first):

 0) ask CUPS to move from GPL2 to GPL2+ (with or without OpenSSL exception)

 1) ask GMP to switch back from LGPLv3+ to LGPLv2+ (it made the change
in 4.2.2).  Does anyone have a strong

 2) turn off TLS support in CUPS until upstream works things out and
actually provides some cryptographic defense against an active attacker

 3) drive bamboo shoots under my fingernails

 4) patch CUPS to use some other GPL2-compatible TLS implementation
(libnss?  polarssl?)

 5) ask dozens of packages which already have reasonable copyleft
licensing to make openssl exceptions, iterating until we've covered
everything contaminated with this mess.

(ok, maybe 3 and 4 are actually tied)

happy hacking,

--dkg





Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Daniel Kahn Gillmor
On 01/11/2014 02:22 PM, Daniel Kahn Gillmor wrote:

>  1) ask GMP to switch back from LGPLv3+ to LGPLv2+ (it made the change
> in 4.2.2).  Does anyone have a strong

Bah.  This was supposed to say "Does anyone have a strong relationship
with GMP maintainers who could open this conversation with them?"

i'd be willing to participate to that discussion if someone can make
good introductions to get the ball rolling.

Regards,

--dkg





Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Russ Allbery
Daniel Kahn Gillmor  writes:
> On 01/11/2014 02:22 PM, Daniel Kahn Gillmor wrote:

>>  1) ask GMP to switch back from LGPLv3+ to LGPLv2+ (it made the change
>> in 4.2.2).  Does anyone have a strong

> Bah.  This was supposed to say "Does anyone have a strong relationship
> with GMP maintainers who could open this conversation with them?"

> i'd be willing to participate to that discussion if someone can make
> good introductions to get the ball rolling.

Isn't GMP an official GNU project?  I thought the FSF had an
organization-wide policy to relicense all of their packages to v3 or
later.

-- 
Russ Allbery (r...@debian.org)   





Bug#735016: ITP: openlayer -- hardware accelerated 2D Graphics library

2014-01-11 Thread Georges Khaznadar
Package: wnpp
Severity: wishlist
Owner: Georges Khaznadar 

* Package name: openlayer
  Version : 2.1
  Upstream Author : Esa Tanskanen 
* URL : http://openlayer.berlios.de/
* License : GPL-2+
  Programming Lang: C++
  Description : hardware accelerated 2D Graphics library
  OpenLayer is a hardware accelerated 2D Graphics library. It specifies
  a new api to be used alongside of Allegro and takes control of how
  the contents of the screen are rendered and uses OpenGL functions
  through AllegroGL to allow hardware acceleration.





Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Ian Jackson
Russ Allbery writes ("Re: CUPS is now linked against OpenSSL"):
> Isn't GMP an official GNU project?  I thought the FSF had an
> organization-wide policy to relicense all of their packages to v3 or
> later.

Perhaps we might be able to persuade them to make an exception for
GMP.  The FSF certainly recognise that licensing decisions are a
question of tactics.

The argument I would make (because I believe in it) is that lack of
good cryptographic software is a bigger threat to the freedom of users
than tivoisation (and, the other downsides of GPLv2 compared to v3).
I'm no fan of TLS but it is very unfortunate that we are considering
further weakening security provisions in printing protocols, for
example, because of this kind of licensing problem.

(This is true even though a GPLv2+ GMP can be used as _part of_ a
cryptographically enforced tivoisation setup, whereas a GPLv3+ GMP can
only be part of such a system at the "master" rather than "slave" end.)

For vaguely analogous reasons we (the free software world) try to make
our codecs have very liberal licences.

Ian.





Re: CUPS is now linked against OpenSSL

2014-01-11 Thread Holger Levsen
Hi Ian,

On Sonntag, 12. Januar 2014, Ian Jackson wrote:
> The argument I would make (because I believe in it) is that lack of
> good cryptographic software is a bigger threat to the freedom of users
> than tivoisation (and, the other downsides of GPLv2 compared to v3).

absolutely agreed! Please go for it!

> I'm no fan of TLS but it is very unfortunate that we are considering
> further weakening security provisions in printing protocols, for
> example, because of this kind of licensing problem.
[...]
> For vaguely analogous reasons we (the free software world) try to make
> our codecs have very liberal licences.

also.


cheers,
Holger






removal of the vacation package

2014-01-11 Thread Marco d'Itri
I stopped maintaining it years ago and nobody ever bothered to ask me 
about it...
It does not support MIME and a lot of other things that are required to 
be a good citizen in today's Internet, so unless somebody has some 
really compelling arguments to keep it around and wants to adopt it 
I will request removal from the archive.

-- 
ciao,
Marco

